
I am trying to set up an svn server to use the Linux system accounts for authentication instead of an independent htpasswd file. I use Fedora 16 and followed this manual in order to install and set up mod_authnz_external and pwauth, then I set /etc/httpd/conf.d/subversion.conf as follows:

LoadModule dav_svn_module          modules/mod_dav_svn.so
LoadModule authz_svn_module        modules/mod_authz_svn.so
LoadModule authnz_external_module  modules/mod_authnz_external.so

AddExternalAuth pwauth /usr/local/libexec/pwauth
SetExternalAuthMethod pwauth pipe 

<Location /svn>
   DAV svn
   SVNParentPath /var/www/svn
   AuthType Basic
   AuthName "Subversion repositories PAM"
   AuthBasicProvider external
   AuthExternal pwauth
   Require valid-user
</Location>

But I cannot access the repository; all passwords are rejected. The Apache log file shows the following error:

exec of '/usr/local/libexec/pwauth' failed: (13) Permission denied
[Tue Jan 29 11:23:18 2013] [error] [client ::1] AuthExtern pwauth [/usr/local/libexec /pwauth]: Failed (255) for user tom
[Tue Jan 29 11:23:18 2013] [error] [client ::1] user tom: authentication failure for "/svn/project/trunk": Password Mismatch

What am I doing wrong? Thanks in advance.

P.S. I have tried pwauth as the apache user (sudo -u apache /usr/local/libexec/pwauth) and it works fine...

3 Answers

I have had the same experience trying to get pwauth to run on Scientific Linux 6.3 (another RH-based distro). SL comes with SELinux enabled by default. I did a

setenforce permissive

and things started working. /var/log/messages still has lots of messages, e.g.

Feb 7 14:59:26 VC-L001614-01 kernel: type=1400 audit(1360270766.350:44): avc: denied { execute } for pid=32154 comm="sh" name="pwauth" dev=dm-0 ino=290254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

I am going to try and get rid of the logging by disabling SELinux in /etc/selinux/conf and save correcting the SELinux security context issues for another day.

  • Thanks. When I disable SELinux, the authentication with PAM works correctly. However, I would like to keep SELinux active... I will dig a little deeper. One more thing: I have no messages about pwauth in /var/log/messages.
    Commented Feb 12, 2013 at 16:04

Stopping the enforcement of SELinux policies is rarely a solution. The best is to find the boolean which would allow the Apache server to execute the needed commands, or at worst to define a new policy for that (audit2allow might help with this last point).

The 'setenforce permissive' command is useful only for checking that selinux is the problem while keeping the logs active.

You might want to have a look at the following booleans: allow_httpd_mod_auth_pam

I think there is also one for the execution of system binaries but cannot find it again.

To have a list of available booleans: getsebool -a

To set a given boolean: setsebool
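As an added example (not from any of the answers above), a small POSIX shell helper that reduces AVC denial lines like the one quoted in the first answer to the fields you need before looking for a boolean with getsebool or building a policy with audit2allow: the denied permission, the source domain, the target type and the object class. The sample line is constructed from the quoted denial; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example (not from the answers above): triage SELinux AVC denials
# from /var/log/messages by reducing each line to the fields that decide
# which boolean, label or custom policy is needed.

# Constructed sample, modelled on the denial quoted in the first answer.
SAMPLE_AVC='Feb 7 14:59:26 host kernel: type=1400 audit(1360270766.350:44): avc: denied { execute } for pid=32154 comm="sh" name="pwauth" dev=dm-0 ino=290254 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file'

# avc_summary LINE
# Prints "PERM SOURCE_TYPE TARGET_TYPE TCLASS NAME" for an AVC denial;
# returns 1 (prints nothing) for any other log line.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ {
            perm = ""; stype = ""; ttype = ""; tclass = ""; name = "-"
            # the denied permission set sits between the braces
            if (match($0, /[{][^}]*[}]/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # the type is the third field of a user:role:type:level context
                if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
                else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
                else if (kv[1] == "tclass") { tclass = kv[2] }
                else if (kv[1] == "name") { name = kv[2]; gsub(/"/, "", name) }
            }
            print perm, stype, ttype, tclass, name
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# avc_unique < LOGFILE
# Collapses a noisy log to the distinct denials worth investigating.
avc_unique() {
    while IFS= read -r line; do
        avc_summary "$line" || true
    done | sort -u
}

# Stand-alone demo; prints "execute httpd_t usr_t file pwauth"
avc_summary "$SAMPLE_AVC"
```

Run it as `avc_unique < /var/log/messages` to get one line per distinct denial; here the summary says httpd_t was refused execute on a usr_t file, which is the combination to look up before touching any boolean.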


In the status code page for pwauth it says:

If you see a negative error code (or a number like 255 or 254) reported in the Apache error log, then that is an error code from mod_authnz_external and means that it was unable to run pwauth at all.

Following the documentation for mod-auth-external, it says:

The second error message is actually generated by mod_auth_external. It just says authentication failed for the user. Normally it would give the status code returned by the authenticator in parenthesis, but if the authenticator could not be executed it will show a phoney status code of -1 (which some systems display as 255).

It looks like you can't run pwauth from Apache; are you sure that you have switched to the right user at this point (as you can run it as apache)?

  • Yes, that is. In fact the log says why pwauth cannot be run: Permission denied. But I don't know why that happens, the permissions of the file are rwsr-xr-w (and I have also tried with rwxrwxrwx and with rwsrwxrwx) and all users, including the apache user, can run the file.
    – user1938733
    Commented Jan 29, 2013 at 19:55
  • Hmmm, have you tried the example setup in the doc that you reference? Does that work?
    – Andrew Cox
    Commented Jan 29, 2013 at 23:15
  • Yes, I tried and it didn't work. It gave the same error.
    – user1938733
    Commented Jan 30, 2013 at 20:20
  • Can you make a script that just returns a 0 error code and put that in place of pwauth, to check whether it's ExternalAuth or pwauth?
    – Andrew Cox
    Commented Jan 31, 2013 at 14:30
  • Thanks for your interest, Andrew. I just did what you said and I got the same error. The pwauth file is not executed... Probably the error is due to mod_authnz_external, or it requires a specific permission string that I don't know. Is there any other method similar to pwauth? It is just to try mod_authnz_external...
    – user1938733
    Commented Feb 1, 2013 at 21:15
