[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svn commit: rev 3010 - trunk/notes

From: Justin Erenkrantz <jerenkrantz_at_apache.org>
Date: 2002-08-22 18:56:48 CEST

On Thu, Aug 22, 2002 at 12:41:12AM -0700, Bill Tutt wrote:
> Commentary on entire proposal:
> Trying to mesh Subversion ACL behavior into OS specific and indeed WC
> specific visible behavior just seems wrong. Subversion's ACL system
> should be about securing SCM operations not defining the assigned ACEs
> of the generated files in the working copy.

My question back to you is why shouldn't it? If I can't modify
the file on the repository, why should I (by default) be able to
modify the file locally?

(Yes, this is about smashing preconceptions here. We could provide
an opt-out in the client config if they wanted to set everything to
APR_OS_DEFAULT rather than intelligently setting the attributes. Or,
make it opt-in - I don't care.)

> This is no longer accurate. Life got much more complex in Windows 2000.
> See:
> http://msdn.microsoft.com/library/en-us/security/security/order_of_aces_
> in_a_dacl.asp?frame=true

Well, the last time I used a Windows box was about two years ago.
But, the key concept seems the same.

> In fact the DeltaV ACL model maps very closely to what Windows 2000
> supports. (Big surprise there...)
> See http://www.webdav.org/acl/

Ah, yes, I forgot about DeltaV's ACL (prolly because no one is using
it yet). Yeah, so let's expand what I was saying for the SVN ACL
side to at least encompass a DeltaV ACL implementation.

Fair enough? That just seems to mean that properties are now
explicitly controlled.

> Additionally, naively searching an list of ACEs for denying ACE, and
> then searching for allowing ACEs doesn't actually happens. The ACEs are
> applied exactly in order.

Right. As was pointed out in several lists, that seemed to be a flaw
in NT's security model. I wouldn't need to see that 'feature'
replicated in SVN if we implemented ACLs.

Specifically, we'd want: DAV:specific-deny-overrides-grant.

> Ick. See what I mean by complicated? If we were to define ACEs for
> Subversion there would be a bunch more possible operations anyway.
> e.g.:
> Subversion_LogMessage_Change
> Etc...

Do we really need or want this level of specificity? Hmm.
Subversion's log doesn't quite fit anywhere, so perhaps, that gets a
repository-wide ACE? (Doesn't seem that DeltaV ACL has this

> > +Question: How do we define groups since they are server-side?
> > + (Must define the group somewhere - perhaps walk up tree at
> each
> > + directory looking for a group definition mechanism.)
> Ick. We don't walk up directory trees. :)

As I said somewhere later on, maybe not.

But, it looks like this is how DAV:group-membership is defined
(indirect reference). -- justin

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Aug 22 18:57:24 2002

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.