* Re: [gentoo-user] {OT} Development framework with access restriction?
@ 2011-10-01 5:58 Pandu Poluan
0 siblings, 0 replies; 27+ messages in thread
From: Pandu Poluan @ 2011-10-01 5:58 UTC
To: gentoo-user
On Oct 1, 2011 7:26 AM, "Michael Orlitzky" <michael@orlitzky.com> wrote:
>
> On 09/30/2011 07:59 PM, Grant wrote:
> >
> > Thanks for that. I haven't thought it all the way through, but if
> > Unix ownership and permissions aren't granular enough and subversion's
> > path-based authorization won't work, I will need to use ACLs. I think
> > both subversion's path-based authorization and Unix
> > ownership/permissions would be simpler to implement and maintain than
> > ACLs so I'm hoping it doesn't come to that.
> >
>
> ACLs really aren't as bad as they look at first. They work just like
> permissions on Windows, which are one of the few things it does right.
> My example is made much more difficult because /var/www contains
> directories writable by other customers.
>
> I know *my* config.php files are chgrp apache and chmod 660, but I don't
> expect everyone else to be so careful (and they shouldn't have to be).
>
> If you are going to go the version control route, I would suggest
> setting up a new repository with only the code that he will be working
> on. You can use a post-update script (or whatever svn calls them) on the
> server to pull his code into production. He doesn't need to access the
> files directly.
>
+1 on production server pulling from $VCS.
I'm currently assisting a friend of mine, who's the CEO of a business
incubator. In order to force the startups to use the $VCS, we require them
to first commit their code to the $VCS, then have a script pull the newest
version into production.
At first, they whined. Oh, how they whined! But after the $VCS saved their
bacon many times, now they're firm believers in version control :-)
Rgds,
* [gentoo-user] {OT} Development framework with access restriction?
@ 2011-09-26 20:01 Grant
2011-09-26 21:37 ` Michael Orlitzky
2011-09-27 12:19 ` Jonas de Buhr
0 siblings, 2 replies; 27+ messages in thread
From: Grant @ 2011-09-26 20:01 UTC
To: Gentoo mailing list
I'd like to hire a freelancer to work on my website. I don't want to
provide access to all of my code, but instead only the particular file
or files being worked on. Does anyone know of a development framework
that would help facilitate that sort of thing? Would no shell access
along with restricted SFTP access be the simplest, safest, most
effective way to go?
- Grant
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-26 20:01 Grant
@ 2011-09-26 21:37 ` Michael Orlitzky
2011-09-27 11:27 ` Mick
2011-09-29 1:18 ` Grant
2011-09-27 12:19 ` Jonas de Buhr
1 sibling, 2 replies; 27+ messages in thread
From: Michael Orlitzky @ 2011-09-26 21:37 UTC
To: gentoo-user
On 09/26/11 16:01, Grant wrote:
> I'd like to hire a freelancer to work on my website. I don't want to
> provide access to all of my code, but instead only the particular file
> or files being worked on. Does anyone know of a development framework
> that would help facilitate that sort of thing? Would no shell access
> along with restricted SFTP access be the simplest, safest, most
> effective way to go?
Why not just send him the stuff he should be working on? He can run his
own Apache/PHP/whatever on his development machine. When he's done, he
can send you a tarball of the site files and maybe a SQL dump if you're
using a database.
That's the easiest one-off solution. If you're looking for something
more permanent, another idea is to have a "public" git repo somewhere
while the developers all work on their own workstations. SQL changes can
be made via numbered migrations, e.g.,
001-create_users_table.sql
002-create_nodes_table.sql
003-disregard_that_drop_users_table.sql
and devs can push everything to the git repo, as long as it's a
fast-forward (so they can't trash the repo history).
Once you're ready to move something live, an admin logs in to the
production box, does a `git pull`, and then runs the migrations or makefile.
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-26 21:37 ` Michael Orlitzky
@ 2011-09-27 11:27 ` Mick
2011-09-29 1:18 ` Grant
1 sibling, 0 replies; 27+ messages in thread
From: Mick @ 2011-09-27 11:27 UTC
To: gentoo-user
On Monday 26 Sep 2011 22:37:10 Michael Orlitzky wrote:
> On 09/26/11 16:01, Grant wrote:
> > I'd like to hire a freelancer to work on my website. I don't want to
> > provide access to all of my code, but instead only the particular file
> > or files being worked on. Does anyone know of a development framework
> > that would help facilitate that sort of thing? Would no shell access
> > along with restricted SFTP access be the simplest, safest, most
> > effective way to go?
>
> Why not just send him the stuff he should be working on? He can run his
> own Apache/PHP/whatever on his development machine. When he's done, he
> can send you a tarball of the site files and maybe a SQL dump if you're
> using a database.
>
> That's the easiest one-off solution. If you're looking for something
> more permanent, another idea is to have a "public" git repo somewhere
> while the developers all work on their own workstations. SQL changes can
> be made via numbered migrations, e.g.,
>
> 001-create_users_table.sql
> 002-create_nodes_table.sql
> 003-disregard_that_drop_users_table.sql
>
> and devs can push everything to the git repo, as long as it's a
> fast-forward (so they can't trash the repo history).
>
> Once you're ready to move something live, an admin logs in to the
> production box, does a `git pull`, and then runs the migrations or
> makefile.
Or, create a demo-site (in a subdomain blocked by robots.txt so that your
google rankings are not messed up) and let him rip. Then diff the live and
demo files to see what's been changed? The demo can have different passwds
and what not to ensure access controls as necessary.
--
Regards,
Mick
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-26 21:37 ` Michael Orlitzky
2011-09-27 11:27 ` Mick
@ 2011-09-29 1:18 ` Grant
2011-09-29 2:23 ` Grant
1 sibling, 1 reply; 27+ messages in thread
From: Grant @ 2011-09-29 1:18 UTC
To: gentoo-user
>> I'd like to hire a freelancer to work on my website. I don't want to
>> provide access to all of my code, but instead only the particular file
>> or files being worked on. Does anyone know of a development framework
>> that would help facilitate that sort of thing? Would no shell access
>> along with restricted SFTP access be the simplest, safest, most
>> effective way to go?
>
> Why not just send him the stuff he should be working on? He can run his
> own Apache/PHP/whatever on his development machine. When he's done, he
> can send you a tarball of the site files and maybe a SQL dump if you're
> using a database.
The problem with that is he will need to test his code in the working
system. I need a way for him to be able to read/write to a certain
file or files within the working system, but have no read/write access
to any other files in the system.
Is SFTP perhaps the way to go for this?
- Grant
> That's the easiest one-off solution. If you're looking for something
> more permanent, another idea is to have a "public" git repo somewhere
> while the developers all work on their own workstations. SQL changes can
> be made via numbered migrations, e.g.,
>
> 001-create_users_table.sql
> 002-create_nodes_table.sql
> 003-disregard_that_drop_users_table.sql
>
> and devs can push everything to the git repo, as long as it's a
> fast-forward (so they can't trash the repo history).
>
> Once you're ready to move something live, an admin logs in to the
> production box, does a `git pull`, and then runs the migrations or makefile.
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-29 1:18 ` Grant
@ 2011-09-29 2:23 ` Grant
2011-09-29 6:57 ` Jonas de Buhr
2011-09-29 8:13 ` Neil Bothwick
0 siblings, 2 replies; 27+ messages in thread
From: Grant @ 2011-09-29 2:23 UTC
To: gentoo-user
>>> I'd like to hire a freelancer to work on my website. I don't want to
>>> provide access to all of my code, but instead only the particular file
>>> or files being worked on. Does anyone know of a development framework
>>> that would help facilitate that sort of thing? Would no shell access
>>> along with restricted SFTP access be the simplest, safest, most
>>> effective way to go?
>>
>> Why not just send him the stuff he should be working on? He can run his
>> own Apache/PHP/whatever on his development machine. When he's done, he
>> can send you a tarball of the site files and maybe a SQL dump if you're
>> using a database.
>
> The problem with that is he will need to test his code in the working
> system. I need a way for him to be able to read/write to a certain
> file or files within the working system, but have no read/write access
> to any other files in the system.
>
> Is SFTP perhaps the way to go for this?
>
> - Grant
For some reason I thought SFTP would provide access control but now
I'm thinking it's just like SSH in that access control is based on
file ownership and permissions? If that's the case, can anyone think
of a better way to control remote access to my files than chmod/chown?
I think it would be nice if the access control were built into the
transport mechanism, version control system, or something else already
in use, but it doesn't sound like that's going to happen.
- Grant
>> That's the easiest one-off solution. If you're looking for something
>> more permanent, another idea is to have a "public" git repo somewhere
>> while the developers all work on their own workstations. SQL changes can
>> be made via numbered migrations, e.g.,
>>
>> 001-create_users_table.sql
>> 002-create_nodes_table.sql
>> 003-disregard_that_drop_users_table.sql
>>
>> and devs can push everything to the git repo, as long as it's a
>> fast-forward (so they can't trash the repo history).
>>
>> Once you're ready to move something live, an admin logs in to the
>> production box, does a `git pull`, and then runs the migrations or makefile.
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-29 2:23 ` Grant
@ 2011-09-29 6:57 ` Jonas de Buhr
2011-09-29 7:32 ` Mick
2011-09-29 8:13 ` Neil Bothwick
1 sibling, 1 reply; 27+ messages in thread
From: Jonas de Buhr @ 2011-09-29 6:57 UTC
To: gentoo-user
>> The problem with that is he will need to test his code in the working
>> system.
why in the production system?
>> I need a way for him to be able to read/write to a certain
>> file or files within the working system, but have no read/write
>> access to any other files in the system.
>>
>> Is SFTP perhaps the way to go for this?
>>
>> - Grant
>
>For some reason I thought SFTP would provide access control but now
>I'm thinking it's just like SSH in that access control is based on
>file ownership and permissions?
yes.
> If that's the case, can anyone think
>of a better way to control remote access to my files than chmod/chown?
someone already did ;)
http://www.gentoo-wiki.info/HOWTO_Use_filesystem_ACLs
> I think it would be nice if the access control were built into the
>transport mechanism, version control system, or something else already
>in use, but it doesn't sound like that's going to happen.
it's certainly possible to control the write access with ACLs. read
access however is a different story because as soon as his code runs in
the context of the web browser he will likely be able to read the rest of
the code.
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-29 6:57 ` Jonas de Buhr
@ 2011-09-29 7:32 ` Mick
2011-09-30 23:53 ` Grant
0 siblings, 1 reply; 27+ messages in thread
From: Mick @ 2011-09-29 7:32 UTC
To: gentoo-user
On Thursday 29 Sep 2011 07:57:49 Jonas de Buhr wrote:
> >> The problem with that is he will need to test his code in the working
> >> system.
>
> why in the production system?
>
> >>I need a way for him to be able to read/write to a certain
> >>
> >> file or files within the working system, but have no read/write
> >> access to any other files in the system.
> >>
> >> Is SFTP perhaps the way to go for this?
> >>
> >> - Grant
> >
> >For some reason I thought SFTP would provide access control but now
> >I'm thinking it's just like SSH in that access control is based on
> >file ownership and permissions?
>
> yes.
>
> > If that's the case, can anyone think
> >
> >of a better way to control remote access to my files than chmod/chown?
>
> someone already did ;)
> http://www.gentoo-wiki.info/HOWTO_Use_filesystem_ACLs
>
> > I think it would be nice if the access control were built into the
> >
> >transport mechanism, version control system, or something else already
> >in use, but it doesn't sound like that's going to happen.
>
> it's certainly possible to control the write access with ACLs. read
> access however is a different story because as soon as his code runs in
> the context of the web browser he will likely be able to read the rest of
> the code.
I'm not sure if you are overcomplicating this by trying to use Unix
permissions. Have you instead considered webdav? You can restrict this to
particular (apache) users/groups, directories, files. It also uses lockfiles
so two users editing a file simultaneously will cause a warning when you
try to save it.
--
Regards,
Mick
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-29 7:32 ` Mick
@ 2011-09-30 23:53 ` Grant
2011-10-01 11:07 ` Florian Philipp
0 siblings, 1 reply; 27+ messages in thread
From: Grant @ 2011-09-30 23:53 UTC
To: gentoo-user
> I'm not sure if you are overcomplicating this by trying to use Unix
> permissions. Have you instead considered webdav? You can restrict this to
> particular (apache) users/groups, directories, files. It also uses lockfiles
> so two users editing a file simultaneously will cause a warning when you
> try to save it.
How does webdav relate to something like subversion? Do they
complement each other or are they substitutes?
- Grant
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-30 23:53 ` Grant
@ 2011-10-01 11:07 ` Florian Philipp
2011-10-01 23:27 ` Grant
0 siblings, 1 reply; 27+ messages in thread
From: Florian Philipp @ 2011-10-01 11:07 UTC
To: gentoo-user
On 01.10.2011 01:53, Grant wrote:
>> I'm not sure if you are overcomplicating this by trying to use Unix
>> permissions. Have you instead considered webdav? You can restrict this to
>> particular (apache) users/groups, directories, files. It also uses lockfiles
>> so two users editing a file simultaneously will cause a warning when you
>> try to save it.
>
> How does webdav relate to something like subversion? Do they
> complement each other or are they substitutes?
>
> - Grant
>
WebDAV has no version control. It is just an extension to HTTP for
distributed authoring. It supports locking files and methods which make
it more filesystem-like. AFAIK SVN uses WebDAV for its HTTP transfer
protocol.
Regards,
Florian Philipp
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-10-01 11:07 ` Florian Philipp
@ 2011-10-01 23:27 ` Grant
2011-10-02 22:41 ` Mick
0 siblings, 1 reply; 27+ messages in thread
From: Grant @ 2011-10-01 23:27 UTC
To: gentoo-user
>>> I'm not sure if you are overcomplicating this by trying to use Unix
>>> permissions. Have you instead considered webdav? You can restrict this to
>>> particular (apache) users/groups, directories, files. It also uses lockfiles
>>> so two users editing a file simultaneously will cause a warning when you
>>> try to save it.
>>
>> How does webdav relate to something like subversion? Do they
>> complement each other or are they substitutes?
>>
>> - Grant
>>
>
> WebDAV has no version control. It is just an extension to HTTP for
> distributed authoring. It supports locking files and methods which make
> it more filesystem-like. AFAIK SVN uses WebDAV for its HTTP transfer
> protocol.
Got it. It sounds like I could use WebDAV in conjunction with
subversion or git. I'll look into that.
- Grant
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-10-01 23:27 ` Grant
@ 2011-10-02 22:41 ` Mick
2011-10-03 22:01 ` Grant
0 siblings, 1 reply; 27+ messages in thread
From: Mick @ 2011-10-02 22:41 UTC
To: gentoo-user
On Sunday 02 Oct 2011 00:27:23 Grant wrote:
> >>> I'm not sure if you are overcomplicating this by trying to use Unix
> >>> permissions. Have you instead considered webdav? You can restrict this
> >>> to particular (apache) users/groups, directories, files. It also uses
> >>> lockfiles so two users editing a file simultaneously will cause a
> >>> warning when you try to save it.
> >>
> >> How does webdav relate to something like subversion? Do they
> >> complement each other or are they substitutes?
> >>
> >> - Grant
> >
> > WebDAV has no version control. It is just an extension to HTTP for
> > distributed authoring. It supports locking files and methods which make
> > it more filesystem-like. AFAIK SVN uses WebDAV for its HTTP transfer
> > protocol.
>
> Got it. It sounds like I could use WebDAV in conjunction with
> subversion or git. I'll look into that.
The reason I mentioned webdav(s) earlier was because you can have granular
control of what each user can access. You need specify only what
directory/file you want them to be able to access and they shouldn't have
access to anything else.
Also, you don't need to give them shell access - which I find
(psychologically) more reassuring. ;-)
--
Regards,
Mick
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-10-02 22:41 ` Mick
@ 2011-10-03 22:01 ` Grant
2011-10-03 22:12 ` Michael Mol
0 siblings, 1 reply; 27+ messages in thread
From: Grant @ 2011-10-03 22:01 UTC
To: gentoo-user
>> >>> I'm not sure if you are overcomplicating this by trying to use Unix
>> >>> permissions. Have you instead considered webdav? You can restrict this
>> >>> to particular (apache) users/groups, directories, files. It also uses
>> >>> lockfiles so two users editing a file simultaneously will cause a
>> >>> warning when you try to save it.
>> >>
>> >> How does webdav relate to something like subversion? Do they
>> >> complement each other or are they substitutes?
>> >>
>> >> - Grant
>> >
>> > WebDAV has no version control. It is just an extension to HTTP for
>> > distributed authoring. It supports locking files and methods which make
>> > it more filesystem-like. AFAIK SVN uses WebDAV for its HTTP transfer
>> > protocol.
>>
>> Got it. It sounds like I could use WebDAV in conjunction with
>> subversion or git. I'll look into that.
>
> The reason I mentioned webdav(s) earlier was because you can have granular
> control of what each user can access. You need specify only what
> directory/file you want them to be able to access and they shouldn't have
> access to anything else.
I believe the same is accomplished through the use of subversion's
path-based authorization.
> Also, you don't need to give them shell access - which I find
> (psychologically) more reassuring. ;-)
I like that a lot. The way I understand it, in order to edit a file
with subversion, you would check out the file from the repository to
your local machine, edit it on your local machine, and commit your
changes to the repository. How does the workflow change with webdav?
- Grant
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-10-03 22:01 ` Grant
@ 2011-10-03 22:12 ` Michael Mol
0 siblings, 0 replies; 27+ messages in thread
From: Michael Mol @ 2011-10-03 22:12 UTC
To: gentoo-user
On Mon, Oct 3, 2011 at 6:01 PM, Grant <emailgrant@gmail.com> wrote:
>>> >>> I'm not sure if you are overcomplicating this by trying to use Unix
>>> >>> permissions. Have you instead considered webdav? You can restrict this
>>> >>> to particular (apache) users/groups, directories, files. It also uses
>>> >>> lockfiles so two users editing a file simultaneously will cause a
>>> >>> warning when you try to save it.
>>> >>
>>> >> How does webdav relate to something like subversion? Do they
>>> >> complement each other or are they substitutes?
>>> >>
>>> >> - Grant
>>> >
>>> > WebDAV has no version control. It is just an extension to HTTP for
>>> > distributed authoring. It supports locking files and methods which make
>>> > it more filesystem-like. AFAIK SVN uses WebDAV for its HTTP transfer
>>> > protocol.
>>>
>>> Got it. It sounds like I could use WebDAV in conjunction with
>>> subversion or git. I'll look into that.
>>
>> The reason I mentioned webdav(s) earlier was because you can have granular
>> control of what each user can access. You need specify only what
>> directory/file you want them to be able to access and they shouldn't have
>> access to anything else.
>
> I believe the same is accomplished through the use of subversion's
> path-based authorization.
>
>> Also, you don't need to give them shell access - which I find
>> (psychologically) more reassuring. ;-)
>
> I like that a lot. The way I understand it, in order to edit a file
> with subversion, you would check out the file from the repository to
> your local machine, edit it on your local machine, and commit your
> changes to the repository. How does the workflow change with webdav?
It doesn't need to. From the user's perspective, the URI to the repo
changes. That's pretty much it. (I.e. we went from
svn://servername/path to https://servername/svn/path )
--
:wq
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-29 2:23 ` Grant
2011-09-29 6:57 ` Jonas de Buhr
@ 2011-09-29 8:13 ` Neil Bothwick
2011-09-29 17:23 ` Michael Orlitzky
1 sibling, 1 reply; 27+ messages in thread
From: Neil Bothwick @ 2011-09-29 8:13 UTC
To: gentoo-user
On Wed, 28 Sep 2011 19:23:30 -0700, Grant wrote:
> For some reason I thought SFTP would provide access control but now
> I'm thinking it's just like SSH in that access control is based on
> file ownership and permissions? If that's the case, can anyone think
> of a better way to control remote access to my files than chmod/chown?
ACLs.
--
Neil Bothwick
It may be that your sole purpose in life is simply to serve as a
warning to others.
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-29 8:13 ` Neil Bothwick
@ 2011-09-29 17:23 ` Michael Orlitzky
2011-09-30 23:59 ` Grant
0 siblings, 1 reply; 27+ messages in thread
From: Michael Orlitzky @ 2011-09-29 17:23 UTC
To: gentoo-user
On 09/29/2011 04:13 AM, Neil Bothwick wrote:
> On Wed, 28 Sep 2011 19:23:30 -0700, Grant wrote:
>
>> For some reason I thought SFTP would provide access control but now
>> I'm thinking it's just like SSH in that access control is based on
>> file ownership and permissions? If that's the case, can anyone think
>> of a better way to control remote access to my files than chmod/chown?
>
> ACLs.
>
We went this route once too. We had a developer ($USER) who was supposed
to have access to just one subdirectory of /var/www.
I took notes, assuming /etc, /root, and /usr have correct permissions:

  1. A group named ssh_users was created. The $USER account was
     added as a member of this group.

  2. The ssh_users group was granted the ability to traverse /var/www:

       setfacl -m group:ssh_users:--x /var/www

     This is necessary to allow the $USER user to chdir into its
     home directory in /var/www/$HIS_HOME_DIR.

  3. A default ACL was set on /var/www which will apply to each new
     subdirectory created within it.

       setfacl -d --set u::rwx,g::rx,g:ssh_users:-,o::rx /var/www

     This prevents members of the ssh_users group from traversing any
     newly-created subdirectories of /var/www.

  4. The default ACL described above was applied manually to each of
     the existing subdirectories of /var/www:

       setfacl -m g:ssh_users:- /var/www/*

     Warning: At the time of writing, there were no regular files in
     /var/www, so the above command makes sense. Don't blindly run it
     again without checking.

  5. The $USER user was granted full read/write/traverse permissions
     on its home directory and all subdirectories/files contained
     therein:

       setfacl -R -m u:$USER:rwx /var/www/$HIS_HOME_DIR

  6. At this point, we need to change the default ACLs of every
     directory within /var/www/$HIS_HOME_DIR. This is so that, when
     $USER creates a new file/directory somewhere beneath its home
     directory, it has access to the newly-created file or directory:

       setfacl -d -R --set u::rwx,u:$USER:rwx,g::rx,o::rx /var/www/$HIS_HOME_DIR

     This command sets the default ACL recursively, and is smart
     enough to only apply the command to directories.
^ permalink raw reply [flat|nested] 27+ messages in thread
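Added example (not part of the message above or of its author's notes): a small Python model of the access-check order described in acl(5), run over ACLs shaped like the ones steps 2, 4 and 5 build. The account names, owners and modes are constructed, and `freelancer` stands in for $USER. It shows why the `g:ssh_users:-` entry denies traversal even where `other` is `r-x`, and two later changes that alter the outcome.

```python
# Added example: a model of the POSIX ACL access check from acl(5).
# All account names, owners and modes below are constructed for illustration.
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Set, Tuple

R, W, X = 4, 2, 1


def perm(text: str) -> int:
    """Turn 'r-x', '--x' or '-' into a permission bitmask."""
    return sum(bit for ch, bit in (("r", R), ("w", W), ("x", X)) if ch in text)


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int                                          # user::
    group_obj: int                                         # group::
    other: int                                             # other::
    users: Dict[str, int] = field(default_factory=dict)    # user:NAME:
    groups: Dict[str, int] = field(default_factory=dict)   # group:NAME:
    mask: Optional[int] = None    # None: recomputed, as setfacl does by default

    def effective_mask(self) -> int:
        if self.mask is not None:
            return self.mask
        union = self.group_obj
        for bits in list(self.users.values()) + list(self.groups.values()):
            union |= bits
        return union


def check(acl: Acl, user: str, groups: Set[str], want: int) -> Tuple[bool, str]:
    """Return (granted, deciding entry). The first matching class decides."""
    mask = acl.effective_mask()
    if user == acl.owner:                        # 1. owner: not masked
        return (acl.user_obj & want) == want, "user::"
    if user in acl.users:                        # 2. named user: masked
        return (acl.users[user] & mask & want) == want, f"user:{user}"
    matched = []                                 # 3. owning group + named groups
    if acl.group in groups:
        matched.append(("group::", acl.group_obj))
    matched += [(f"group:{g}", b) for g, b in acl.groups.items() if g in groups]
    for name, bits in matched:
        if (bits & mask & want) == want:         # any matching group entry may grant
            return True, name
    if matched:                                  # a group matched: never falls to other
        return False, matched[0][0]
    return (acl.other & want) == want, "other::"   # 4. everyone else


DEV = "freelancer"                               # stands in for $USER
DEV_GROUPS = {"freelancer", "ssh_users"}

# /var/www after step 2 (assumed root:root 0755 plus group:ssh_users:--x)
WWW = Acl("root", "root", perm("rwx"), perm("r-x"), perm("r-x"),
          groups={"ssh_users": perm("--x")})
# Another customer's directory before and after step 4
CUSTOMER_BEFORE = Acl("customer_a", "customer_a",
                      perm("rwx"), perm("r-x"), perm("r-x"))
CUSTOMER_AFTER = replace(CUSTOMER_BEFORE, groups={"ssh_users": perm("-")})
# $HIS_HOME_DIR after steps 4 and 5
DEV_HOME = Acl("root", "root", perm("rwx"), perm("r-x"), perm("r-x"),
               users={DEV: perm("rwx")}, groups={"ssh_users": perm("-")})


def caveats():
    """Two later changes that alter the result of the setup."""
    # The account gains a second group that matches group:: on the directory:
    # that entry grants, so the ssh_users deny entry no longer decides.
    shared = replace(CUSTOMER_AFTER, group="apache")
    regrant = check(shared, DEV, DEV_GROUPS | {"apache"}, perm("r-x"))
    # chmod g-rwx on a path that has an ACL rewrites the mask, not group::,
    # which strips the named-user entry of its effective rights.
    revoked = check(replace(DEV_HOME, mask=perm("-")), DEV, DEV_GROUPS, perm("rwx"))
    return regrant, revoked


if __name__ == "__main__":
    for label, acl, want in [
        ("traverse /var/www", WWW, X),
        ("list /var/www", WWW, R),
        ("enter customer dir, before step 4", CUSTOMER_BEFORE, X),
        ("enter customer dir, after step 4", CUSTOMER_AFTER, X),
        ("rwx in own directory", DEV_HOME, perm("rwx")),
    ]:
        print(label, check(acl, DEV, DEV_GROUPS, want))
    print("caveats", caveats())
```
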
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-29 17:23 ` Michael Orlitzky
@ 2011-09-30 23:59 ` Grant
2011-10-01 0:23 ` Michael Orlitzky
0 siblings, 1 reply; 27+ messages in thread
From: Grant @ 2011-09-30 23:59 UTC
To: gentoo-user
>>> For some reason I thought SFTP would provide access control but now
>>> I'm thinking it's just like SSH in that access control is based on
>>> file ownership and permissions? If that's the case, can anyone think
>>> of a better way to control remote access to my files than chmod/chown?
>>
>> ACLs.
>>
>
> We went this route once too. We had a developer ($USER) who was supposed
> to have access to just one subdirectory of /var/www.
>
> I took notes, assuming /etc, /root, and /usr have correct permissions:
>
> 1. A group named ssh_users was created. The $USER account was
> added as a member of this group.
>
> 2. The ssh_users group was granted the ability to traverse /var/www:
>
> setfacl -m group:ssh_users:--x /var/www
>
> This is necessary to allow the $USER user to chdir into its
> home directory in /var/www/$HIS_HOME_DIR.
>
> 3. A default ACL was set on /var/www which will apply to each new
> subdirectory created within it.
>
> setfacl -d --set u::rwx,g::rx,g:ssh_users:-,o::rx /var/www
>
> This prevents members of the ssh_users group from traversing any
> newly-created subdirectories of /var/www.
>
> 4. The default ACL described above was applied manually to each of
> the existing subdirectories of /var/www:
>
> setfacl -m g:ssh_users:- /var/www/*
>
> Warning: At the time of writing, there were no regular files in
> /var/www, so the above command makes sense. Don't blindly run it
> again without checking.
>
> 5. The $USER user was granted full read/write/traverse permissions
> on its home directory and all subdirectories/files contained
> therein:
>
> setfacl -R -m u:$USER:rwx /var/www/$HIS_HOME_DIR
>
> 6. At this point, we need to change the default ACLs of every
> directory within /var/www/$HIS_HOME_DIR. This is so that, when
> $USER creates a new file/directory somewhere beneath its home
> directory, it has access to the newly-created file or directory:
>
> setfacl -d -R --set u::rwx,u:$USER:rwx,g::rx,o::rx /var/www/$HIS_HOME_DIR
>
> This command sets the default ACL recursively, and is smart
> enough to only apply the command to directories.
Thanks for that. I haven't thought it all the way through, but if
Unix ownership and permissions aren't granular enough and subversion's
path-based authorization won't work, I will need to use ACLs. I think
both subversion's path-based authorization and Unix
ownership/permissions would be simpler to implement and maintain than
ACLs so I'm hoping it doesn't come to that.
- Grant
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-09-30 23:59 ` Grant
@ 2011-10-01 0:23 ` Michael Orlitzky
2011-10-01 23:46 ` Grant
0 siblings, 1 reply; 27+ messages in thread
From: Michael Orlitzky @ 2011-10-01 0:23 UTC
To: gentoo-user
On 09/30/2011 07:59 PM, Grant wrote:
>
> Thanks for that. I haven't thought it all the way through, but if
> Unix ownership and permissions aren't granular enough and subversion's
> path-based authorization won't work, I will need to use ACLs. I think
> both subversion's path-based authorization and Unix
> ownership/permissions would be simpler to implement and maintain than
> ACLs so I'm hoping it doesn't come to that.
>
ACLs really aren't as bad as they look at first. They work just like
permissions on Windows, which are one of the few things it does right.
My example is made much more difficult because /var/www contains
directories writable by other customers.
I know *my* config.php files are chgrp apache and chmod 660, but I don't
expect everyone else to be so careful (and they shouldn't have to be).
If you are going to go the version control route, I would suggest
setting up a new repository with only the code that he will be working
on. You can use a post-update script (or whatever svn calls them) on the
server to pull his code into production. He doesn't need to access the
files directly.
* Re: [gentoo-user] {OT} Development framework with access restriction?
2011-10-01 0:23 ` Michael Orlitzky
@ 2011-10-01 23:46 ` Grant
2011-10-02 19:04 ` Michael Orlitzky
0 siblings, 1 reply; 27+ messages in thread
From: Grant @ 2011-10-01 23:46 UTC
To: gentoo-user
>> Thanks for that. I haven't thought it all the way through, but if
>> Unix ownership and permissions aren't granular enough and subversion's
>> path-based authorization won't work, I will need to use ACLs. I think
>> both subversion's path-based authorization and Unix
>> ownership/permissions would be simpler to implement and maintain than
>> ACLs so I'm hoping it doesn't come to that.
>>
>
> ACLs really aren't as bad as they look at first. They work just like
> permissions on Windows, which are one of the few things it does right.
> My example is made much more difficult because /var/www contains
> directories writable by other customers.
>
> I know *my* config.php files are chgrp apache and chmod 660, but I don't
> expect everyone else to be so careful (and they shouldn't have to be).
>
> If you are going to go the version control route, I would suggest
> setting up a new repository with only the code that he will be working
> on. You can use a post-update script (or whatever svn calls them) on the
> server to pull his code into production. He doesn't need to access the
> files directly.
I think separate repositories would only be necessary when using
distributed version control (git) as opposed to centralized
(subversion). I think subversion's path-based authorization should
eliminate the need for separate repositories?
- Grant
* Re: [gentoo-user] {OT} Development framework with access restriction?
From: Michael Orlitzky @ 2011-10-02 19:04 UTC
To: gentoo-user
On 10/01/11 19:46, Grant wrote:
>
> I think separate repositories would only be necessary when using
> distributed version control (git) as opposed to centralized
> (subversion). I think subversion's path-based authorization should
> eliminate the need for separate repositories?
>
Separate repos aren't strictly necessary, but it's much harder to verify
your path permissions than it is to verify that your repositories are
separate.
The first involves config files and cascading information; the second
involves being able to count to two =)
* Re: [gentoo-user] {OT} Development framework with access restriction?
From: Grant @ 2011-10-03 21:54 UTC
To: gentoo-user
>> I think separate repositories would only be necessary when using
>> distributed version control (git) as opposed to centralized
>> (subversion). I think subversion's path-based authorization should
>> eliminate the need for separate repositories?
>>
>
> Separate repos aren't strictly necessary, but it's much harder to verify
> your path permissions than it is to verify that your repositories are
> separate.
>
> The first involves config files and cascading information; the second
> involves being able to count to two =)
Would multiple repos work in a scenario where different developers
have access to different stuff and some stuff should be accessible to
multiple devs? I don't think you want the same stuff in more than one
repo. It seems like managing multiple repos would get out of hand in
that sort of situation and I might be better off with config files and
a single repo.
- Grant
* Re: [gentoo-user] {OT} Development framework with access restriction?
From: Michael Mol @ 2011-10-03 22:00 UTC
To: gentoo-user
On Mon, Oct 3, 2011 at 5:54 PM, Grant <emailgrant@gmail.com> wrote:
>>> I think separate repositories would only be necessary when using
>>> distributed version control (git) as opposed to centralized
>>> (subversion). I think subversion's path-based authorization should
>>> eliminate the need for separate repositories?
>>>
>>
>> Separate repos aren't strictly necessary, but it's much harder to verify
>> your path permissions than it is to verify that your repositories are
>> separate.
>>
>> The first involves config files and cascading information; the second
>> involves being able to count to two =)
>
> Would multiple repos work in a scenario where different developers
> have access to different stuff and some stuff should be accessible to
> multiple devs? I don't think you want the same stuff in more than one
> repo. It seems like managing multiple repos would get out of hand in
> that sort of situation and I might be better off with config files and
> a single repo.
With SVN, you do have 'externals' available:
http://svnbook.red-bean.com/en/1.0/ch07s03.html
Where I work, externals are used for holding common code like large
libraries which are needed or useful to multiple projects.
--
:wq
* Re: [gentoo-user] {OT} Development framework with access restriction?
From: Michael Orlitzky @ 2011-10-04 4:25 UTC
To: gentoo-user
On 10/03/2011 05:54 PM, Grant wrote:
>
> Would multiple repos work in a scenario where different developers
> have access to different stuff and some stuff should be accessible to
> multiple devs? I don't think you want the same stuff in more than one
> repo. It seems like managing multiple repos would get out of hand in
> that sort of situation and I might be better off with config files and
> a single repo.
(for the tl;dr, see the last paragraph)

Subversion separates authentication and authorization:

http://svnbook.red-bean.com/en/1.6/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth

You'll hear security people say that a lot, but hopefully an example
makes the difference clear. I'll use Apache in my example, because
that's what we use, and I'm mostly sure I'm not talking out of my ass
this way =)

The "authentication" part is your usernames and passwords.
Authentication is proving who you are. Each developer has his own
username and password -- these only need to be stored once. When you go
the Apache route, Apache itself controls the authentication. In the
"website" definition, we have,

  # The SVN "root" which lists all repos, assuming you're allowed to do
  # that. This would be offered up as e.g. https://svn.example.org/
  #
  <Location />
    Allow from all
    DAV svn
    SVNParentPath /var/svn/repos
    SVNListParentPath on
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /var/svn/auth/svnusers
    Require valid-user
    SSLRequireSSL
  </Location>

  # Accessible via https://svn.example.org/repo1
  #
  <Location /repo1>
    Allow from all
    DAV svn
    AuthType Basic
    AuthName "Repository One"
    AuthUserFile /var/svn/auth/svnusers
    AuthzSVNAccessFile /var/svn/auth/authz-repo1
    Require valid-user
    SSLRequireSSL
  </Location>

  # Accessible via https://svn.example.org/repo2
  #
  <Location /repo2>
    Allow from all
    DAV svn
    AuthType Basic
    AuthName "Repository Two"
    AuthUserFile /var/svn/auth/svnusers
    AuthzSVNAccessFile /var/svn/auth/authz-repo2
    Require valid-user
    SSLRequireSSL
  </Location>

You'll notice that both repos (and the root) use the same AuthUserFile.
That's just an Apache 'htpasswd2' file with usernames and encrypted
passwords. Some of our developers have access to every repo, but they
still go in that file just once.

The "authorization" part defines what you're allowed to do once you've
authenticated (i.e. we know who you are). Apache calls this "authz" as
opposed to "auth" everywhere, and it is a subtle distinction that took me
embarrassingly long to realize.

Each Subversion repository can have its own AuthzSVNAccessFile, and that
format is specified somewhere in the Subversion book. Basically, you
list which users (from the AuthUserFile) can do what. In the example
above, the two repos use different authorization files, because our devs
have different permissions in repo1 than they do in repo2.

So, to answer your question: you separate your projects into
repositories logically, in whatever way makes sense. Then, you define
users and permissions to match that. The authentication and
authorization are flexible enough that you shouldn't have to duplicate
anything.
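
Added example, not part of the messages above and not code from Subversion or from anyone in the thread: a simplified Python model of how rules in a per-repository AuthzSVNAccessFile cascade from parent paths, which is the "config files and cascading information" that is harder to verify than counting repositories. The sample file, user names and paths are constructed; the model assumes matching lines within one section are combined, and it ignores nested groups, aliases and the repo: section prefix.

```python
import configparser

# Constructed authz file for one repository (sample data, not from the thread).
SAMPLE_AUTHZ = """
[groups]
staff = grant, michael
[/]
@staff = rw
* =
[/site]
freelancer = r
[/site/lib]
freelancer =
[/site/checkout.php]
freelancer = rw
"""

def load_authz(text):
    # Returns (groups, rules): group -> members, section path -> {who: perms}.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {m.strip() for m in v.split(",") if m.strip()}
                  for g, v in cp.items("groups")}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s.startswith("/")}
    return groups, rules

def effective_access(groups, rules, user, path):
    """Most specific section that mentions the user wins; parents are the fallback."""
    parts = [p for p in path.split("/") if p]
    while True:
        granted, matched = set(), False
        for who, perms in rules.get("/" + "/".join(parts), {}).items():
            if who in (user, "*") or (who.startswith("@")
                                      and user in groups.get(who[1:], ())):
                matched = True
                granted |= set(perms.strip())  # assumption: matching lines combine
        if matched:
            return "".join(c for c in "rw" if c in granted)
        if not parts:
            return ""  # nothing matched up to the root: no access
        parts.pop()

def audit(text, user, paths):
    groups, rules = load_authz(text)
    return {p: effective_access(groups, rules, user, p) for p in paths}

if __name__ == "__main__":
    paths = ["/config.php", "/site/index.php", "/site/lib/db.php", "/site/checkout.php"]
    print(audit(SAMPLE_AUTHZ, "freelancer", paths))
```

Run over every path in the repository, audit() shows that the constructed freelancer account can read everything under /site except /site/lib, not just the one file it can write, which is the kind of inherited grant that is easy to miss when reading the file by eye.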
* Re: [gentoo-user] {OT} Development framework with access restriction?
From: Jonas de Buhr @ 2011-09-27 12:19 UTC
To: gentoo-user
>I'd like to hire a freelancer to work on my website. I don't want to
>provide access to all of my code, but instead only the particular file
>or files being worked on. Does anyone know of a development framework
>that would help facilitate that sort of thing? Would no shell access
>along with restricted SFTP access be the simplest, safest, most
>effective way to go?
svn can restrict access to directories
http://stackoverflow.com/questions/2288810/how-to-restrict-svn-repository-user-account-to-one-directory
* Re: [gentoo-user] {OT} Development framework with access restriction?
From: Grant @ 2011-09-29 1:23 UTC
To: gentoo-user
>>I'd like to hire a freelancer to work on my website. I don't want to
>>provide access to all of my code, but instead only the particular file
>>or files being worked on. Does anyone know of a development framework
>>that would help facilitate that sort of thing? Would no shell access
>>along with restricted SFTP access be the simplest, safest, most
>>effective way to go?
>
> svn can restrict access to directories
>
> http://stackoverflow.com/questions/2288810/how-to-restrict-svn-repository-user-account-to-one-directory
That would be perfect if it allowed access per file instead of per
directory. I thought about re-arranging the layout to accommodate
that limitation but I don't think it makes sense.
- Grant
* Re: [gentoo-user] {OT} Development framework with access restriction?
From: Jonas de Buhr @ 2011-09-29 6:43 UTC
To: gentoo-user
>> svn can restrict access to directories
>>
>> http://stackoverflow.com/questions/2288810/how-to-restrict-svn-repository-user-account-to-one-directory
>
>That would be perfect if it allowed access per file instead of per
>directory. I thought about re-arranging the layout to accommodate
>that limitation but I don't think it makes sense.
do you not want him to change it or do you not want him to be able to
read your code?
if you do not want him to read your code i'm guessing that's because of
hardcoded DB-passwords etc?
move them into config files. or checkout a working copy and replace the
passwords with dummy strings.
if you just don't want him to change your code (or after you cleaned
out the things he is not allowed to read) you could import it into git,
have him clone the repository and make all his changes/developments.
then pull his changes and *carefully* observe the merge to make sure
nothing of your code gets changed.
* Re: [gentoo-user] {OT} Development framework with access restriction?
From: Grant @ 2011-09-30 23:50 UTC
To: gentoo-user
>>> svn can restrict access to directories
>>>
>>> http://stackoverflow.com/questions/2288810/how-to-restrict-svn-repository-user-account-to-one-directory
>>
>>That would be perfect if it allowed access per file instead of per
>>directory. I thought about re-arranging the layout to accommodate
>>that limitation but I don't think it makes sense.
After more research, I think subversion's path-based authorization
*does* in fact work with files and not just folders. This might be
the solution I've been looking for. I will report back on this after
more research.
> do you not want him to change it or do you not want him to be able to
> read your code?
I do not want him to be able to read or write any files except for the
specific file or files I want him to work on. This becomes
complicated because he needs to be able to test his changes in a
working version of the system as he goes. The files to be worked on
contain server-side website code all of which I don't want to give
away to the dev.
- Grant