path based permissions vulnerability


zerat...@gmail.com

Mar 18, 2020, 9:16:45 AM
to TortoiseSVN
Hi guys,

We are using path-based permissions with Windows basic authentication. Users have to enter their username and password when running SVN commands.

1. I cleared all authentication data in Tortoise and restarted the computer and SVN server.

2. In the repo browser the permissions are correct. I don't see folders without the permission.

3. But on the Windows filesystem I can check out the folders without permissions (Tortoise asks for credentials and I am entering credentials of a user without permissions - same as in the repo browser).

I am logged in as administrator. Is that the problem? Does Tortoise use the Windows integrated authentication before basic authentication?

Client is: 1.12.0
Server: Apache 2.4.33

Thanks, Greetings

Andy

Stefan

Mar 19, 2020, 1:33:03 PM
to TortoiseSVN
I think you should ask on how to set up path-based authorization in Apache for SVN on the Subversion users list, because that's server related, not really TSVN related:

zerat...@gmail.com

Mar 20, 2020, 4:35:41 AM
to TortoiseSVN
I don't think it's server related.

TSVN uses integrated Windows authentication before basic authentication. Even if you enter basic credentials.

That's not a big problem, but people should know it...

Stefan

Mar 21, 2020, 3:39:49 AM
to TortoiseSVN


On Friday, March 20, 2020 at 9:35:41 AM UTC+1, (unknown) wrote:
I don't think it's server related.

TSVN uses integrated Windows authentication before basic authentication. Even if you enter basic credentials.

That's not a big problem, but people should know it...


Yes, but that's the authentication. The problem here is authorization (i.e., which already authenticated user has access to which folders).


zerat...@gmail.com

Apr 3, 2020, 12:05:38 PM
to TortoiseSVN
Hi Stefan,

I am still not sure what the problem is.

1. I cleared all stored Windows credentials in the Windows credentials manager tool and cleared all Tortoise auth caches as admin.

2. I created a new Windows user and logged in to Windows with this newly created user.

3. Then I did a checkout and entered the newly created user's credentials in the basic authentication window popup.

Tortoise checked out all folders - even folders without permission! (In the Repo-Browser everything is correct.)

Where is the authorization cached?

If I use a new computer which never used Tortoise before and log in with the same new user, Tortoise checks out only the permitted folders. So my permissions are correct on the server side!

Greetings
Andy

Stefan

Apr 6, 2020, 1:16:51 AM
to TortoiseSVN
Check the server logs. You can find there which user got authenticated.
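
One way to do the log check suggested above, as an added example that is not part of the thread: it parses Apache access-log lines in the common log format (`%h %l %u %t "%r" %>s`) and lists successful requests served under a user name other than the one typed into the credentials prompt. The sample lines, the `/svn/repo` path, the user names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Prefix of Apache's common/combined log format: %h %l %u %t "%r" %>s
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z-]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Apr/2020:12:01:10 +0200] "OPTIONS /svn/repo/trunk HTTP/1.1" 401 381
192.0.2.10 - newuser [03/Apr/2020:12:01:12 +0200] "OPTIONS /svn/repo/trunk HTTP/1.1" 200 196
192.0.2.10 - newuser [03/Apr/2020:12:01:13 +0200] "PROPFIND /svn/repo/trunk/public HTTP/1.1" 207 512
192.0.2.10 - Administrator [03/Apr/2020:12:01:14 +0200] "PROPFIND /svn/repo/trunk/restricted HTTP/1.1" 207 498
192.0.2.10 - newuser [03/Apr/2020:12:01:15 +0200] "PROPFIND /svn/repo/trunk/restricted HTTP/1.1" 403 240
"""

def parse(log_text):
    """Yield one dict per line that matches the access-log prefix."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        # "-" in the %u field means no user name was logged for the request.
        rec["user"] = None if rec["user"] == "-" else rec["user"]
        yield rec

def users_per_client(log_text):
    """Map client address -> set of user names logged for that address."""
    seen = defaultdict(set)
    for rec in parse(log_text):
        if rec["user"]:
            seen[rec["host"]].add(rec["user"])
    return dict(seen)

def served_as_other_user(log_text, expected_user):
    """2xx requests whose logged user differs from the expected one.
    Only 2xx is considered: %u on a 401 response is not yet verified."""
    return [(r["time"], r["user"], r["method"], r["path"])
            for r in parse(log_text)
            if r["user"] and r["user"] != expected_user
            and 200 <= r["status"] < 300]

if __name__ == "__main__":
    print(users_per_client(SAMPLE_LOG))
    for hit in served_as_other_user(SAMPLE_LOG, "newuser"):
        print(hit)
```

A client address that appears with more than one user name, or any hit from `served_as_other_user`, shows that the server authorized the request for an identity other than the one entered in the prompt.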
