403 Forbidden in response to COPY request

40 views
Skip to first unread message

Anton Prowse

unread,
Mar 17, 2010, 9:39:46 AM3/17/10
to us...@subversion.apache.org
Several users are configured to use our Subversion system via HTTPS and Basic authentication.

Repos URL:
https://www.example.com/repos/repos1/trunk


Apache config "vhost_ssl.conf":

<Location /repos>
    DAV svn
    SVNParentPath /var/www/svn

    AuthzSVNAccessFile /var/www/vhosts/example.com/conf/reposAccessFile

    AuthType Basic
    AuthName "Traffic Subversion Repository"
    AuthUserFile /var/www/vhosts/example.com/conf/svnuserpw
    require valid-user
</Location>


reposAccessFile:

[specialrepos:/]
* = rw

[specialrepos:/trunk]
user2 =

[specialrepos:/branches]
user2 =

[specialrepos:/tags]
user2 =

[/trunk/specialfile]
user2 =

[/]
* = rw


svnuserpw file:
user1:<hash>
user2:<hash>


When I authenticate as user1 I can execute all commands without problem.  However, when I authenticate as user2 I receive the following error when trying to create a branch from the trunk of "repos1":

Using TortoiseSVN from my local machine:
> Copy C:\www\repos1 to https://www.example.com/repos/repos1/branches/test, Revision 999
Server sent unexpected return value (403 Forbidden) in response to COPY request
for '/repos/repos1/!svn/bc/999/trunk'

Using the command line from my local machine:
> svn copy --username user2 https://www.example.com/repos/repos1/trunk https://www.example.com/repos/repos1/branches/test -r 999 -m ""
> svn: COPY of branches/test4: 403 Forbidden (https://www.online-toolbox.com)

It works if I do it on the command line of the same server where the repos is actually stored, and I'm logged in as root:
> svn copy --username user2 file:///var/www/svn/repos1/trunk file:///var/www/svn/repos1/branches/test -r 999 -m "" --no-auth-cache
> Committed revision 2000.

....but fails if I'm logged in on that same server as another user:
> svn copy --username user2 file:///var/www/svn/repos1/trunk file:///var/www/svn/repos1/branches/test -r 999 -m "" --no-auth-cache
> svn: Can't create directory '/var/www/svn/repos1/db/transactions/1999-1.txn': Permission denied
but this is presumably because only the "apache" operating system user has write access to the /var/www/svn folder:

drwxr-xr-x  123 apache apache    4096 Jan 1 2010 .
drwxr-xr-x  1 root   root      4096 Jan 1 2010 ..
drwxr-xr-x  12 apache apache    4096 Jan 1 2010 repos1
drwxr-xr-x  12 apache apache    4096 Jan 1 2010 specialrepos


I can't see what makes user2 different from user1 other than the configuration in reposAccessFile which only concerns an unrelated repository ("specialrepos") and a single file which exists in all repositories ("/trunk/specialfile").

I'm using:
TortoiseSVN 1.6.5, Build 16974 - 32 Bit , 2009/08/20 08:13:46
Subversion 1.6.5,
apr 1.3.8
apr-utils 1.3.9
neon 0.28.6
OpenSSL 0.9.8k 25 Mar 2009
zlib 1.2.3

Any advice will be much appreciated!

Cheers,
Anton Prowse 
TRAVELCLICK Privacy Policy

This email message and any accompanying attachments may contain confidential information. If you are not the intended recipient, do not read, use, disseminate, distribute or copy this message or attachments. If you have received this message in error, please notify the sender immediately and delete this message. Any views expressed in this message are those of the individual sender, except where the sender expressly, and with authority, states them to be the views of TravelCLICK.  Before opening any attachments, please check them for viruses and defects.

Bob Archer

unread,
Mar 17, 2010, 10:32:15 AM3/17/10
to Anton Prowse, us...@subversion.apache.org

I think this is a known issue. You have to give user2 read access to the root path in order for him to be able to create branches. that is the difference between user1 and user2. User1 has rw access to /.

BOb

Anton Prowse

unread,
Mar 17, 2010, 10:46:41 AM3/17/10
to Bob Archer, us...@subversion.apache.org

From: Bob Archer <Bob.A...@amsi.com>
Date: 17/03/2010 15:32

>>> svn: COPY of branches/test: 403 Forbidden (https://www.example.com)



> I think this is a known issue. You have to give user2 read access to the root path in order for him to be able to create branches. that is the difference between user1 and user2. User1 has rw access to /.

Sorry, I don't follow you; doesn't everyone have access to / due to the
following lines?

[/]
* = rw

Cheers,
Anton Prowse

Jon Foster

unread,
Mar 17, 2010, 2:16:08 PM3/17/10
to Anton Prowse, us...@subversion.apache.org
Hi,

Anton Prowse wrote:
[...]
> [/trunk/specialfile]
> user2 =
[...]


> when I authenticate as user2 I receive the following error
> when trying to create a branch from the trunk of "repos1":

> Server sent unexpected return value (403 Forbidden) in
> response to COPY request for '/repos/repos1/!svn/bc/999/trunk'

user2 is trying to copy /trunk/specialfile to somewhere where he'd
be able to read it. So Subversion blocks it. In order to create
a branch from trunk, you need read access to trunk and every file
inside it.

Perhaps /trunk/specialfile can be moved somewhere else, so you can
remove this restrictive permission? (This may require you to dump
the repository and use "svndumpfilter" to get rid of the historical
revisions of /trunk/specialfile).

Kind regards,

Jon

--
(Please direct all replies to the mailing list)


**********************************************************************
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Cabot Communications Ltd.

If you are not the intended recipient of this email and its attachments, you must take no action based upon them, nor must you copy or show them to anyone.

Cabot Communications Limited
Verona House, Filwood Road, Bristol BS16 3RY, UK
+44 (0) 1179584232

Co. Registered in England number 02817269

Please contact the sender if you believe you have received this email in error.

**********************************************************************


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

Anton Prowse

unread,
Mar 18, 2010, 4:56:41 AM3/18/10
to us...@subversion.apache.org

From: Jon Foster <Jon.F...@cabot.co.uk>
Date: 17/03/2010 19:16



> Anton Prowse wrote:
> [...]
>> [/trunk/specialfile]
>> user2 =
> [...]
>> when I authenticate as user2 I receive the following error
>> when trying to create a branch from the trunk of "repos1":
>> Server sent unexpected return value (403 Forbidden) in
>> response to COPY request for '/repos/repos1/!svn/bc/999/trunk'
>
> user2 is trying to copy /trunk/specialfile to somewhere where he'd
> be able to read it.  So Subversion blocks it.  In order to create
> a branch from trunk, you need read access to trunk and every file
> inside it.
>
> Perhaps /trunk/specialfile can be moved somewhere else, so you can
> remove this restrictive permission?  (This may require you to dump
> the repository and use "svndumpfilter" to get rid of the historical
> revisions of /trunk/specialfile).
>

Many thanks for the explanation and advice!
Anton Prowse

Reply all
Reply to author
Forward
0 new messages