I have a question about Apache authentication, which I'm hoping someone will be able to help me with.
I want a subversion repository where /home is less restrictive than anyplace else on the system. That is, I give many people access to /home, where they can make branches (of anything in the system) and drop experiments and whatnot. And I give a smaller set of people (everyone in the commit group) access to the entire repository.
But I can't figure out any way to relax permissions on a subdirectory. It's driving me nuts. I even tried hacks like <Location ~ "/(every|path|but|home)"> with a Require group commit and <Location /> with Require valid-user, but it just allowed anyone to commit anywhere. Unlike RewriteRule it seems like Location doesn't allow the prefixing of regular expressions with ! to indicate negation (so I can't use <Location ~ "!^/home">).
Which ordering do you have in the Order directive?
You will need to write a stanza for all directories at the level for which you want relaxed permissions. A brief example:
consider the tree bar,baz,qux in foo using groups: elect and worldOrder Allow Deny <Directory foo/bar> Require group elect </Directory> <Directory foo/baz> Require group world </Directory> <Directory foo/qux> #this lets anyone in!! it is wrong Require valid-user Require group elect </Directory>
I find that when it comes to securing resources like this explicit is better than implicit ;-)# Larry
If it's a Subversion repository: Why not use Subversion's own authorization feature? It'll easily accept what you want.# Simon Percivall
I'd forgotten about that, I'll have to give that a look again.# Ian Bicking
# Peter Fein
Removing controls in subdirectories
The following example shows how to use the Satisfy directive to disable access controls in a subdirectory of a protected directory. This technique should be used with caution, because it will also disable any access controls imposed by mod_authz_host.
<Directory /path/to/protected/> Require user david </Directory> <Directory /path/to/protected/unprotected> # All access controls and authentication are disabled # in this directory Satisfy Any Allow from all </Directory># philc
See: http://httpd.apache.org/docs/2.2/mod/core.html#require Section: Removing controls in subdirectories# philc