Read-Only and Read-Write SVN Repositories

Just got a comment on one of my posts from a while back about public SVN access wondering how to get it configured.  The basic idea is to have a single repository with anonymous read-only access, and have the same repository allow read-write access to authenticated users.  Further, you want to configure that on a per-directory basis (with inheritance, of course), so you can have different areas require different principals, and allow some sections to require authentication even for read access.

So without further ado, here's the magic configuration bits.

<Location /svn/barneyb>
    DAV             svn
    SVNPath         /path/to/svnroot/barneyb

    AuthType        Basic
    AuthName        "Subversion/Trac"
    AuthUserFile    /path/to/apache/conf/htpasswd

    AuthzSVNAccessFile  /path/to/apache/conf/authz.conf

    Satisfy     any
    Require     valid-user

In this case I'm just using Basic auth with an htpasswd file for authentication.  The magic line is the "AuthzSVNAccessFile" line, which defines the file to use for authorization.  Here's a snippet:

barneyb = rw

* = r
barneyb = rw

The first section says that for the root of the repository (/), only barneyb (me) is allowed access, and I'm allowed to read and write.  The second section says that for the /bicycle_dashboard path, I'm still allowed to read and write, but anyone is allowed to read.

The gotcha is that explicitly specified directories do not inherit from their parents.  At each specified level, you must define the full auth spec.  Full details on the authorization file can be found in the Subversion Book.  That link is for the nightly, so if you've got an old version of Subversion, you might want to go grab and older version of the book as well.  The general Apache docs can be found here.

40 responses to “Read-Only and Read-Write SVN Repositories”

  1. Nic Cottrell

    Would it be possible to have anonymous read-only access somehow? Or would I have to create an account in the passwords file called "anonymous" with a blank password or something to make this happen?

  2. Nic Cottrell

    Ok, so there's no need to have a username "*" in the specified AuthUserFile? I assumed that apache would authenticate against that file first before passing the request onto modsvn to check the per-directory authentication.

  3. TheElitist

    Hey Barney,

    Thanks a lot for this short guide, I was looking for this.
    If you don't mind I'll write a blog post on my own blog about this, But I'll note your url as the source.

    Regards, TheElitist

  4. Santhosh Kumar

    My subversion.conf file

       DAV svn
    SVNPath /var/www/svn/repos
          AuthType Basic
          AuthName "Authorization Realm"
    	AuthUserFile /etc/svn-auth-conf
    #      AuthUserFile /path/to/passwdfile
    #   SVNParentPath /var/www/svn
    	AuthzSVNAccessFile /etc/svn-authz
    	Satisfy any
      Require valid-user
    #   # Limit write permission to list of valid users.
    #      # Require SSL connection for password protection.
    #      # SSLRequireSSL

    My /etc/svn-authz File

    * = r
    san = rw
    santhosh = rw

    Only the santhosh and san are able to do commit. But if am trying from a differnt machine to my SVN server it's not asking for password or username. Please assit me

  5. Santhosh

    Yes , I agree with your words, The problem is only from one linux system it's not asking for password. I do not know why it is. Except this machine I tried from all other, it is working fine . While configuring for test purpose I used this particular machine as client, I had set ssl that time. I am not sure of the route cause of this.

    Now I want to configure SVN as follows..

    I have two svn server, if I am commiting from !st server it should reflect in the second server also. Is there any chance to execute this. If Yes, please assist me by telling how?

    Thanks for the reply… Waiting for your answer.

    Thanks a lot Barneyb……………..

    Santhosh Kumar K V

  6. Xeross


    Hmm for the syncing what you could do is this, you create a post-commit hook, in this post-commit hook script you execute a command on the remote server that pulls in all new changes, (svn export or something).

    Or you do something similar but with 10 minute (or more) intervals through a cron-job on the second server.

  7. Santhosh Kumar

    Hi barneyb and Xeross ..
    Thanks for your support. I have done it using rsync. But I have the problem existing still. Only from one client machine it's not asking for password. What could be the reason?

    I have used this particular machine while setting up the SVN Server.

  8. Santhosh Kumar

    Yes, It helped me!!!!!! Thanks a lot!!!!!!!!!!!

  9. Santhosh Kumar

    Hi barneyb

    Now I have another requirement… Please help me to solve this.
    The SVN User Should be able to change his own password.
    How to get this solved
    Thanks in advance!!!!

  10. Xeross

    @Santhosh: As you are using a passwd file to store users in you'd have to make that editable, but that would present a security risk, an alternative would be to use the MySQL auth module with Apache but I don't know how well that would work.

  11. Santhosh Kumar

    Yes! I am facing the same . Is there any alternative for it than MySQL

  12. Venugopal Prabhoo

    We have built a product (web application) , which helps you to manage a lot more in addition to user/user group authentication/authorization (htpasswd/path based authorization) , automatic backup scheduling etc for multiple project repositories. If anyone is interested, I can post the screencasts

  13. Rakesh

    Can you let me know how to make a trunk in the subversion repository as Read-Only?

    we want to use the branch to make all the changes to the code and leave the trunk as read only so that the code is not messed up.

    Thank you.

  14. Rakesh

    Barney, don't know if i'm being dumb, but where should I do this?

  15. Spuds


    Do you know of anyway in SVN to make a file read-only, besides the svn lock mechanism?

    I have a requirement to make one file read-only in SVN but know that SVN locks can be compromised easily.

    Thank you.

    - Spuds

  16. Counterpoint

    Some people seem to have problems protecting their repositories, I'm the opposite! Tried to add anonymous read access:

    * = r
    @aliro = rw

    but any attempt to access via Apache SSL demands a valid user name and password. How can I fix this?

  17. Counterpoint

    Thanks, Barney. You're right, I didn't have Satisfy Any. Also added AuthzSVNAnonymous On and AuthzSVNNoAuthWhenAnonymousAllowed On. I'm not certain whether they were necessary or not – it seems very difficult to find any relevant documentation. Seems to work though :)

  18. Mike

    Hi –
    Can you please explain what you mean by your last paragraph:

    " The gotcha is that explicitly specified directories do not inherit from their parents. At each specified level, you must define the full auth spec."

    As per:
    "Of course, permissions are inherited from parent to child directory."
    (The same text is also in version 1.0 of the SVN book – c. 2004?)

    Are you referring to something else?

  19. mike

    Thanks, Barney!

  20. vishal

    Santhosh, you can use system passwd file to authenticate the SVN on SVN server, so if user want to change their password they can login to the server and change their system password which will be used by SVN authentication .

    I think above solves your problem.

  21. Kalpesh Soni

    I have a reverse problem

    I wanted every one with valid user id having write access

    and a guest account with blank password having readonly access



    this does not work

    apache matched guest account with second line (as it is also part of *)

    and hence guest gets read write access!

    what do i do now?

  22. satheesh

    Am using svnserve 1.4 in windows 7. i want to set permission in authz file.
    i want to give the rw permission to the subfolder if root folder is read protected . why bcoz in my repository i have lot of files & folder. so want to give rw permission for some of files & sub folders only . other folders are invisible to the user…. means…. I want to give the rw permissions to the some of the sub folders only not the entire directory….. & sub directory

        group1 =
        group1 = rw
        group1 = rw

    If i give above code. Nothing is displayed…. Bcoz

        group1 =

    If i give

        group1 = rw

    All folders are visible to the "group1″. I dont want like this…

    other option is

        group1 =
        group1 =

    like all sub folder that are not needed for group1. i dont want do like this….

    pls anyone help me…………..

  23. sanjog

    Hello barneyb,

    I am very new to svn.
    I just have setup the server and client.
    I have created some repositories.
    My question is –>

    How do i restrict the access to some folder in a repository ? (That is, those folder should not even be visible to the user).

    Kindly suggest with the code.

  24. Karthik

    Hi Barney

    I’ve got both authentication and authorization working as they should be in my setup. However, path based restrictions don’t seem to work for sub folders. Please see Authz snippet below:

    ctrlMusers = user1, user2, user3
    [/]@ctrlM = r
    @ctrlM = rw
    @developers = r
    * =

    From the above, I’m restricting write access only to ctrlMusers. But sadly, ControlM folder has too many sub directories (SVNCOPY/ControlM/trunk/AciCore/build/release1)

    user3 is not able to commit a file under SVNCOPY/ControlM/trunk/AciCore/build/release1 even though he has RW access at the parent folder level (ControlM). How do I go about resolving this issue? Thanks.

  25. Karthik

    Barney – Thanks for your reply. I have got it working now. Yes, my repo name is all in caps (SVNCOPY) but the actual issue was that I didn't have to specify the repo name at all. Since I declared realm name as SYNCOPY, I guess it only needed to know the parent folder names at the root level. When I corrected, it started working as expected.

    Karthik Durairajan

  26. Matteo

    Hi Barney,
    I need exaclty what you explained in this post: a repo with RW acces to authenticated users, but with a subpath with anonymous readonly access. So i configured apache as you suggested:

    # Authorization
    AuthzSVNAccessFile my_auth_file
    Satisfy any
    Require valid-user

    And the authz file is as follows
    matteo = rw
    * = r
    mbrunettini = rw

    But it does not work on subversion 1.6.17
    Where Am I wrong?
    Thanks for you help.

  27. Matteo

    The problem is that if I do a chekcout of the anonymous-enabled subpath "public"as follows:
    svn co https://repo_url/public
    Apache always ask for a username and password