03-22-2006, 08:23 AM
|
#1
|
Member
Registered: Jun 2004
Location: Tampa, FL
Distribution: CentOS 3.x
Posts: 33
|
mod_security and Subversion (WebDAV?)
I can get Subversion to work ONLY if I disable mod_security. I believe this is because Subversion (using Apache) uses WebDAV, which uses methods besides GET, POST, etc.
Anyone know how to set up mod_security to allow Subversion? I'm guessing the most secure way would be to allow it only for the location to Subversion.
Thanks
|
|
|
03-22-2006, 08:40 AM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
Last time I checked DAV uses methods like LOCK, UNLOCK, PROPFIND, PROPPATCH, COPY, MOVE and MKCOL.
So AFAIK for each method you'd need some rule something like: "SecFilter "LOCK " pass". Maybe a <location> container works, just try it. FWIW, it's easier/faster/more efficient to post actual error messages.
|
|
|
03-22-2006, 09:04 AM
|
#3
|
Member
Registered: Jun 2004
Location: Tampa, FL
Distribution: CentOS 3.x
Posts: 33
Original Poster
|
Sorry, I made a conclusion on what the issue was, and forgot to mention the symptoms. This is what the SVN client (TortoiseSVN for Windows) is reporting:
Quote:
MKCOL of '/svn/proj/!svn/wrk/3619e3f3-83b2-874a-815b-7f80fe548963/proj_web/trunk':
405 Method Not Allowed (http://www.<domain>.com)
|
I'll try the suggestions you made above.
Thanks for the response
|
|
|
03-22-2006, 10:08 AM
|
#4
|
Member
Registered: Jun 2004
Location: Tampa, FL
Distribution: CentOS 3.x
Posts: 33
Original Poster
|
Reenabled mod_security, and I'm getting a "403 Forbidden" error when it's trying to do a PUT.
Here is my mod_security configuration:
Code:
LoadModule security_module /usr/lib/httpd/modules/mod_security.so
# Enable mod_security
SecFilterEngine On
# Retrieve request payload
SecFilterScanPOST On
# Reasonable automatic validation defaults
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat Off
SecFilterNormalizeCookies Off
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 0 255
# Reject invalid requests with status 403
SecFilterDefaultAction deny,log,status:403
# Only record the relevant information
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/audit_log
# Where to store temporary and intercepted files
SecUploadDir /var/log/httpd/files
# Do not store intercepted files for the time being
SecUploadKeepFiles Off
# Use 0 for the debug level in production
# and 4 for testing
SecFilterDebugLog /var/log/httpd/modsec_debug_log
SecFilterDebugLevel 0
SecServerSignature "Microsoft-IIS/5.0"
SecFilter PUT "allow"
|
|
|
03-22-2006, 03:48 PM
|
#5
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Reenabled mod_security, and I'm getting a "403 Forbidden" error when it's trying to do a PUT.
Maybe a <location> container works, just try it.
|
|
|
03-23-2006, 10:23 AM
|
#6
|
Member
Registered: Jun 2004
Location: Tampa, FL
Distribution: CentOS 3.x
Posts: 33
Original Poster
|
To answer my own question in case anyone else comes across this issue, unSpawn had the right idea.
The following worked great for me:
Code:
<Location /svn/proj>
SecFilterEngine Off
</Location>
Where /svn/proj is the location of the subversion repository.
|
|
|
03-23-2006, 02:18 PM
|
#7
|
Moderator
Registered: May 2001
Posts: 29,415
|
Code:
SecFilterEngine Off
So now it doesn't filter anything AFAIK wrt /svn/proj.
Shouldn't it be followed by what you want to filter for (like in the main portion of your config) leaving out only the WebDAV specific stuff?
|
|
|
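A narrower alternative along the lines post #7 raises, as an added example that does not come from any poster in the thread: filtering stays on for /svn/proj, the rules inherited from the main config are dropped, and only the HTTP methods a Subversion client sends are let through. It uses ModSecurity 1.x directives; the method list, the decision to turn body scanning off (on the assumption that the PUT body is what triggered the 403) and the sample URI rule are assumptions to confirm against the debug log of the server in question.

```apache
<Location /svn/proj>
    # Keep the engine running for the repository instead of switching it off
    SecFilterEngine On

    # Start from an empty rule set in this location, so rules written for
    # ordinary web content in the main config are not applied to WebDAV traffic
    SecFilterInheritance Off

    # Assumption: scanning the bodies of PUT/PROPPATCH/REPORT requests is
    # what the main config rejected, so body scanning is off here only
    SecFilterScanPOST Off

    # Validation that still applies to repository URLs
    SecFilterCheckURLEncoding On

    # Same default action as the main config
    SecFilterDefaultAction deny,log,status:403

    # Reject any method outside the set a Subversion-over-DAV client uses
    # (standard HTTP, WebDAV and DeltaV methods)
    SecFilterSelective REQUEST_METHOD "!^(OPTIONS|GET|HEAD|PUT|DELETE|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|REPORT|MKACTIVITY|CHECKOUT|MERGE)$"

    # Example of a rule kept for this location: reject path traversal
    SecFilterSelective REQUEST_URI "\.\./"
</Location>
```

Raising SecFilterDebugLevel to 4 while testing, as the comment in the posted config suggests, shows which rule or check rejects a given request before the setting is relaxed further.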
All times are GMT -5. The time now is 03:59 AM.