On 06/30/2013 09:12 PM, Andrew Sullivan wrote:
>
> If you want "easy", then just give different databases per user. If
> you want complicated, you need an administrator; yes, that needs to be
> in some sense under the control of the host. We have roughly 40 years
> of experience with these things, and the evidence is that
> "comprehensive but easy" is either badly insecure or very hard to
> operate well. Which trade do you want to make?
>
This is a false, er, trichotomy? The requirements I listed aren't very
hard to meet. Here's how you do it for a directory on the filesystem
(why do I get the feeling nobody is going to check out the repo):
# Admins can do anything.
setfacl -m group:admins:rwx *-project
setfacl -d -m group:admins:rwx *-project
# The customer's developers can access their own projects.
setfacl -m group:customer-devs:rwx customer-project
setfacl -d -m group:customer-devs:rwx customer-project
# The anonymous user can only read things.
setfacl -m user:anonymous:rx customer-project
setfacl -d -m user:anonymous:rx customer-project
This will work for eternity, and is perfectly secure. "Easy" is
relative, but it's easy for me, and I only have to do it once, so who
cares. I have find/xargs scripts that do the hard part for me.