You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Matthias Fechner <id...@fechner.net> on 2008/05/31 21:28:32 UTC
File Permissions
Hi,
is their a possibility to store the permissions to files stored in the
repository?
The background is I would like to have all my config files in a
repository and some files their need special permissions like ssh keys.
Thx,
Matthias
--
"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Matthias Fechner <id...@fechner.net>.
Hi Marc,
Marc Haisenko wrote:
> Yes, on http://subversion.tigris.org/tools_contrib.html I found "asvn"
> (http://svn.collab.net/repos/svn/trunk/contrib/client-side/asvn).
thanks a lot for your answer, that asvn will do exactly what I need.
I tried it now on my mac to verify that it works fine.
But if I do a asvn up I got:
asvn up
At revision 2.
this is the post checkout process
find: !: no following expression
find: -printf: unknown option
It seems that the script need gnu-find to work fine. I will try it this
weekend on a FreeBSD PC and on a linux PC to test if it works there.
Bye,
Matthias
--
"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Vincent Lefevre <vi...@vinc17.org>.
On 2008-06-04 11:00:14 +0200, Marc Haisenko wrote:
> The client hook would of course allow to implement something like
> that, but that issue has also been discussed already, as far as I
> remember, and I think the developers thought it might not be a good
> idea (but please search the archive yourself, I'm not entirely
> sure). You care about just yourself, and seem to assume that you
> will be the only user of that specific repository.
But this would be one of the goal of client-side hooks: each user
does whatever he wants with them. The user could also check that
updated XML files are well-formed/valid if he wants to, update
other files (not managed by Subversion) if some file is modified
(e.g. to update an index), and so on.
Also, as I've said, such a feature would be useful mainly for users
who manage their own files with Subversion; so yes, in these cases,
the user cares about himself and is the only user of the repository.
Not all repositories have to use client-side hooks after all!
Note that concerning user-side (client-side) configuration, this
is already the case of umask: Subversion doesn't enforce an umask
value specified at the repository level, so that different users
can already end up with different permissions. I don't see such a
feature very different to what client-side hooks could provide.
> The SubVersion developers have to think a bit bigger and then issues
> that are none to you become huge. One issue would be: Where would
> those hooks be stored ?
In the ~/.subversion directory, for instance.
> If every user has to install the hook himself
Yes, every user *must* install the hook himself.
> then inconsistencies can occur (e.g. not every user has that hook,
> maybe they have different versions, etc. pp.).
Client-side hooks should be optional. So, fatal inconsistencies
would be an error from the users.
> If the hooks are stored in the repository you have a huge security
> desaster
Of course. That's why the user must install hooks himself. The hook
can also contain code to update itself (e.g. if a copy is stored in
the repository); of course, in such a case, there would be security
implications if the repository is shared by several users (i.e. it
is not a repository for the user's own files), but there are also
security implications by typing "make" in a development project
managed by Subversion (or any other VCS).
BTW, about the security, a client-side hook could also do some
checks on the files that have been updated, e.g. the presence of
a virus or suspicious code. Such a feature isn't that bad, is it?
> So if all you need that feature for is archiving some stuff (like
> you /etc directory) you are better off using an external script like
> the "asvn" script already present,
You didn't take into account the problems I mentioned about asvn:
* it is inefficient because it doesn't know which files have been
updated;
* it doesn't fix the permissions in real time (this point is less
important).
IMHO, these two problems can only be solved cleanly with client-side
hooks or something similar, i.e. with some feedback given by svn.
Well, if someone knows how to parse its output without any drawback
(there are often problems with signals[1] and/or buffering[2]), then
I think this could be a solution too (though I'd prefer client-side
hooks).
[1] This one, for instance:
http://subversion.tigris.org/issues/show_bug.cgi?id=3014
[2] Well, it seems that buffering should not be a problem since 1.4.0
as I can see
* flush stdout after each status/notification line (r19476 -656)
in the CHANGES file. But it is listed under "Developer-visible changes".
So, I wonder...
--
Vincent Lefèvre <vi...@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Marc Haisenko <ha...@comdasys.com>.
On Wednesday 04 June 2008, Vincent Lefevre wrote:
> On 2008-06-02 18:01:12 +0200, Marc Haisenko wrote:
> > As far as I remember that feature is not included in SubVersion because
> > it opens a few cans of worms. For example, not every OS supports the same
> > permissions (Windows file permissions vs. UNIX file permissions vs. ACLs
> > vs. Mainframe). How to deal with that ?
>
> Well, Unix file permissions would be applied under Unix only and so on.
> IMHO, permissions are mainly (if not only) useful when the user manages
> his own files with Subversion. And if he is only under Unix, then this
> is fine. Now I think that a client-side hook (as I suggested) would be
> a better solution as it allows to do exactly what the user wants. And
> this is 100% safe as the hook would be installed by the owner of the
> working copy (security holes can only be introduced by the user himself,
> but this isn't specific to Subversion).
Having separate file permission management for each OS is asking for trouble,
IMHO. If you set the permissions to 0444 on Unix (only reading allowed) and
then someone checks that file out on Windows and has write permissions I can
already hear the bug report being entered.
The client hook would of course allow to implement something like that, but
that issue has also been discussed already, as far as I remember, and I think
the developers thought it might not be a good idea (but please search the
archive yourself, I'm not entirely sure). You care about just yourself, and
seem to assume that you will be the only user of that specific repository.
The SubVersion developers have to think a bit bigger and then issues that are
none to you become huge. One issue would be: Where would those hooks be
stored ? If every user has to install the hook himself then inconsistencies
can occur (e.g. not every user has that hook, maybe they have different
versions, etc. pp.). If the hooks are stored in the repository you have a
huge security desaster (e.g. imagine I check in a client hook that
runs "rm -rf ~" or one that adds my SSH public key to your authorized_keys so
I can log on to your account without having to know your password).
So if all you need that feature for is archiving some stuff (like you /etc
directory) you are better off using an external script like the "asvn" script
already present, IMHO: you really know that you are doing something
not "standard" because you call a different command.
Marc
--
Marc Haisenko
Comdasys AG
Rüdesheimer Str. 7
80686 München
Germany
Tel.: +49 (0)89 548 433 321
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Matthias Fechner <id...@fechner.net>.
Hi Vincent,
Vincent Lefevre wrote:
> Well, Unix file permissions would be applied under Unix only and so on.
here you are absolutly right. But I will use it only to have a history
on my configuration files of my Unix PCs (/etc and /usr/local/etc) so
they will run always with linux or BSD.
Bye,
Matthias
--
"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Vincent Lefevre <vi...@vinc17.org>.
On 2008-06-02 18:01:12 +0200, Marc Haisenko wrote:
> As far as I remember that feature is not included in SubVersion because it
> opens a few cans of worms. For example, not every OS supports the same
> permissions (Windows file permissions vs. UNIX file permissions vs. ACLs vs.
> Mainframe). How to deal with that ?
Well, Unix file permissions would be applied under Unix only and so on.
IMHO, permissions are mainly (if not only) useful when the user manages
his own files with Subversion. And if he is only under Unix, then this
is fine. Now I think that a client-side hook (as I suggested) would be
a better solution as it allows to do exactly what the user wants. And
this is 100% safe as the hook would be installed by the owner of the
working copy (security holes can only be introduced by the user himself,
but this isn't specific to Subversion).
On 2008-06-03 11:51:21 +0200, Marc Haisenko wrote:
> On Monday 02 June 2008, Matthias Fechner wrote:
> > Marc Haisenko schrieb:
> > > There are scripts that can store the permissions in SubVersion
> > > properties and restore them from there.
> >
> > oh that is a great info. Do you have a link to such scripts?
>
> Yes, on http://subversion.tigris.org/tools_contrib.html I found "asvn"
> (http://svn.collab.net/repos/svn/trunk/contrib/client-side/asvn).
But if I understand correctly such a script does a lot of useless work
(e.g. getting permissions on all the files, even those that have not
changed and those that are not managed by Subversion), thus is slow
on a large working copy. Moreover permissions are not restored (for
updated files) in real time, i.e. just after a file has been updated.
So, I think there is a real need for client-side hooks. For instance,
each time a file/directory is updated a hook could be executed with
the necessary information (e.g. the file/directory name and a way to
retrieve the properties, or there could be a special property for the
client-side hooks, whose contents are specified by the users).
--
Vincent Lefèvre <vi...@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Marc Haisenko <ha...@comdasys.com>.
On Monday 02 June 2008, Matthias Fechner wrote:
> Hi Marc,
>
> Marc Haisenko schrieb:
> > There are scripts that can store the permissions in SubVersion properties
> > and restore them from there.
>
> oh that is a great info. Do you have a link to such scripts?
>
> Bye
> Matthias
Yes, on http://subversion.tigris.org/tools_contrib.html I found "asvn"
(http://svn.collab.net/repos/svn/trunk/contrib/client-side/asvn).
Bye,
Marc
--
Marc Haisenko
Comdasys AG
Rüdesheimer Str. 7
80686 München
Germany
Tel.: +49 (0)89 548 433 321
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Matthias Fechner <id...@fechner.net>.
Hi Marc,
Marc Haisenko schrieb:
> There are scripts that can store the permissions in SubVersion properties and
> restore them from there.
oh that is a great info. Do you have a link to such scripts?
Bye
Matthias
--
"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Marc Haisenko <ha...@comdasys.com>.
On Monday 02 June 2008, Matthias Fechner wrote:
> Hi Ryan,
>
> Ryan Schmidt wrote:
> > No. The only permission a repository can store is a file's executable
> > bit, via the presence or absence of the svn:executable property on a
> > file.
>
> thanks a lot for your answer that was the reason why I could not find
> anything who to do it.
>
> Maybe that would be a nice feature for the future?
>
> Best regards,
> Matthias
As far as I remember that feature is not included in SubVersion because it
opens a few cans of worms. For example, not every OS supports the same
permissions (Windows file permissions vs. UNIX file permissions vs. ACLs vs.
Mainframe). How to deal with that ?
The SubVersion developers thus agreed that the most important and widely
supported file permission is whether a file is executable or not and added
support for just that permission.
There are scripts that can store the permissions in SubVersion properties and
restore them from there.
Bye,
Marc
--
Marc Haisenko
Comdasys AG
Rüdesheimer Str. 7
80686 München
Germany
Tel.: +49 (0)89 548 433 321
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Matthias Fechner <id...@fechner.net>.
Hi Ryan,
Ryan Schmidt wrote:
> No. The only permission a repository can store is a file's executable
> bit, via the presence or absence of the svn:executable property on a file.
thanks a lot for your answer that was the reason why I could not find
anything who to do it.
Maybe that would be a nice feature for the future?
Best regards,
Matthias
--
"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Vincent Lefevre <vi...@vinc17.org>.
On 2008-06-01 17:56:46 -0500, Ryan Schmidt wrote:
> On May 31, 2008, at 16:28, Matthias Fechner wrote:
>> is their a possibility to store the permissions to files stored in the
>> repository?
>
> No. The only permission a repository can store is a file's executable
> bit, via the presence or absence of the svn:executable property on a
> file.
Shouldn't an enhancement request be filled on the issue tracker?
IMHO, the feature should be more general: a client-side hook called
after a file is added/updated in the working copy. So, the user could
use a restricted umask, and fix the permissions (or other attributes)
in the hook. BTW, that could be a way to solve bug 2332 ("Keyword
expansion in non-UTF8 documents results in mixed charsets").
--
Vincent Lefèvre <vi...@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File Permissions
Posted by Ryan Schmidt <su...@ryandesign.com>.
On May 31, 2008, at 16:28, Matthias Fechner wrote:
> is their a possibility to store the permissions to files stored in
> the repository?
No. The only permission a repository can store is a file's executable
bit, via the presence or absence of the svn:executable property on a
file.
> The background is I would like to have all my config files in a
> repository and some files their need special permissions like ssh
> keys.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org