RE: svn commit: rev 3010 - trunk/notes

From: Bill Tutt <rassilon_at_lyra.org>
Date: 2002-08-22 09:41:12 CEST

Commentary on entire proposal:
Trying to mesh Subversion ACL behavior into OS-specific and indeed
WC-specific visible behavior just seems wrong. Subversion's ACL system
should be about securing SCM operations, not defining the assigned ACEs
of the generated files in the working copy.

Specific commentary on bits and pieces of the idea follows.

Bill

> From: jerenkrantz@tigris.org [mailto:jerenkrantz@tigris.org]
> Win32 permissions:
> +Summary: Access Control Lists (ACL) containing multiple Access
Control
> + Entries (ACE)
> +
[...]
> +
> +See:
> + http://www.netapp.com/tech_library/3079.html
> + http://world.std.com/~jimf/papers/nt-security/nt-security.html
> +

This is no longer accurate. Life got much more complex in Windows 2000.
See:
http://msdn.microsoft.com/library/en-us/security/security/order_of_aces_in_a_dacl.asp?frame=true

In fact the DeltaV ACL model maps very closely to what Windows 2000
supports. (Big surprise there...)
See http://www.webdav.org/acl/

Additionally, naively searching a list of ACEs for a denying ACE, and
then searching for allowing ACEs, doesn't actually happen. The ACEs are
applied exactly in order.

NT4 has a different preferred order than Win2k+.

> +Proposal:
> +
> +Mimic ACEs in Subversion by defining a combination of the following
> values
> +per file or directory:
> + Read
> + Write
> + Execute
> + Delete
[.....]
Ick. See what I mean by complicated? If we were to define ACEs for
Subversion there would be a bunch more possible operations anyway.

e.g.:
Subversion_LogMessage_Change
Etc...

> +Question: How do we define groups since they are server-side?
> + (Must define the group somewhere - perhaps walk up tree at
each
> + directory looking for a group definition mechanism.)
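Review bot: The group-definition answer ("walk up tree at each directory looking for a group definition mechanism") does not say which definition wins when more than one ancestor directory defines the same group name, or which of the listed rights controls editing a definition. Every entry that names the group would change meaning with that lookup, so the note should state the precedence rule and who may change a group definition.
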
Ick. We don't walk up directory trees. :)

[.....]
> +Question: How do we resolve unknown/unrecognized users?
> + (Define a special user/group name as catch-all.)
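Review bot: The catch-all answer for unknown/unrecognized users ("Define a special user/group name as catch-all") leaves open what happens when no entry matches at all, and whether the catch-all covers unauthenticated requests or only authenticated users without an entry of their own. Suggest stating both, with "no matching entry" meaning no access.
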
That would be the other/Everyone access rights.

> +Question: Should we inherit recursive nature of Win32 ACLs?
> + (First guess, yes, but may not be desired due to
performance.)
Win32 ACLs are no longer necessarily inheritable. See the MSDN URL above
for how complicated it became. The DeltaV ACL model lets us tell our
clients if things are inheritable or not, so we can change our mind over
time. ;)

> +Question: Should everyone ACL apply to o field in Unix?
> + (Perhaps.)
Assuming this work actually happened, yes, clearly. The o field in Unix
isn't "Authenticated users only" traditionally. It's "everybody".

Win32, and other securable/distributable filesystems &/or security
models do have a concept of "Authenticated User" being different from an
"Everyone".

I know at least AFS has such a thing. (Although IIRC, it's slightly more
complicated and allowed the equivalent of being able to specify
"NTDomain\AuthenticatedUser". I don't know if Win32 lets you do that or
not. I'd imagine Win2k+ might.)

[....]
> +Question: What about sticky bits?
> + (Does Win32 have this concept?)
No, Win32 has nothing like sticky bits.

Bill
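
The in-order ACE evaluation described in the reply above, contrasted with the deny-first search it says does not happen, as an added example (not part of the original mail or of Subversion's code). It is a simplified model; the principals, right bits and sample lists are constructed for illustration.

```python
from typing import NamedTuple

READ, WRITE = 0x1, 0x2  # constructed right bits, not real Win32 access masks

class Ace(NamedTuple):
    allow: bool      # True = access-allowed entry, False = access-denied entry
    principal: str   # user or group the entry names
    mask: int        # rights the entry allows or denies

def check_in_order(dacl, principals, desired):
    """Walk the list once, top to bottom; the first decisive entry wins."""
    remaining = desired
    for ace in dacl:
        if ace.principal not in principals:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True       # everything requested has been granted
        elif ace.mask & remaining:
            return False          # a still-ungranted right is denied
    return False                  # end of list: implicit deny

def check_deny_first(dacl, principals, desired):
    """The naive model: any matching deny wins, wherever it sits in the list."""
    mine = [a for a in dacl if a.principal in principals]
    if any(not a.allow and a.mask & desired for a in mine):
        return False
    granted = 0
    for a in mine:
        if a.allow:
            granted |= a.mask
    return granted & desired == desired

# Constructed sample: alice is a member of staff.
ALICE = {"alice", "staff"}
ALLOW_THEN_DENY = [Ace(True, "alice", READ | WRITE), Ace(False, "staff", WRITE)]
DENY_THEN_ALLOW = list(reversed(ALLOW_THEN_DENY))

if __name__ == "__main__":
    for name, dacl in (("allow, deny", ALLOW_THEN_DENY), ("deny, allow", DENY_THEN_ALLOW)):
        print(name, check_in_order(dacl, ALICE, WRITE), check_deny_first(dacl, ALICE, WRITE))
```

The two models disagree only on the list where the allow entry precedes the deny entry, which is why the order in which entries are stored is part of the policy.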

Received on Thu Aug 22 12:00:39 2002

This is an archived mail posted to the Subversion Dev mailing list.
