Fwd: [Daniel Shahaf: [PATCH] ch06 additions]

Daniel Shahaf danielsh at elego.de
Mon Dec 19 17:51:36 CST 2011

----- Forwarded message from Daniel Shahaf <danielsh at elego.de> -----

From: Daniel Shahaf <danielsh at elego.de>
Subject: [PATCH] ch06 additions
To: svnbook-dev at red-bean.com
Date: Wed, 14 Dec 2011 12:54:45 +0200
Message-ID: <20111214105444.GA3392 at lp-shahaf.local>

A couple of random improvements:

* clarify svn+ssh:// security issue
* fix/add links
* clarify man-in-the-middle attack scope

Index: ch06-server-configuration.xml
--- ch06-server-configuration.xml	(revision 4230)
+++ ch06-server-configuration.xml	(working copy)
@@ -1365,9 +1365,13 @@ baz
         simply setting <literal>auth-access = read</literal>
         or <literal>auth-access = none</literal>.<footnote><para>Note
         that using any sort of <command>svnserve</command>-enforced
-        access control at all is a bit pointless; the user already has
-        direct access to the repository
-        database.</para></footnote></para>
+        access control at all only makes sense if the users cannot 
+        bypass it and access the repository directory directly using
+        other tools (such as <command>cd</command> and
+        <command>vi</command>); implementing
+        such restrictions is described later in this chapter, in
+        <xref linkend="svn.serverconfig.svnserve.sshtricks.fixedcmd"
+        />.</para></footnote></para>
       <para>You'd think that the story of SSH tunneling would end
         here, but it doesn't.  Subversion allows you to create custom
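Review bot: the new `xref linkend="svn.serverconfig.svnserve.sshtricks.fixedcmd"` must resolve to an id that already exists in this chapter, or the DocBook build fails; the patch does not add such a section, so confirm the target id before committing. Minor points in the same footnote: the added line `access control at all only makes sense if the users cannot ` has trailing whitespace, and `cd` and `vi` are odd examples of "other tools", since `cd` is a shell builtin and the real issue is that anyone with filesystem access to the repository directory can read or modify it with any program; "a shell and a text editor" (or `svnadmin`/`svnlook`) would make the point more clearly.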
@@ -1608,7 +1612,7 @@ arding,no-X11-forwarding,no-pty TYPE1 KEY1 harry at e
       excellent documentation, publicly available on their web site at
       <ulink url="http://httpd.apache.org"/>.  For example, a general
       reference for the configuration directives is located at
-      <ulink url="http://httpd.apache.org/docs-2.0/mod/directives.html"
+      <ulink url="http://httpd.apache.org/docs/current/mod/directives.html"
     <para>Also, as you make changes to your Apache setup, it is likely
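Review bot: `docs/current/` is a moving target that follows the newest httpd release, so the linked directive reference can drift away from the Apache version this chapter describes; if the surrounding text assumes a particular series, link the versioned path (for example `docs/2.2/`) or say explicitly that the reference is for the current release. Also, the header `@@ -1608,7 +1612,7 @@` promises three trailing context lines but only `<para>Also, as you make changes` is shown, and the `<ulink` on the changed line has no closing `/>`, so two lines appear to have been lost in transit; re-check that the patch still applies cleanly.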
@@ -2413,7 +2417,9 @@ LoadModule authz_svn_module   modules/mod_authz_sv
         <para>It's beyond the scope of this book to describe how to
           generate client and server SSL certificates and how to
           configure Apache to use them.  Many other references,
-          including Apache's own documentation, describe the process.</para>
+          including Apache's own documentation (<ulink 
+          url="http://httpd.apache.org/docs/current/ssl/"/>),
+          describe the process.</para>
           <para>SSL certificates from well-known entities generally
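Review bot: the added `<ulink ` has trailing whitespace before the line break; strip it so the XML diff stays clean. The same versioning caveat as for the directives link applies here: `docs/current/ssl/` points at the SSL how-to for whichever httpd release is newest, which may not match the Apache version the book assumes.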
@@ -2422,7 +2428,8 @@ LoadModule authz_svn_module   modules/mod_authz_sv
             tool such as OpenSSL (<ulink url="http://openssl.org"
             />).<footnote><para>While self-signed certificates are
             still vulnerable to a <quote>man-in-the-middle</quote>
-            attack, such an attack is much more difficult for a casual
+            attack (before a client sees the certtificate for the first
+            time), such an attack is much more difficult for a casual
             observer to pull off, compared to sniffing unprotected
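Review bot: typo in the added line, `certtificate` should be `certificate`. The parenthetical also lands in an awkward spot: the sentence now says the attack is both "still" possible and "much more difficult", and the qualifier `before a client sees the certificate for the first time` reads better attached to "vulnerable", e.g. `While self-signed certificates are still vulnerable to a "man-in-the-middle" attack before a client has seen the certificate for the first time, such an attack is much more difficult ...`. It is also worth stating the assumption behind the scope: the first-use window is the only exposure only if the client remembers the certificate it accepted and warns when it later changes, and the window reopens on every new client machine, so the fingerprint should be verified out of band on first contact.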

----- End forwarded message -----
