#363: SVN repositories without authz files seem to allow any authorized OSGeo
LDAP user to commit
-------------------+--------------------------------------------------------
Reporter: hobu | Owner: sac@lists.osgeo.org
Type: task | Status: new
Priority: normal | Component: SAC
Keywords: |
-------------------+--------------------------------------------------------
The OSSIM project had some unauthorized commits to its repository
(http://trac.osgeo.org/ossim/changeset/14391), and I also found that I
could commit to their repository even though I wasn't in the ossim group
(http://trac.osgeo.org/ossim/changeset/14406).
Some limited testing showed me this is related to our non-authz
configuration, but I couldn't figure out why it was allowing me to commit.
For a quick fix, I just put an authz.tmpl in the ossim svn directory and
went on my way. There are a number of projects that do not use authz
though, so we should figure out what's going on.
--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/363>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.
-----------------------+----------------------------------------------------
Reporter: hobu | Owner: sac@lists.osgeo.org
Type: task | Status: new
Priority: critical | Component: SAC
Resolution: | Keywords: svn
-----------------------+----------------------------------------------------
Changes (by warmerdam):
* priority: normal => critical
* keywords: => svn
* cc: jbirch, warmerdam (added)
Comment:
The same problem has been observed with mapguide and I have confirmed that
I (not a mapguide committer) can commit.
(http://trac.osgeo.org/mapguide/changeset/3974,
http://trac.osgeo.org/mapguide/changeset/3980).
Howard, can you look into this?
--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/363#comment:1>
Comment (by tomfukushima):
Some additional information, not sure if it will help or not, but Greg
Boone (OSGeoID: gregboone) was able to submit to the MGOS repository even
though he is not a committer; he is a committer to the FDO repository.
--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/363#comment:2>
Comment (by tomfukushima):
Still a big problem. Klain, who is not a committer to MapGuide or FDO, was
able to commit a change (r4134) to the MapGuide repository.
--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/363#comment:3>
Comment (by jbirch):
Is there a way that we can implement authz (whatever that is) for
MapGuide? Is there a wiki page on this somewhere?
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/363#comment:4>
Comment (by tomfukushima):
The wiki page is: http://wiki.osgeo.org/wiki/Subversion.
I have created ticket #400 to resolve MapGuide's issues.
--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/363#comment:5>
-----------------------+----------------------------------------------------
Reporter: hobu | Owner: sac@lists.osgeo.org
Type: task | Status: closed
Priority: critical | Component: SAC
Resolution: fixed | Keywords: svn
-----------------------+----------------------------------------------------
Changes (by warmerdam):
* status: new => closed
* resolution: => fixed
Comment:
I have determined that the problem was a stray Require valid-user in file
/etc/httpd/conf.d/ldap_auth_url.inc which masked the Require group
directive for the non-authz svn .conf files.
I have removed this line from ldap_auth_url.inc, confirming that all the
authz subversion .conf files already have Require valid-user.
I then discovered that none of the Trac .conf files had Require valid-user,
so I had to add it to all of them.
So, now things seem to be secure again without setting up the authz stuff
for all projects.
--
Ticket URL: <http://trac.osgeo.org/osgeo/ticket/363#comment:6>
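As an added example (not from the ticket or from OSGeo's actual configuration), a small audit that follows Include directives and flags the pattern warmerdam describes: a shared include supplying Require valid-user next to a per-repository group restriction, which Apache 2.2 evaluates as an OR, so any authenticated LDAP user passes. The file contents are constructed; the LDAP URL, the group DN, the path of the svn .conf and the use of mod_authnz_ldap's Require ldap-group for the ticket's "Require group" are assumptions.

```python
import re
# Constructed stand-ins for files on disk (path -> text), modelled on the ticket:
# a shared LDAP include with a stray "Require valid-user", pulled into a svn .conf.
INC = "/etc/httpd/conf.d/ldap_auth_url.inc"
CONF = "/etc/httpd/conf.d/ossim_svn.conf"  # assumed name for the repository conf
FILES_WEAK = {
    INC: (
        "AuthType Basic\n"
        "AuthBasicProvider ldap\n"
        "AuthLDAPURL ldap://ldap.example.invalid/ou=People,dc=example?uid\n"
        "Require valid-user\n"  # the stray line named in the ticket
    ),
    CONF: (
        "<Location /ossim>\n"
        "  DAV svn\n"
        "  SVNPath /var/svn/ossim\n"
        f"  Include {INC}\n"
        "  Require ldap-group cn=ossim,ou=Groups,dc=example\n"  # assumed group DN
        "</Location>\n"
    ),
}
# Same files with the stray line removed, i.e. the fix applied in the ticket.
FILES_FIXED = dict(FILES_WEAK)
FILES_FIXED[INC] = FILES_WEAK[INC].replace("Require valid-user\n", "")
INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.I | re.M)
REQUIRE_RE = re.compile(r"^\s*Require\s+(\S+)", re.I | re.M)
GROUP_KINDS = {"group", "ldap-group"}  # per-repository group restrictions

def effective_requires(path, files, seen=None):
    """(require_kind, defining_file) for a conf file plus everything it Includes."""
    # Deliberately scope-insensitive: Apache 2.2 grants access if ANY Require line
    # in one <Location> matches, so valid-user from an include silently overrides
    # the group rule that sits beside it.
    if seen is None:
        seen = set()
    if path in seen or path not in files:
        return []
    seen.add(path)
    found = [(m.group(1).lower(), path) for m in REQUIRE_RE.finditer(files[path])]
    for m in INCLUDE_RE.finditer(files[path]):
        found += effective_requires(m.group(1), files, seen)
    return found

def audit(files):
    """[(conf_path, files supplying valid-user)] wherever a group rule is bypassed."""
    findings = []
    for path in sorted(p for p in files if p.endswith(".conf")):
        reqs = effective_requires(path, files)
        kinds = {kind for kind, _ in reqs}
        if "valid-user" in kinds and kinds & GROUP_KINDS:
            findings.append((path, sorted({s for k, s in reqs if k == "valid-user"})))
    return findings
```

A .conf that carries only Require valid-user (the authz-managed repositories in the ticket, where mod_authz_svn enforces the path rules) is not flagged, since no group rule is being undercut.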