svn sometimes ignoring svnserve.conf. Then SVN not asking for auth, connects as anonymous - giving misleading error: Authorization failed

Bug #520743 reported by LimCore
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
subversion (Ubuntu) | Expired | Undecided | Unassigned |

Bug Description

Binary package hint: subversion
Similar but *different* bug is bug#519083 where svn+ssh always just ignores authz.
Here svn's repo sometimes is enabled to be r/w even before editing svnserve.conf to allow any access,
and sometimes it blocks any access until svnserve.conf is edited. (SECURITY!)
Also access related error messages are not very helpful.

Svn client sometimes does not ask for passphrase and just connects always as anonymous to any newly created repo,
but when I connect to an older repo (created months ago) all works!

For svn:// method, for svnserve -d server.

User A + old repo = works
User A + new repo = as anonymous always (even after rm -rf ~/.subversion)
User B + new repo = as anonymous always

Ubuntu 9.10 amd64

REPRODUCE - 5 minute test case - PLEASE CONFIRM MY BUG

apt-get install subversion # on Karmic 9.10 for example

Start subversion local server (server method: svnserve daemon)
Create a repo and try to import to it - FAIL?

On the server / as root:
  (IF YOU RUN SVN APACHE server, then disable it first!)

$ mkdir -p /srv/svn/repo/lc
$ cd /srv/svn/repo/lc
$ svnadmin create repofoo

$ killall svnserve
$ /usr/bin/svnserve -d -r /srv/svn/repo/

On the client / as user:
$ mkdir testsvn
$ cd testsvn/
$ mkdir repofoo
$ cd repofoo
$ echo "some text" > testfile.txt
$ svn import svn://localhost/lc/repofoo -m "importing"

and....?

******* THE RESULT: ****
here you will get error:
svn: Authorization failed
   (There is no question about authorization.)

But checkout (by default allowed for anonymous) will work:
$ svn co svn://localhost/lc/repofoo
Checked out revision 0.

***********************************************************************************
If you get the above 2 messages, instead of a prompt to enter password, then this is the bug described,
it means svn connects always in anonymous mode, therefore blocked write but allowed read access.
Please confirm my bug and select on top Affects me too!
***********************************************************************************

Btw, I can not force authorization, look:

root@jumpi(2010-02-12 00:41:21)/srv/svn/repo/lc$ vim repofoo/conf/passwd
root@jumpi(2010-02-12 00:41:31)/srv/svn/repo/lc$ cat repofoo/conf/passwd
[users]
bob = secret

user1@jumpi(2010-02-12 00:41:04)~/testsvn/repofoo$ svn --username bob import svn://localhost/lc/repofoo -m "importing"
svn: Authorization failed
user1@jumpi(2010-02-12 00:41:09)~/testsvn/repofoo$ svn --username bob --password secret import svn://localhost/lc/repofoo -m "importing"
svn: Authorization failed

Ubuntu 9.10 amd64
ii subversion 1.6.5dfsg-1ubuntu1

Btw, using an older already existing repo (created months ago) works 100% fine.

LimCore (limcore)
description: updated
description: updated
Krzysztof Klimonda (kklimonda) wrote :

I can confirm that by following these commands I get svn: Authorization failed.

Changed in subversion (Ubuntu):
status: New → Confirmed
Krzysztof Klimonda (kklimonda) wrote :

Ubuntu Karmic, subversion 1.6.5dfsg-1ubuntu1.

LimCore (limcore) wrote :

#svn @ freenode

[01:12] <borg-queen> it doesn't work here as long as i do not edit svnserve.conf

[01:13] <borg-queen> interesting is that it doesn't ask for a password before i edited svnserve.conf
[01:14] <LimCore> yes. this is the bug anyway

He uses Debian, SID
[01:15] <borg-queen> ii subversion 1.3.2-6 Advanced version control system

kgorny (kgorny) wrote :

I get the same error after executing all of the commands.
svn version: ii subversion 1.5.4dfsg1-1ubun Advanced version control system

LimCore (limcore) wrote :

This is NOT the problem of calling mkdir before svnadmin create

( http://www.linuxquestions.org/questions/linux-software-2/svn-authorization-failed-what-am-i-doing-wrong-701579/ )

Still same problem when not doing mkdir first:

root:
/srv/svn/repo/lc$ stat barbar
stat: cannot stat `barbar': No such file or directory
/srv/svn/repo/lc$ svnadmin create barbar

client:
~/testsvn$ mkdir barbar
~/testsvn$ cd barbar
~/testsvn/barbar$ echo "some text" > testfile.txt
~/testsvn/barbar$ svn import svn://localhost/lc/barbar -m "importing"
svn: Authorization failed

LimCore (limcore) wrote :

The workaround is to enable (append or edit) these lines in barbar/conf/svnserve.conf:
password-db = passwd
authz-db = authz

And this setting must remain all the time.

But is NOT needed when using the old-repo I mentioned above.
So apparently if repo was created in other way (the old one was done afair with svn+ssh at first) then some parts of settings in svnserver are not important.

So this is ANOTHER of authz usage inconsistencies (see also bug#519083)!

Really this should be more consistent and documented. I will contact upstream.
Marking as security bug, really source code can be important, not everyone is [wide]open-source ;)

security vulnerability: no → yes
summary: - svn stoped asking for auth, and connects as anonymous - giving usually
- svn: Authorization failed
+ svn sometimes ignoring svnserve.conf. Then SVN not asking for auth,
+ connects as anonymous - giving misleading error: Authorization failed
description: updated
security vulnerability: yes → no
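
Added example, not part of the original report or of Subversion itself: a small audit that walks the directory served with `svnserve -r` and reports each repository's effective `[general]` settings, so that repositories still running on defaults (the state the workaround above changes) stand out. It assumes svnserve's built-in authentication (no SASL) and the documented defaults `anon-access = read` and `auth-access = write`; the two `svnserve.conf` texts in `demo()` are constructed for illustration, reusing the repository names from the report.

```python
import configparser
import tempfile
from pathlib import Path

# svnserve's defaults when a key is absent or commented out in [general].
DEFAULTS = {"anon-access": "read", "auth-access": "write"}

def audit_repo(repo):
    """Return (effective settings, findings) for one repository directory."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(Path(repo) / "conf" / "svnserve.conf")
    general = cp["general"] if cp.has_section("general") else {}
    eff = {k: general.get(k, d).strip().lower() for k, d in DEFAULTS.items()}
    for key in ("password-db", "authz-db"):
        eff[key] = general.get(key)          # None means "not configured"
    findings = []
    if eff["anon-access"] != "none":
        findings.append("anonymous " + eff["anon-access"] + " access is enabled")
    if eff["password-db"] is None and eff["auth-access"] != "none":
        findings.append("no password-db: built-in auth has no user list to check")
    if eff["authz-db"] is None:
        findings.append("no authz-db: no per-path rules are applied")
    return eff, findings

def audit_tree(root):
    """Audit every repository found under the directory served with -r."""
    confs = sorted(Path(root).rglob("conf/svnserve.conf"))
    return {str(c.parent.parent.relative_to(root)): audit_repo(c.parent.parent)
            for c in confs}

def demo():
    """Build two constructed conf directories and audit them."""
    fresh = ("[general]\n# anon-access = read\n# auth-access = write\n"
             "# password-db = passwd\n# authz-db = authz\n")
    fixed = "[general]\npassword-db = passwd\nauthz-db = authz\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in (("lc/repofoo", fresh), ("lc/barbar", fixed)):
            conf = Path(tmp, name, "conf")
            conf.mkdir(parents=True)
            (conf / "svnserve.conf").write_text(text)
        return audit_tree(tmp)

if __name__ == "__main__":
    for repo, (eff, findings) in demo().items():
        print(repo, eff, findings or "ok")
```

Pointing `audit_tree()` at the real served root (here `/srv/svn/repo/`) lists every repository whose access still depends on defaults rather than on an explicit `svnserve.conf`.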
Maarten Bezemer (veger) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. We are sorry that we do not always have the capacity to look at all reported bugs in a timely manner. There have been many changes in Ubuntu since that time you reported the bug and your problem may have been fixed with some of the updates. It would help us a lot if you could test it on a currently supported Ubuntu version. When you test it and it is still an issue, kindly upload the updated logs by running apport-collect 520743 and any other logs that are relevant for this particular issue.

Changed in subversion (Ubuntu):
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for subversion (Ubuntu) because there has been no activity for 60 days.]

Changed in subversion (Ubuntu):
status: Incomplete → Expired