Strange behaviour of mod_authz_svn

Question

I've configured my svn server on apache2 like this:

<Location /svn_test>
    DAV svn
    SVNParentPath /path/to/SvnTest
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile "/path/to/passwd"
    AuthzSVNAccessFile "/path/to/authz"
    Require valid-user
    SVNAdvertiseV2Protocol Off
    AuthzSVNAnonymous Off
</Location>

And authz file configured like this:

[groups]
g=hy

[test:/]
hy=r
*=

[test:/subdir]
hy=r
*=

[test:/subdir1]
hy=rw
*=

The problem is, I want to control the subdir's permission separate from other directories, but if i change the permission of subdir1 to "rw", i can write to subdir, and if i change the permission of subdir1 to "r", subdir's permission become "r" as expected.

In fact, if i change any directory's permission to "rw", those directories i want it to be read-only, become writable.

I pasted some apache logs below, in case it's helpful.

Everytime i restart apache2, it complains about mismatch python version, but in spite of that, everything is normal, I'm sure if it's relevant:

[Fri Mar 27 15:55:44.381138 2015] [mpm_worker:notice] [pid 10693:tid 140245999884160] AH00295: caught SIGTERM, shutting down
[Fri Mar 27 15:55:45.111049 2015] [:error] [pid 13438:tid 139851301021568] python_init: Python version mismatch, expected '2.7.5+', found '2.7.4'.
[Fri Mar 27 15:55:45.111523 2015] [:error] [pid 13438:tid 139851301021568] python_init: Python executable found '/usr/bin/python'.
[Fri Mar 27 15:55:45.111556 2015] [:error] [pid 13438:tid 139851301021568] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
[Fri Mar 27 15:55:45.111585 2015] [:notice] [pid 13438:tid 139851301021568] mod_python: Creating 8 session mutexes based on 6 max processes and 25 max threads.
[Fri Mar 27 15:55:45.111600 2015] [:notice] [pid 13438:tid 139851301021568] mod_python: using mutex_directory /tmp 
[Fri Mar 27 15:55:45.122215 2015] [mpm_worker:notice] [pid 13438:tid 139851301021568] AH00292: Apache/2.4.6 (Ubuntu) SVN/1.7.9 mod_python/3.3.1 Python/2.7.4 configured -- resuming normal operations
[Fri Mar 27 15:55:45.122280 2015] [core:notice] [pid 13438:tid 139851301021568] AH00094: Command line: '/usr/sbin/apache2'

Answer 1

http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html :

By default, nobody has any access to the repository at all.

So you don't need to explicitly deny access for your paths.

I'd rewrite your config as follows:

[groups]
g = hy

[test:/]
hy = r

# Permissions are inherited from parent to child directory 
# and hy already has read access to the root of the repo and its subdirectories,
# so this can be skipped:
#[test:/subdir]
#hy = r

[test:/subdir1]
hy = rw