Opened 14 years ago

Closed 13 years ago

#363 closed task (fixed)

SVN repositories without authz files seem to allow any authorized OSGeo LDAP user to commit

Reported by: hobu Owned by: sac@…
Priority: critical Milestone:
Component: Systems Admin Keywords: svn
Cc: jbirch, warmerdam

Description

The OSSIM project had some unauthorized commits to its repository http://trac.osgeo.org/ossim/changeset/14391 , and I also found that I could commit to their repository even though I wasn't in the ossim group http://trac.osgeo.org/ossim/changeset/14406

Some limited testing showed me this is related to our non-authz configuration, but I couldn't figure out why it was allowing me to commit. For a quick fix, I just put an authz.tmpl in the ossim svn directory and went on my way. There are a number of projects that do not use authz though, so we should figure out what's going on.

Change History (6)

comment:1 by warmerdam, 13 years ago

Cc: jbirch warmerdam added
Keywords: svn added
Priority: normalcritical

The same problem has been observed with mapguide and I have confirmed that I (not a mapguide commmitter) can commit. (http://trac.osgeo.org/mapguide/changeset/3974, http://trac.osgeo.org/mapguide/changeset/3980).

Howard, can you look into this?

comment:2 by tomfukushima, 13 years ago

Some additional information, not sure if it will help or not, but Greg Boone (OSGeoID: gregboone) was able to submit to the MGOS repository even though he is not a committer; he is a committer to the FDO repository.

comment:3 by tomfukushima, 13 years ago

Still a big problem. Klain who is not a committer to MapGuide or FDO was able to commit a change (r 4134) to the MapGuide repository.

comment:4 by jbirch, 13 years ago

Is there a way that we can implement authz (whatever that is) for MapGuide? Is there a wiki page on this somewhere?

comment:5 by tomfukushima, 13 years ago

The wiki page is: http://wiki.osgeo.org/wiki/Subversion.

I have created ticket #400 to resolve MapGuide's issues.

comment:6 by warmerdam, 13 years ago

Resolution: fixed
Status: newclosed

I have determined that the problem was a stray Requre valid-user in file /etc/httpd/conf.d/ldap_auth_url.inc which masked the Require group directive for the non-authz svn .conf files.

I have removed this line from ldap_auth_url.inc, confirming that all the authz subversion .conf files already have Require valid-user.

I then discovered that none of the Trac .conf files had REquire valid-user so I had to add it to all of them.

So, now things seem to be secure again without setting up the authz stuff for all projects.

Note: See TracTickets for help on using tickets.