RE: Granting full access to a directory, readonly access to path to directory, deny access to rest of tree?

From: Bob Archer <Bob.Archer_at_amsi.com>
Date: Thu, 5 Aug 2010 12:26:47 -0400

> Suppose I have a bunch of projects, and I want to grant full access
> to a group, but no access to anything else. Please don't call me
> anti-social.
>
> /trunk/proja
> /trunk/projb
> /trunk/projc
>
> I want to grant full access to proja to groupa, but no access to
> the others. How can I do this?
>
> [repo:/]
> @groupa = r
> @others = rw
>
> [repo:/trunk/proja]
> @groupa = rw
>
> [repo:/trunk/projb]
> @groupa =
>
> [repo:/trunk/projc]
> @groupa =
>
> However, this does not scale well. When I add projd, I need to
> make sure that I remove access (@groupa=;) for all the groups that
> should not have access. That is, I am practicing negative access
> control (deny access), which is error prone.
>
> Is there a way for the permissions to not be recursive, so that I
> could grant @groupa access to / without it applying to /**?
>
> We could reorg the repo (/trunk/secret and /trunk/groupa), but that
> seems like the tail wagging the dog (security issues dictating repo
> layout).
>

How about something like:

[repo:/]
@groupa =
@others = rw

[repo:/trunk/proja]
@groupa = rw

This way groupa has no rights to root... and rw to /trunk/proja.

I'm pretty sure this works... although there was a bug with the group being able to create a branch in their allowed path if they didn't have read access to root. However, I think this was fixed in a recent version .10 or newer perhaps. You can check the change logs.

If other are everyone else I think you can even do:

[repo:/]
@groupa =
* = rw

[repo:/trunk/proja]
@groupa = rw

But, not sure, you would have to test.

BOb
Received on 2010-08-05 18:27:28 CEST

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]