Re: (Default) Group permissions

On 06/30/2013 09:12 PM, Andrew Sullivan wrote:
>
> If you want "easy", then just give different databases per user.  If
> you want complicated, you need an administrator; yes, that needs to be
> in some sense under the control of the host.  We have roughly 40 years
> of experience with these things, and the evidence is that
> "comprehensive but easy" is either badly insecure or very hard to
> operate well.  Which trade do you want to make?
>

This is a false, er, trichotomy? The requirements I listed aren't very
hard to meet. Here's how you do it for a directory on the filesystem
(why do I get the feeling nobody is going to check out the repo):

  # Admins can do anything.
  setfacl    -m group:admins:rwx *-project
  setfacl -d -m group:admins:rwx *-project

  # The customer's developers can access their own projects.
  setfacl    -m group:customer-devs:rwx customer-project
  setfacl -d -m group:customer-devs:rwx customer-project

  # The anonymous user can only read things.
  setfacl    -m user:anonymous:rx customer-project
  setfacl -d -m user:anonymous:rx customer-project

This will work for eternity, and is perfectly secure. "Easy" is
relative, but it's easy for me, and I only have to do it once, so who
cares. I have find/xargs scripts that do the hard part for me.