Path-Based Authorization for files

Thorsten Schöning tschoening at
Fri Sep 30 02:27:49 CDT 2011


Recently there was a posting on users at where one
states that path-based authorization is able to restrict access on
files. In the appropriate section of your book only directories are
mentioned and as this is a common reference, I would appreciate it if
you're able to add a paragraph just mentioning that everything works
with files, too, as they are only paths like directories. I attached
a very small patch which I find would be enough for me as a notice.

Index: ch06-server-configuration.xml
--- ch06-server-configuration.xml       (Revision 4098)
+++ ch06-server-configuration.xml       (Arbeitskopie)
@@ -552,7 +552,7 @@
 $ svnserve -i
 ( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops d\
-epth log-revprops atomic-revprops partial-replay ) ) ) 
+epth log-revprops atomic-revprops partial-replay ) ) )
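
Review bot: The only change in this hunk is the removal of a trailing space at the end of the `epth log-revprops atomic-revprops partial-replay ) ) )` line in the sample svnserve output, which has nothing to do with path-based authorization for files. Please drop the whitespace-only hunks (this one and the ones at -1539 and -1565) or send them as a separate cleanup, so the patch shows only the two documentation additions.
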
@@ -1539,7 +1539,7 @@
         <para>This example allows both Harry and Sally to connect to
           the same account via public key authentication.  Each of
           them has a custom command that will be executed;
-          the <option>--tunnel-user</option> option 
+          the <option>--tunnel-user</option> option
           tells <command>svnserve</command> to assume that the named
           argument is the authenticated user.  Without
           <option>--tunnel-user</option>, it would appear as though
@@ -1565,7 +1565,7 @@
         <para>Note that this all must be on one line—truly on
-          one line—since SSH <filename>authorized_keys</filename> 
+          one line—since SSH <filename>authorized_keys</filename>
           files do not even allow the conventional backslash character
           (<literal>\</literal>) for line continuation.  The only
           reason we've shown it with a line break is to fit it on
@@ -1918,7 +1918,7 @@
           <ulink url=""
           />.</para></footnote> for managing files containing
           usernames and passwords.</para>
           <para>Basic authentication is <emphasis>extremely</emphasis>
             insecure, because it sends passwords over the network
@@ -1929,7 +1929,7 @@
         <para>First, create a password file and grant access to
           users Harry and Sally:</para>
 $ ### First time: use -c to create the file
@@ -1982,7 +1982,7 @@
               location of the password file to use.</para>
         <para>However, this <literal><Location></literal> block
           doesn't yet do anything useful.  It merely tells Apache that
           <emphasis>if</emphasis> authorization were required, it
@@ -2021,7 +2021,7 @@
       <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
       <sect3 id="svn.serverconfig.httpd.authn.digest">
         <title>Digest authentication</title>
         <para>Digest authentication is an improvement on Basic
           authentication which allows the server to verify a client's
           identity without sending the password over the network
@@ -2643,7 +2643,7 @@
           <para>What if the thing you're trying to view no longer exists
             in the youngest revision of the repository?  That's where a
             peg revision is handy:</para>
@@ -2671,7 +2671,7 @@
             detailed explanation of these <quote>peg revision</quote>
             and <quote>operative revision</quote> concepts.  They can
             be a bit tricky to wrap your head around.</para>
           <para>As a reminder, this feature
             of <command>mod_dav_svn</command> offers only a limited
             repository browsing experience.  You can see directory
@@ -2689,7 +2689,7 @@
             a much wider set of features, including the display of the
             aforementioned property sets, display of content
             differences between file revisions, and so on.</para>
         <sect4 id="svn.serverconfig.httpd.extra.browsing.mimetype">
@@ -3208,7 +3208,7 @@
             Subversion <literal><Location></literal> block with
             the <literal>SVNAdvertiseV2Protocol Off</literal>
             <para>For the best results possible, try to run the same
               version of Subversion on your master and slave
@@ -3293,7 +3293,8 @@
       One set of users may have permission to write to a certain
       directory in the repository, but not others; another directory
       might not even be readable by all but a few special
-      people.</para>
+      people.  As files are paths, too, it's even possible to restrict
+      access on a per file basis.</para>
     <para>Both servers use a common file format to describe these
       path-based access rules.  In the case of Apache, one needs to
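
Review bot: In the added sentence "As files are paths, too, it's even possible to restrict access on a per file basis", "per file basis" should be hyphenated as "per-file basis". The preceding context still speaks only of "a certain directory" and "another directory", so the new sentence reads as an afterthought. Consider wording it as a direct statement that the same rules can name an individual file, since access control is the point a reader will be looking for here.
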
@@ -3673,6 +3674,20 @@
+    <para>All of the above examples use directories, because defining
+      access rules on them is the most common case.  But as files are
+      paths just like directories, Subversion is similarly able to
+      restrict access on them.
+    </para>
+    <informalexample>
+      <programlisting>
+harry = rw
+sally = r
+    </informalexample>
     <!-- ### FIXME: This is very Neon-specific. -->
       <title>Partial Readability and Checkouts</title>
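
Review bot: The example inside the added <informalexample> shows only `harry = rw` and `sally = r` with no section header naming a file path, so as it appears here it does not actually demonstrate a per-file rule. The bracketed path line for the file should be the first line of the listing. The <programlisting> opened in this hunk also has no closing </programlisting> before </informalexample>, which would leave the XML not well-formed. The hunk header announces 14 added lines but fewer are visible, so please check that the attached diff contains the missing lines.
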
@@ -3734,7 +3749,7 @@
       configuration mechanisms—see
       <xref linkend="svn.serverconfig.httpd.extra.logging"/> for
     <para>The following is a list of Subversion action log messages
       produced by its high-level logging mechanism, followed by one or
       more examples of the log message as it appears in the log

Kind regards,

Thorsten Schöning

AM-SoFT IT-Systeme - Hameln | Potsdam | Leipzig
Telefon: Potsdam: 0331-743881-0
E-Mail:  tschoening at

AM-SoFT GmbH IT-Systeme, Konsumhof 1-5, 14482 Potsdam
Amtsgericht Potsdam HRB 21278 P, Geschäftsführer: Andreas Muchow
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ch06-server-configuration.xml.diff
Type: application/octet-stream
Size: 5794 bytes
Desc: not available