
Re: authz: what has precedence when user is multiply referenced for a particular path?

From: Jeb <jeb.beasley_at_penske.com>
Date: 2006-05-19 13:55:23 CEST

Lieven,

I think that is contrary to most interpretations of best practice for
security models. The most severe restriction should apply. This is the way
most OSs and databases interpret multiple access rights paths. I
realise they probably did this for efficiency, but I feel it should be
changed to act on the most restrictive.

Jeb Beasley

Lieven Govaerts wrote:

>Quoting "B. Smith-Mannschott" <benpsm@gmail.com>:
>
>
>
>>Respectfully, no, ... it isn't.
>>
>>[paint:/projects/paint]
>>@paint-developers = rw
>>jane = r
>>
>>Since "jane" is also a member of paint-developers, does she have
>>read-only or read-write permission? Which takes precedence? The more
>>permissive? The more restrictive? The first? The last? This should
>>be clarified.
>>
>>
>
>Hi Ben,
>
>I think you're right in that it should be clarified.
>
>If you'd like to have more detailed information on some topics, you can look at
>the Python tests of authorization. They're not complete yet, but we're working
>on that:
>http://svn.collab.net/repos/svn/trunk/subversion/tests/cmdline/authz_tests.py
>
>To answer your specific question, I found that once you grant the user a right
>(@paint-developers=rw), you can't remove that right on the next line (jane=r).
>In fact, Subversion just parses the first line, sees that jane has rw
>rights through the paint-developers group and just stops parsing.
>
>Hope this helps,
>
>Lieven.
Received on Fri May 19 13:56:53 2006
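
The four candidate rules raised in the thread (first, last, more permissive, more restrictive), applied to the quoted section, as an added example that is not part of the original messages and not Subversion's own code. The `[groups]` entry and all function names are constructed for illustration, and the model treats an unmatched user as having no access.

```python
# Added example: a model of the precedence rules raised in the thread,
# not Subversion's implementation. The [groups] entry is constructed.
AUTHZ = """\
[groups]
paint-developers = jane, harry

[paint:/projects/paint]
@paint-developers = rw
jane = r
"""
RANK = {"": 0, "r": 1, "rw": 2}  # empty value means no access

def parse(text):
    """Return {section: [(name, value), ...]}, keeping file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line and not line.startswith("#"):
            name, value = (p.strip() for p in line.split("=", 1))
            current.append((name, value))
    return sections

def matching_rights(sections, section, user):
    """Values of every line in the section that applies to user, in order."""
    groups = {g: {m.strip() for m in members.split(",")}
              for g, members in sections.get("groups", [])}
    return [value for name, value in sections.get(section, [])
            if name in (user, "*")
            or (name.startswith("@") and user in groups.get(name[1:], ()))]

def resolve(rights, rule):
    """Pick one value under rule: first, last, permissive or restrictive."""
    if not rights:
        return ""
    if rule in ("first", "last"):
        return rights[0 if rule == "first" else -1]
    pick = max if rule == "permissive" else min
    return pick(rights, key=RANK.__getitem__)

def compare(text, section, user):
    """Effective access for user under each candidate rule."""
    rights = matching_rights(parse(text), section, user)
    return {rule: resolve(rights, rule)
            for rule in ("first", "last", "permissive", "restrictive")}

if __name__ == "__main__":
    print(compare(AUTHZ, "paint:/projects/paint", "jane"))
```

Swapping the two lines in the section changes jane's result only under the first and last rules; the permissive and restrictive rules are independent of line order.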

This is an archived mail posted to the Subversion Users mailing list.
