[svnbook commit] r1258 - in trunk/src/en: . book
sussman
svnbook-dev at red-bean.com
Mon May 2 21:01:39 CDT 2005
Author: sussman
Date: Mon May 2 21:01:38 2005
New Revision: 1258
Modified:
trunk/src/en/TODO
trunk/src/en/book/ch06.xml
Log:
* src/en/book/ch06.xml: document SVNPathAuthz directive.
* src/en/TODO: mark of 1.1 to-do item.
Modified: trunk/src/en/TODO
==============================================================================
--- trunk/src/en/TODO (original)
+++ trunk/src/en/TODO Mon May 2 21:01:38 2005
@@ -109,11 +109,6 @@
This probably needs to be an "advanced topics" chapter 7
section (MIKE).
- * New 'SVNPathAuthz Off' directive, to disable path-based authz in
- apache (and increase speed.)
-
- (BEN) will mention this in chapter 6, but:
-
* Need 'definitive list' of all mod_dav_svn directives.
(FITZ) new chapter 9 section.
Modified: trunk/src/en/book/ch06.xml
==============================================================================
--- trunk/src/en/book/ch06.xml (original)
+++ trunk/src/en/book/ch06.xml Mon May 2 21:01:38 2005
@@ -1769,6 +1769,72 @@
</sect3>
+ <sect3 id="svn-ch-6-sect-4.4.3">
+ <title>Disabling Path-based Checks</title>
+
+ <para>The <command>mod_dav_svn</command> module goes through a
+ lot of work to make sure that data you've marked
+ "unreadable" doesn't get accidentally leaked. This means
+ that it needs to closely monitor all of the paths and
+ file-contents returned by commands like <command>svn
+ checkout</command> or <command>svn update</command>
+ commands. If these commands encounter a path that isn't
+ readable according to some authorization policy, then the
+ path is typically omitted altogether. In the case of
+ history or rename tracing — e.g. running a command
+ like <command>svn cat -r OLD foo.c</command> on a file that
+ was renamed long ago — the rename tracking will simply
+ halt if one of the object's former names is determined to be
+ read-restricted.</para>
+
+ <para>All of this path-checking can sometimes be quite
+ expensive, especially in the case of <command>svn
+ log</command>. When retrieving a list revisions, the server
+ looks at every changed path in each revision and checks it
+ for readability. If an unreadable path is discovered, then
+ it's omitted from the list of the revision's changed paths
+ (normally seen with the <option>--verbose</option> option),
+ and the whole log message is suppressed. Needless to say,
+ this can be time-consuming on revisions that affect a large
+ number of files. This is the cost of security: even if you
+ haven't configured a module like
+ <command>mod_authz_svn</command> at all, the
+ <command>mod_dav_svn</command> module is still asking Apache
+ <command>httpd</command> to run authorization checks on
+ every path. The <command>mod_dav_svn</command> module has
+ no idea what authorization modules have been installed, so
+ all it can do is ask Apache to invoke whatever might be
+ present.</para>
+
+ <para>On the other hand, there's also an escape-hatch of
+ sorts, one which allows you to trade security features for
+ speed. If you're not enforcing any sort of per-directory
+ authorization (i.e. not using
+ <command>mod_authz_svn</command> or similar module), then
+ you can disable all of this path-checking. In your
+ <filename>httpd.conf</filename> file, use the
+ <literal>SVNPathAuthz</literal> directive:</para>
+
+ <example id="svn-ch-6-sect-4.4.3-ex-1">
+ <title>Disabling path checks altogether</title>
+ <programlisting>
+ <Location /repos>
+ DAV svn
+ SVNParentPath /usr/local/svn
+
+ SVNPathAuthz off
+ </Location>
+ </programlisting>
+ </example>
+
+ <para>The <literal>SVNPathAuthz</literal> directive is "on" by
+ default. When set "off", all path-based authorization
+ checking is disabled; <command>mod_dav_svn</command> stops
+ invoking authorization checks on every path it
+ discovers.</para>
+
+ </sect3>
+
</sect2>
<sect2 id="svn-ch-6-sect-4.5">
More information about the svnbook-dev
mailing list