Re: [gentoo-user] {OT} Development framework with access restriction?

[Grant <emailgrant@gmail.com>]

>>> For some reason I thought SFTP would provide access control but now
>>> I'm thinking it's just like SSH in that access control is based on
>>> file ownership and permissions?  If that's the case, can anyone think
>>> of a better way to control remote access to my files than chmod/chown?
>>
>> ACLs.
>>
>
> We went this route once too. We had a developer ($USER) who was supposed
> to have access to just one subdirectory of /var/www.
>
> I took notes, assuming /etc, /root, and /usr have correct permissions:
>
>   1. A group named ssh_users was created. The $USER account was
>      added as a member of this group.
>
>   2. The ssh_users group was granted the ability to traverse /var/www:
>
>      setfacl -m group:ssh_users:--x /var/www
>
>      This is necessary to allow the $USER user to chdir into its
>      home directory in /var/www/$HIS_HOME_DIR.
>
>   3. A default ACL was set on /var/www which will apply to each new
>      subdirectory created within it.
>
>      setfacl -d --set u::rwx,g::rx,g:ssh_users:-,o::rx /var/www
>
>      This prevents members of the ssh_users group from traversing any
>      newly-created subdirectories of /var/www.
>
>   4. The default ACL described above was applied manually to each of
>      the existing subdirectories of /var/www:
>
>      setfacl -m g:ssh_users:- /var/www/*
>
>      Warning: At the time of writing, there were no regular files in
>      /var/www, so the above command makes sense. Don't blindly run it
>      again without checking.
>
>   5. The $USER user was granted full read/write/traverse permissions
>      on its home directory and all subdirectories/files contained
>      therein:
>
>      setfacl -R -m u:$USER:rwx /var/www/$HIS_HOME_DIR
>
>   6. At this point, we need to change the default ACLs of every
>      directory within /var/www/$HIS_HOME_DIR. This is so that, when
>      $USER creates a new file/directory somewhere beneath its home
>      directory, it has access to the newly-created file or directory:
>
>      setfacl -d -R --set u::rwx,u:$USER:rwx,g::rx,o::rx /var/www
>      /$HIS_HOME_DIR
>
>      This command sets the default ACL recursively, and is smart
>      enough to only apply the command to directories.

Thanks for that.  I haven't thought it all the way through, but if
Unix ownership and permissions aren't granular enough and subversion's
path-based authorization won't work, I will need to use ACLs.  I think
both subversion's path-based authorization and Unix
ownership/permissions would be simpler to implement and maintain than
ACLs so I'm hoping it doesn't come to that.

- Grant