Re: Repository "other" read access
From: Rahul
Subject: Re: Repository "other" read access
Date: 15 Feb 2006 10:31:45 -0800
User-agent: G2/0.2

Stas -
Here are some best practices using WANdisco for CVS Enterprise Edition for security.

You can get away from mucking with file level permissions for controlling read access. You can set up an extremely secure server installation as follows:

1. Set up /cvs permissions for a single cvs-server account 'cvsd'. For example:

    drwx------ 4 cvsd cvsd /cvs
    drwx------ 4 cvsd cvsd /cvs/project
    drwx------ 4 cvsd cvsd /cvs/project2

So now the repository cannot be written or read by anyone other than 'cvsd'.

2. Using the WANdisco WebUI, set up role based access control to map roles/sub-groups to specific projects. For instance you could define a role, project2Engineering, and then have project2Engineering set up with list/read/write access to /cvs/project2. If project2Engineering maps to an LDAP/NIS/Active Directory group, you can import user-group associations into the WANdisco security database via the WebUI. This allows you to scale to a large number of users easily. If a user migrates to another project (say /cvs/project) you can go to the WebUI and with a couple of clicks map them to a different role/group. If later you want to restrict access to a specific branch, you can edit the ACL and specify a branch or a branch pattern (full Perl style regular expression). This works with SSH or Pserver access to the repository.

3. By default everyone is denied, so unless you explicitly give access to /cvs/project, the project2Engineering role/sub-group will not have access to /cvs/project.

4. All access (with the client's IP address) gets logged into an audit database that can be configured with a SQL backend.

5. If you have a multisite CVS setup, then all the security policies can be configured to automatically replicate to other sites when you make changes to them, so you don't have to worry about setting up file permissions at all the sites to be in sync.

Also take a look at the CVS FAQ -
http://ximbiot.com/cvs/wiki/index.php?title=CVS_FAQ#How_do_I_control_list_or_read_access_within_the_repository.3F
Regards,
Rahul Bhargava
WANdisco, Inc
http://www.wandisco.com
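
A check for step 1 of the message above, as an added example that is not part of the original post and not WANdisco code: it walks a repository root and reports any directory that is not owned by the server account or that is looser than `drwx------`. The function name `audit_cvs_root` is hypothetical, and only directories are checked, matching the listing in the post.

```shell
#!/bin/sh
# Added example (not from the original message): audit step 1 of the post.
# audit_cvs_root <repo_root> <owner>
#   <owner> is a user name or numeric uid; the post uses the account 'cvsd'.
# Prints each directory under <repo_root> that is not owned by <owner> or
# that grants any group/other permission bit (i.e. is looser than drwx------).
# Returns 0 if the tree is clean, 1 if anything was printed, 2 on error.
audit_cvs_root() {
    root=$1
    owner=$2
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # find exits non-zero for an unknown user name or an unreadable
    # subdirectory; treat that as an error, never as a clean result.
    bad=$(find "$root" -type d \( ! -user "$owner" \
            -o -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print) || {
        echo "find failed under $root (unknown owner or unreadable dir?)" >&2
        return 2
    }
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Run as root or as the repository account, e.g.: sh audit.sh /cvs cvsd
if [ $# -ge 2 ]; then
    audit_cvs_root "$1" "$2"
fi
```

Running it from cron and alerting on a non-zero exit catches permission drift after restores or manual repository surgery.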