[Gnu-arch-users] XOuvert vs. Savannah


From: Tom Lord
Subject: [Gnu-arch-users] XOuvert vs. Savannah
Date: Mon, 13 Oct 2003 08:07:09 -0700 (PDT)


The spark that led to the current conflagration about access controls
was, as I understand it, a very simple question which I will paraphrase
this way:

Q: I would like to host XOuvert on Savannah.  With the default umask
   setting on Savannah, an arch archive with multiple writers will not
   function properly.  We are unable to reliably and rapidly make
   admin-level changes to the configuration of Savannah and a
   reasonable presumption is that we need a purely client-side
   work-around for this problem.  What can we do to rapidly solve
   this problem and get a multi-writer archive up and running?  (One
   idea we had was to add code in tla to set the umask when using sftp
   protocol.)


I have taken a look at how accounts on Savannah function.  There
appears to be a trivial, short-term work-around available in that
environment with these virtues:

* requires no changes to tla

* requires no administrative work of the savannah-hackers

* solves the immediate problem

* gives the XOuvert project a simple means to enable and disable
  write access to the archive on-the-fly, without a need for
  administrative work by the savannah-hackers

The solution relies on the way that sftp access works on Savannah:

Authentication for sftp purposes uses a registered SSH shared key.  
A given account may have more than a single key registered.

Authentication for the purpose of SSH key registration uses a
web account password.

It therefore appears that the immediate problem can be solved by:

1) Creating a savannah user account "xouvertwriter".   This user
   will be used for all writes to the archive.

2) Registering an SSH shared key for "xouvertwriter" for each 
   user being granted write access.

This solution can only be regarded as a temporary one, certainly.
Its primary vices are:

a) The owner of the xouvertwriter account is then responsible for
   the use of registered ssh keys held by others.

b) Savannah will not have an accurate record associating registered
   ssh keys with the external email address of the people using them.
   All of the xouvertwriter keys will be associated with a single 
   address: the owner of the xouvertwriter account.

Nevertheless, under the rather extraordinary constraints that define
the problem (the need for a rapid solution that involves making no
server-side changes), and making the presumption that Xouvert write
access will not be handed out casually, this is a reasonable temporary
solution, giving us more time to design a lasting solution without
having to delay creation of a Xouvert repository.

-t
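
An added example, not part of the original message: vice (b) above means the project itself has to keep the record of who holds each key registered for "xouvertwriter". The sketch assumes the account owner can export those keys in OpenSSH authorized_keys format and keeps a roster mapping key fingerprint to email address; the roster, key blobs and addresses below are constructed.

```python
import base64
import hashlib

# Key-type tokens that mark where the key starts in an authorized_keys line.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (fingerprint, comment) per key line, skipping any options prefix."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                yield fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
                break

def audit(authorized_keys_text, roster):
    """Return (known, unknown, stale): keys attributed to a person, keys nobody
    has claimed, and roster emails whose key is no longer registered."""
    present = dict(parse_authorized_keys(authorized_keys_text))
    known = {fp: roster[fp] for fp in present if fp in roster}
    unknown = sorted(fp for fp in present if fp not in roster)
    stale = sorted(mail for fp, mail in roster.items() if fp not in present)
    return known, unknown, stale

# Constructed sample data: these blobs are placeholders, not real SSH keys.
def _blob(label):
    return base64.b64encode(label.encode()).decode()

ALICE, BOB, CAROL = _blob("alice-key"), _blob("bob-key"), _blob("carol-key")
SAMPLE_KEYS = (
    "# keys registered for xouvertwriter (constructed sample)\n"
    f"ssh-rsa {ALICE} alice laptop\n"
    f"no-pty,no-port-forwarding ssh-dss {BOB}\n"
)
SAMPLE_ROSTER = {fingerprint(ALICE): "alice@example.org",
                 fingerprint(CAROL): "carol@example.org"}

if __name__ == "__main__":
    print(audit(SAMPLE_KEYS, SAMPLE_ROSTER))
```

A non-empty second element is a registered key with no named holder; a non-empty third is a person whose write access has already been removed.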