On Thu, Sep 04, 2003 at 09:57:03PM -0500, B. W. Fitzpatrick wrote:
>
> Marc Singer <elf@buici.com> writes:
> > 1) Obviously, a permissions check, if there is one, belongs in the
> > filesystem driver.
> >
> > 2) The cost of the check is minimal. Stat'ing a dozen files is cheap
> > because the OS caches the data. Subsequent access by BDB will open
> > the same files using the cached data.
> >
> > 3) The expense of not performing it is kinda high when we see how
> > often permissions problems plague users. If Subversion isn't easy
> > to use then it won't be used. Admonishing people for failing to
> > read the documentation is a poor sales pitch.
> >
> > 4) AFAICT, there is no fix to be made in svnadmin because this isn't
> > really a setup issue. People change the way that they use
> > their repositories. Sometimes that new behavior, while valid in
> > concept, isn't well executed. It would be *way* helpful if the
> > program let the user know more explicitly what the problem is.
> >
> > The HACKING guide suggests to me that the project bears the value of
> > sturdy design:
> >
> > Input validation is the act of defining legal input and rejecting
> > everything else. The code must perform input validation on all
> > untrusted input.
> >
> > I asked the question to see if this has come up before. It appears
> > that it hasn't.
>
> Actually, I believe that it has, and it was rejected because there is no
> logical mapping between UNIX fs permissions and Windows fs ACLs. I
> recall the consensus being that it wasn't worth it to stuff in a whole
> bunch of platform specific hoo-ha to accommodate this buglet.

That isn't the kind of permissions check I'm talking about.
The BDB backend is a process running within the context of a user, no
matter what operating system this happens to execute on. If the privilege of
that user is insufficient to write to the database, any operations on
the repository will fail. We can check for this kind of failure.
Moreover, we can check for a privilege failure where the user can
access some files/directories but not all of them. Should the user be
running on Windows and this check is difficult to make, then oh well,
we don't do it. In this case, there is no privilege 'mapping' to be
done.
Cheers.
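The pre-flight check discussed above, as an added example that is not Subversion's code: it stats every entry under a repository's db directory, compares the mode bits against the effective uid/gid, and distinguishes the "some files inaccessible" (mixed ownership) case from the "nothing accessible" (wrong user) case. It assumes a POSIX system; the db directory and its file names in demo() are a constructed fixture.

```python
import os
import stat
import tempfile

def _missing_access(st, uid, gid):
    """Return the subset of ['read', 'write'] the uid/gid lacks on entry st.
    Uses mode bits (not os.access) so the result does not change if the
    process happens to run as root."""
    if st.st_uid == uid:
        rbit, wbit = stat.S_IRUSR, stat.S_IWUSR
    elif st.st_gid == gid or st.st_gid in os.getgroups():
        rbit, wbit = stat.S_IRGRP, stat.S_IWGRP
    else:
        rbit, wbit = stat.S_IROTH, stat.S_IWOTH
    return [name for name, bit in (("read", rbit), ("write", wbit))
            if not st.st_mode & bit]

def check_repo_permissions(db_dir):
    """Stat every entry under db_dir and return (status, problems).
    problems maps path -> missing rights; status is 'ok', 'partial' (some
    entries inaccessible: the mixed-ownership case from the thread) or
    'none' (every entry inaccessible: wrong user altogether)."""
    uid, gid = os.geteuid(), os.getegid()
    problems, total = {}, 0
    for root, dirs, files in os.walk(db_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            total += 1
            missing = _missing_access(os.lstat(path), uid, gid)
            if missing:
                problems[path] = missing
    if not problems:
        return "ok", problems
    return ("none" if len(problems) == total else "partial"), problems

def demo():
    """Constructed fixture: a throwaway db directory whose file names are
    placeholders (not real BDB tables), with one file made read-only."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "db")
        os.mkdir(db)
        for name in ("changes", "nodes", "strings"):
            with open(os.path.join(db, name), "w") as fh:
                fh.write("placeholder, not real BDB data\n")
        os.chmod(os.path.join(db, "changes"), 0o444)  # owner loses write
        status, problems = check_repo_permissions(db)
        os.chmod(os.path.join(db, "changes"), 0o644)  # restore for cleanup
        return status, {os.path.basename(p): m for p, m in problems.items()}
```

Running demo() on the fixture reports the single read-only file as lacking write access and classifies the repository as 'partial', which is the message the thread wants shown to the user before BDB fails on open.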
Received on Fri Sep 5 17:20:33 2003