Opened 16 years ago
Closed 15 years ago
#363 closed task (fixed)
SVN repositories without authz files seem to allow any authorized OSGeo LDAP user to commit
Reported by: | hobu | Owned by: | |
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | SysAdmin | Keywords: | svn |
Cc: | jbirch, warmerdam |
Description
The OSSIM project had some unauthorized commits to its repository http://trac.osgeo.org/ossim/changeset/14391 , and I also found that I could commit to their repository even though I wasn't in the ossim group http://trac.osgeo.org/ossim/changeset/14406
Some limited testing showed me this is related to our non-authz configuration, but I couldn't figure out why it was allowing me to commit. For a quick fix, I just put an authz.tmpl in the ossim svn directory and went on my way. There are a number of projects that do not use authz though, so we should figure out what's going on.
Change History (6)
comment:1 by , 15 years ago
Cc: | added |
---|---|
Keywords: | svn added |
Priority: | normal → critical |
comment:2 by , 15 years ago
Some additional information, not sure if it will help or not, but Greg Boone (OSGeoID: gregboone) was able to submit to the MGOS repository even though he is not a committer; he is a committer to the FDO repository.
comment:3 by , 15 years ago
comment:4 by , 15 years ago
Is there a way that we can implement authz (whatever that is) for MapGuide? Is there a wiki page on this somewhere?
comment:5 by , 15 years ago
The wiki page is: http://wiki.osgeo.org/wiki/Subversion.
I have created ticket #400 to resolve MapGuide's issues.
comment:6 by , 15 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
I have determined that the problem was a stray Require valid-user in file /etc/httpd/conf.d/ldap_auth_url.inc which masked the Require group directive for the non-authz svn .conf files.
I have removed this line from ldap_auth_url.inc, confirming that all the authz subversion .conf files already have Require valid-user.
I then discovered that none of the Trac .conf files had Require valid-user, so I had to add it to all of them.
So, now things seem to be secure again without setting up the authz stuff for all projects.
The same problem has been observed with mapguide and I have confirmed that I (not a mapguide committer) can commit. (http://trac.osgeo.org/mapguide/changeset/3974, http://trac.osgeo.org/mapguide/changeset/3980).
Howard, can you look into this?
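The failure mode identified in comment:6, as an added example that is not part of the ticket or of OSGeo's configuration: when several Require lines apply to one container, Apache grants access if any one of them is satisfied, so a Require valid-user pulled in through an Include overrides a Require group. This sketch inlines Include directives and flags containers where both appear. The file contents and the svn_example.conf name are constructed, and the check works per container rather than modelling Apache's full section merging.

```python
import re

INC = "/etc/httpd/conf.d/ldap_auth_url.inc"      # path named in the ticket
CONF = "/etc/httpd/conf.d/svn_example.conf"      # hypothetical project file
# Constructed file contents, not the real OSGeo configuration.
SAMPLE = {
    CONF: f"<Location /svn/example>\n  DAV svn\n  Include {INC}\n"
          "  Require group example\n</Location>\n",
    INC: "AuthType Basic\nAuthBasicProvider ldap\nRequire valid-user\n",
}

def expand(name, files, seen=()):
    """Yield (source_file, stripped_line) with Include directives inlined."""
    if name in seen:                      # guard against include loops
        return
    for line in files[name].splitlines():
        m = re.match(r"\s*Include\s+(\S+)", line, re.I)
        if m and m.group(1) in files:
            yield from expand(m.group(1), files, seen + (name,))
        else:
            yield name, line.strip()

def check(container, requires):
    """Pair every group rule with each file that adds Require valid-user."""
    users = [src for src, l in requires
             if re.match(r"Require\s+valid-user\b", l, re.I)]
    groups = [l for _, l in requires
              if re.match(r"Require\s+(ldap-)?group\b", l, re.I)]
    return [(container, g, u) for g in groups for u in users]

def masked_group_requires(root, files):
    """Return (container, group_rule, file_with_valid_user) findings."""
    findings, stack = [], [("<global>", [])]
    for src, line in expand(root, files):
        if line.startswith("</"):         # container closes: evaluate it
            if len(stack) > 1:
                findings += check(*stack.pop())
        elif line.startswith("<"):        # container opens: new scope
            stack.append((line, []))
        elif re.match(r"Require\s", line, re.I):
            stack[-1][1].append((src, line))
    while stack:                          # unclosed scopes and global scope
        findings += check(*stack.pop())
    return findings

if __name__ == "__main__":
    for container, rule, src in masked_group_requires(CONF, SAMPLE):
        print(f"{container}: '{rule}' is masked by Require valid-user from {src}")
```

Reading the real .conf and .inc files into the dictionary, keyed by the paths used in their Include lines, turns this into an audit of every project that relies on Require group instead of authz.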