gnu-arch-users

Re: [Gnu-arch-users] expert needed: arch doesn't support multi-committer


From: Ethan Benson
Subject: Re: [Gnu-arch-users] expert needed: arch doesn't support multi-committer archives!
Date: Mon, 6 Oct 2003 00:31:14 -0800
User-agent: Mutt/1.3.28i

On Mon, Oct 06, 2003 at 12:46:08AM -0700, Jonathan Walther wrote:
> 
> Can anyone recommend a change to arch that will let it conform to your
> security policy by default?

looks like this can be solved by getting arch to set the right umask.
quite easy really.

> For instance, I would like the following policy for files and
> directories:
> 
> drwxrwsr-x user group dir/
> -r--r--r-- user group file
> 
> The reason I don't specify -rw-rw-r-- is that all the files I can see in
> the repository are not intended to be modified, EVER.
> 
> Remember the original 4 scenarios I specified?  Here are the policies
> that would work out well for them:
> 
> 1) single user makes commits, project group members can do checkouts.
> drwxr-s--- user group dir/
> -r--r----- user group file

umask 0027

> 2) single user makes commits, everyone else can do checkouts.
> drwxr-sr-x user group dir/
> -r--r--r-- user group file

umask 0022

> 3) project group does commits, no one else can do checkouts.
> drwxrws--- user group dir/
> -r--r----- user group file

umask 0007

> 4) project group does commits, everyone else can do checkouts.
> drwxrwsr-- user group dir/
> -r--r--r-- user group file

umask 0002

> 5) everyone can do commits, everyone can do checkouts.
> drwxrwsrwx user group dir/
> -r--r--r-- user group file

umask 0000

> 6) single user makes commits, no one else can do checkouts.
> drwx--s--- user group dir/
> -r-------- user group file

umask 0077

> sftp DOES have a umask command built in, so arch can set the permissions
> to whatever the sftp user-login has the ability to.
> 
> So how can we tell arch about these policies?

well either a =meta-info/=umask file, or it can stat the top level
directory (say the cat--branch--version directory) and set a umask
to match the permissions it has set.

something along the lines of:

stat(branchdir, &st);

mask = 0077;

if (st.st_mode & (S_IROTH|S_IXOTH))
        mask &= ~(S_IROTH|S_IXOTH);
if (st.st_mode & S_IWOTH)
        mask &= ~S_IWOTH;
if (st.st_mode & (S_IRGRP|S_IXGRP))
        mask &= ~(S_IRGRP|S_IXGRP);
if (st.st_mode & S_IWGRP)
        mask &= ~S_IWGRP;

umask(mask);

i wrote a small test program to this effect and it seems to do the
right thing for the cases you specify:

new umask=0000
drwxrwsrwx    2 eb       eb              6 Oct  6 00:23 ,allall
new umask=0002
drwxrwsr-x    2 eb       eb              6 Oct  6 00:23 ,groupall
new umask=0007
drwxrws---    2 eb       eb              6 Oct  6 00:23 ,grouponly
new umask=0022
drwxr-xr-x    2 eb       eb              6 Oct  6 00:23 ,singleall
new umask=0027
drwxr-s---    2 eb       eb              6 Oct  6 00:24 ,singlegroup
new umask=0077
drwx--S---    2 eb       eb              6 Oct  6 00:24 ,singleonly

> How can I make my setup secure without going through contortions?
> I will not change my regular umask, but I am ok with arch changing the
> umask from inside the sftp session, for the duration of the session.

modify tla to set the umask before writing files.

> Xouvert needs to allow group members to make commits to an archive
> without giving the whole world enough access to ruin the
> ++revision-lock.

should be doable.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
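
The stat-then-umask approach from the message above, written out as a complete program. This is an added example, not part of the original post and not tla code; the function names `umask_for_mode` and `umask_from_dir` are hypothetical, and the modes in `main` are constructed from the six policies in the thread. It also checks the `stat()` result, so a missing or non-directory path leaves the current umask unchanged.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Map a directory mode to the umask that reproduces its group/other
 * access on newly created entries (same bit tests as the sketch above). */
mode_t umask_for_mode(mode_t dir_mode)
{
    mode_t mask = 0077;                 /* start closed: owner only */

    if (dir_mode & (S_IROTH | S_IXOTH))
        mask &= ~(S_IROTH | S_IXOTH);
    if (dir_mode & S_IWOTH)
        mask &= ~S_IWOTH;
    if (dir_mode & (S_IRGRP | S_IXGRP))
        mask &= ~(S_IRGRP | S_IXGRP);
    if (dir_mode & S_IWGRP)
        mask &= ~S_IWGRP;
    return mask;
}

/* stat() the directory and set the process umask from its mode.
 * Returns 0 and stores the previous umask in *old, or -1 (umask left
 * untouched) if the path cannot be stat'ed or is not a directory. */
int umask_from_dir(const char *dir, mode_t *old)
{
    struct stat st;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    *old = umask(umask_for_mode(st.st_mode));
    return 0;
}

int main(void)
{
    /* constructed sample modes: the six policies discussed in the thread */
    static const mode_t modes[] = { 02777, 02775, 02770, 0755, 02750, 02700 };
    size_t i;

    for (i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        mode_t m = umask_for_mode(modes[i]);
        /* effect on a file requested as 0444 and a subdirectory as 0777 */
        printf("dir %05o -> umask %04o, file %04o, subdir %04o\n",
               (unsigned)modes[i], (unsigned)m,
               (unsigned)(0444 & ~m), (unsigned)(0777 & ~m));
    }
    return 0;
}
```

The umask is process-wide, so a caller that only wants it in effect while writing to the archive should restore the value returned in `*old` afterwards.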
