SVN with Apache security

Question

I've set up a local SVN repo with apache https access on an ubuntu machine using this example: http://stackoverflow.com/questions/60736/how-to-setup-a-subversion-svn-server-on-gnu-linux-ubuntu

Everything works great.
The next step is to allow users to access SVN over the internet. This works, but here's my question: Currently it seems everyone can see the files. Using TortSVN I can see everything, and it only prompts for a username/pw if I make changes. How do I make it so nobody can see the repo or any files unless you're prompted for user/pw ?

Answer 1

You want to edit your svnserve.conf file to say:

anon-access = none

This is located in the conf/ directory of your repository. This will force a user to log in before they can even check out your repository.

Answer 2

You have two psossibilities: you can remove the following lines from httpd.conf:

<LimitExcept GET PROPFIND OPTIONS REPORT>
</LimitExcept>

Or you can switch to path based authorization:.

By adding this line to your httpd-config:

 AuthzSVNAccessFile /path/to/access/file

and placing this into your path/to/access/file:

[groups]
devs = developer1, developer2
mgr = manager1, manager2

[/]
* = 
@devs= rw
@mgr = r
pparker = rw

in the section [groups] you can group your users by assigning them group names

in the path section [/] you can assign to any path permissions either

• read only access (r) write
• access (rw)
• no access at all

The asterisk is a wildcard for matching any other user or group. Note the at-sign (@) for referencing groups. In this sample "pparker" is a single user.