[Gllug] Subversion Authorisation

Steve Nelson sanelson at gmail.com
Wed Feb 28 12:06:42 UTC 2007

Hello chums,

I have two svn repositories with two subdirectories each, and four groups
of users.  I have written an authz file to describe the ACL I require
- namely that the root of both repository be anonymous read-only, and
that different control is imposed per group each subdirectory, with
inheritance taking place on anything beneath them.

Following the advice of the subversion book, I have set up my apache container
with both Satisfy Any and Require Valid User, to provide a combination
of authentication and anonymous access.

I am finding that with Satisfy Any, all users can browse anywhere in
either repository, even if this is specifically restricted in the
authz file.

If I remove Satisfy Any, I find that every time a user moves within
the repos they are challenged for a password.  The ACL is honoured -
ie the users are only allowed to do as the ACL describes, but they are
challenged even for areas where they should have anonymous, read-only

What I want is a combination - but I cannot see what I have done
wrong.  My container and authz file are below.

Any suggestions?  Or am I missing something obvious?


<Location /repos>
       DAV svn
       SVNParentPath /local/svn
       SVNIndexXSLT /svnindex.xsl

       # Require SSL connection for password protection.

       # our access control policy

       # try anonymous access first, resort to real
       # authentication if necessary.
       Satisfy Any
       Require valid-user

       # How to authenticate if needed
       AuthType Basic
       AuthName "De La Rue Subversion Repositories"
       AuthUserFile /etc/httpd/conf/.htpasswd

And my AuthzSVN acl is:

coe = sanjay, darryl
im =  witcharp, nelsonst
general = subversion
atos = berry, fred

* = r
@coe = r
@im = r
@general = r
@atos = r

@coe = rw
@im = rw
@general =
@atos = r

@coe =
@im = r
@general =
@atos = rw

@coe = r
@im = r
@general = r
@atos = r

@coe =
@im = rw
@general =
@atos =

@coe = rw
@im = r
@general = r
@atos = r
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list