Posted to users@subversion.apache.org by Ali Soleimani <al...@gmail.com> on 2008/01/07 05:16:12 UTC
File access control
hello
How can I define access level for files not directories?
I have a Delphi project and many developers have access to dcu and dfm files
but pas files are readable and writable by only some developers.
Re: File access control
Posted by Ryan Schmidt <su...@ryandesign.com>.
On Jan 6, 2008, at 23:50, Ali Soleimani wrote:
>> The only way is via a pre-commit hook, as far as I know. Subversion
>> security only works on the directory level.
>
> thanks for reply.
> I have to restrict user in "update" command; so is there pre-
> update hook?
No, there isn't a pre-update hook. I don't think there's a way to do
what you want in Subversion. Access controls in Subversion are at the
directory level, not the file level. If you can move the files you
need to protect into a directory of their own, then that could be a
workaround.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: File access control
Posted by Sohail Somani <so...@taggedtype.net>.
On Mon, 07 Jan 2008 09:20:48 +0330, Ali Soleimani wrote:
>> The only way is via a pre-commit hook, as far as I know. Subversion
>> security only works on the directory level.
Why don't you just put all the sensitive files in a directory and put
security permissions on the directory? That makes more sense.
--
Sohail Somani
http://uint32t.blogspot.com
Re: File access control
Posted by Ali Soleimani <al...@gmail.com>.
>
> The only way is via a pre-commit hook, as far as I know. Subversion
> security only works on the directory level.
>
Thanks for the reply.
I have to restrict users in the "update" command; so is there a pre-update hook?
Re: File access control
Posted by Sohail Somani <so...@taggedtype.net>.
On Mon, 07 Jan 2008 08:46:12 +0330, Ali Soleimani wrote:
> hello
> How can I define access level for files not directories? I have a Delphi
> project and many developers have access to dcu and dfm files but pas
> files are readable and writable by only some developers.
The only way is via a pre-commit hook, as far as I know. Subversion
security only works on the directory level.
--
Sohail Somani
http://uint32t.blogspot.com
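
A pre-commit hook of the kind mentioned in this reply, as an added example that is not part of the original thread: it rejects any commit that touches a .pas file unless the author is on an allow list. The allowed author `sally` and the function name `check_commit` are assumptions; such a hook restricts commits only, not checkout or update.

```shell
#!/bin/sh
# Install as <repos>/hooks/pre-commit; Subversion runs it as: pre-commit REPOS TXN
# Assumption: sally is the only user allowed to commit .pas files.
ALLOWED_PAS_AUTHORS="sally"

# check_commit AUTHOR
# Reads `svnlook changed` output on stdin. Returns 0 to allow, 1 to reject.
check_commit() {
    author=$1
    allowed=no
    for a in $ALLOWED_PAS_AUTHORS; do
        if [ "$a" = "$author" ]; then
            allowed=yes
        fi
    done
    status=0
    while IFS= read -r line; do
        # Each line is a 4-column status field followed by the path,
        # e.g. "U   trunk/untPrivate.pas"; directories end in "/".
        path=${line#????}
        case $path in
            *.[pP][aA][sS])
                if [ "$allowed" = no ]; then
                    echo "$author may not commit $path" >&2
                    status=1
                fi
                ;;
        esac
    done
    return $status
}

# Hook entry point: only runs when called with the two hook arguments.
if [ $# -eq 2 ]; then
    REPOS=$1
    TXN=$2
    author=$(svnlook author -t "$TXN" "$REPOS") || exit 1
    svnlook changed -t "$TXN" "$REPOS" | check_commit "$author" || exit 1
fi
```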
RE: Re: File access control
Posted by "Harvey, Edward" <Ed...@patni.com>.
> Harvey, Edward schrieb:
> > Then you would create permissions like this:
> > [myrepository:/]
> > *=rw
> >
> > [myrepository:/trunk/private]
> > *=r
> >
> > [myrepository:/trunk/private/john]
> > *=
> > john=rw
>
> But what would prevent another user from doing the following?
>
> svn cp svn://myserver/myrepository/trunk
> svn://myserver/myrepository/mycopy
>
> svn co svn://myserver/myrepository/mycopy/private/john
It is true, if some user has access to a directory, there's nothing to
prevent that user from giving it to another user that would otherwise be
denied access. I guess this goes without saying though, the user who
has access could just copy it to a CD or upload it someplace on the
internet or whatever.
http://www.patni.com
World-Wide Partnerships. World-Class Solutions.
_____________________________________________________________________
This e-mail message may contain proprietary, confidential or legally
privileged information for the sole use of the person or entity to
whom this message was originally addressed. Any review, e-transmission
dissemination or other use of or taking of any action in reliance upon
this information by persons or entities other than the intended
recipient is prohibited. If you have received this e-mail in error
kindly delete this e-mail from your records. If it appears that this
mail has been forwarded to you without proper authority, please notify
us immediately at netadmin@patni.com and delete this mail.
_____________________________________________________________________
Re: File access control
Posted by Andreas Schweigstill <an...@schweigstill.de>.
Hello!
Harvey, Edward schrieb:
> Then you would create permissions like this:
> [myrepository:/]
> *=rw
>
> [myrepository:/trunk/private]
> *=r
>
> [myrepository:/trunk/private/john]
> *=
> john=rw
But what would prevent another user from doing the following?

svn cp svn://myserver/myrepository/trunk svn://myserver/myrepository/mycopy

svn co svn://myserver/myrepository/mycopy/private/john
Regards
Andreas Schweigstill
--
Dipl.-Phys. Andreas Schweigstill
Schweigstill IT | Embedded Systems
Schauenburgerstraße 116, D-24118 Kiel, Germany
Phone: (+49) 431 5606-435, Fax: (+49) 431 5606-436
Mobile: (+49) 171 6921973, Web: http://www.schweigstill.de/
Re: Re: Re: File access control
Posted by Andy Levy <an...@gmail.com>.
On Jan 10, 2008 4:33 PM, Harvey, Edward <Ed...@patni.com> wrote:
> > Subversion does not provide for access restrictions on a
> > per-file basis. Only directories.
>
> I am able to use authz to control permissions of my repository on a
> per-file basis. Strangely, when I remove myself from access to a file,
> I can still read it; I just can't write it. So the per-file permissions
> although present, don't seem to be implemented quite right.
>
> (With this setting, I can do an update to read the file; but I can't
> commit changes to the file.)
> [myrepository:/foo/junk.txt]
> eharvey =
>
> (With this setting, I have full access.)
> [myrepository:/foo/junk.txt]
> eharvey = rw
I think you're exploiting a bug, not taking advantage of a half-baked feature.
RE: Re: Re: File access control
Posted by "Harvey, Edward" <Ed...@patni.com>.
> Subversion does not provide for access restrictions on a
> per-file basis. Only directories.
I am able to use authz to control permissions of my repository on a
per-file basis. Strangely, when I remove myself from access to a file,
I can still read it; I just can't write it. So the per-file permissions
although present, don't seem to be implemented quite right.
(With this setting, I can do an update to read the file; but I can't
commit changes to the file.)

[myrepository:/foo/junk.txt]
eharvey =

(With this setting, I have full access.)

[myrepository:/foo/junk.txt]
eharvey = rw
Re: Re: File access control
Posted by Andy Levy <an...@gmail.com>.
On Jan 9, 2008 2:19 AM, Ali Soleimani <al...@gmail.com> wrote:
>
> On Jan 8, 2008 7:36 PM, Harvey, Edward <Ed...@patni.com> wrote:
> >
> > >> On Jan 7, 2008 5:22 PM, Harvey, Edward <Ed...@patni.com> wrote:
> > >> If you're using http, you can add "AuthzSVNAccessFile /path/to/svn-
> > >> access-file"
> > >> And then populate /path/to/svn-access-file with something like this:
> > >>
> > >> [groups]
> > >> group1 = user1, user2, user3
> > >>
> > >> [repo1:/]
> > >> * = rw
> > >>
> > >> [repo1:/path/to/sensitive/file]
> > >> @group1 = rw
> > >> * =
> > >>
> > >> If you're not using http, I think you're out of luck.
> > >
> > >
> > > There are trunk, tags, and branches directory in repository, and in
> > > tags and branches directory there are branched directories, so the how
> > > is path access?
> >
> > Ok, suppose you have this file structure in the repository:
> > /
> > /trunk/
> > /trunk/shared/
> > /trunk/shared/hello.c
> > /trunk/private/
> > /trunk/private/john/
> > /trunk/private/john/mysecret.txt
> >
> > Then you would create permissions like this:
> > [myrepository:/]
> > *=rw
> >
> > [myrepository:/trunk/private]
> > *=r
> >
> > [myrepository:/trunk/private/john]
> > *=
> > john=rw
> >
> >
> > http://www.patni.com
> > World-Wide Partnerships. World-Class Solutions.
>
> hi,
> thanks for reply,
> what is the solution if I have this structure?
> there is two user: sally and harry.
> sally has full access to repository and harry
> has full access but has not access to untPrivate.pas.
Subversion does not provide for access restrictions on a per-file
basis. Only directories.
Re: Re: File access control
Posted by Ali Soleimani <al...@gmail.com>.
On Jan 8, 2008 7:36 PM, Harvey, Edward <Ed...@patni.com> wrote:
> >> On Jan 7, 2008 5:22 PM, Harvey, Edward <Ed...@patni.com> wrote:
> >> If you're using http, you can add "AuthzSVNAccessFile /path/to/svn-
> >> access-file"
> >> And then populate /path/to/svn-access-file with something like this:
> >>
> >> [groups]
> >> group1 = user1, user2, user3
> >>
> >> [repo1:/]
> >> * = rw
> >>
> >> [repo1:/path/to/sensitive/file]
> >> @group1 = rw
> >> * =
> >>
> >> If you're not using http, I think you're out of luck.
> >
> >
> > There are trunk, tags, and branches directory in repository, and in
> > tags and branches directory there are branched directories, so the how
> > is path access?
>
> Ok, suppose you have this file structure in the repository:
> /
> /trunk/
> /trunk/shared/
> /trunk/shared/hello.c
> /trunk/private/
> /trunk/private/john/
> /trunk/private/john/mysecret.txt
>
> Then you would create permissions like this:
> [myrepository:/]
> *=rw
>
> [myrepository:/trunk/private]
> *=r
>
> [myrepository:/trunk/private/john]
> *=
> john=rw
>
> http://www.patni.com
> World-Wide Partnerships. World-Class Solutions.
>
Hi,
thanks for the reply.
What is the solution if I have this structure?
There are two users: sally and harry.
sally has full access to the repository and harry
has full access but no access to untPrivate.pas.
/trunk/untMain.pas
/trunk/untMain.dfm
/trunk/untMain.dcu
/trunk/project.dpr
/trunk/untPrivate.pas
/trunk/untPrivate.dfm
/trunk/untPrivate.dcu
/tags/Pre-release-1.0/untMain.pas
/tags/Pre-release-1.0/untMain.dfm
/tags/Pre-release-1.0/untMain.dcu
/tags/Pre-release-1.0/project.dpr
/tags/Pre-release-1.0/untPrivate.pas
/tags/Pre-release-1.0/untPrivate.dfm
/tags/Pre-release-1.0/untPrivate.dcu
/branches/stable-1.0/untMain.pas
/branches/stable-1.0/untMain.dfm
/branches/stable-1.0/untMain.dcu
/branches/stable-1.0/project.dpr
/branches/stable-1.0/untPrivate.pas
/branches/stable-1.0/untPrivate.dfm
/branches/stable-1.0/untPrivate.dcu
/branches/stable-1.1/untMain.pas
/branches/stable-1.1/untMain.dfm
/branches/stable-1.1/untMain.dcu
/branches/stable-1.1/project.dpr
/branches/stable-1.1/untPrivate.pas
/branches/stable-1.1/untPrivate.dfm
/branches/stable-1.1/untPrivate.dcu
RE: Re: File access control
Posted by "Harvey, Edward" <Ed...@patni.com>.
>> On Jan 7, 2008 5:22 PM, Harvey, Edward <Ed...@patni.com> wrote:
>> If you're using http, you can add "AuthzSVNAccessFile /path/to/svn-
>> access-file"
>> And then populate /path/to/svn-access-file with something like this:
>>
>> [groups]
>> group1 = user1, user2, user3
>>
>> [repo1:/]
>> * = rw
>>
>> [repo1:/path/to/sensitive/file]
>> @group1 = rw
>> * =
>>
>> If you're not using http, I think you're out of luck.
>
>
> There are trunk, tags, and branches directory in repository, and in
> tags and branches directory there are branched directories, so the how
> is path access?
Ok, suppose you have this file structure in the repository:

/
/trunk/
/trunk/shared/
/trunk/shared/hello.c
/trunk/private/
/trunk/private/john/
/trunk/private/john/mysecret.txt

Then you would create permissions like this:

[myrepository:/]
*=rw

[myrepository:/trunk/private]
*=r

[myrepository:/trunk/private/john]
*=
john=rw
Re: File access control
Posted by Ali Soleimani <al...@gmail.com>.
On Jan 7, 2008 5:22 PM, Harvey, Edward <Ed...@patni.com> wrote:
> If you're using http, you can add "AuthzSVNAccessFile
> /path/to/svn-access-file"
>
> And then populate /path/to/svn-access-file with something like this:
>
> [groups]
> group1 = user1, user2, user3
>
> [repo1:/]
> * = rw
>
> [repo1:/path/to/sensitive/file]
> @group1 = rw
> * =
>
> If you're not using http, I think you're out of luck.

There are trunk, tags, and branches directory in repository, and in tags
and branches directory there are branched directories, so the how is path
access?
RE: File access control
Posted by "Harvey, Edward" <Ed...@patni.com>.
If you're using http, you can add "AuthzSVNAccessFile
/path/to/svn-access-file"

And then populate /path/to/svn-access-file with something like this:

[groups]
group1 = user1, user2, user3

[repo1:/]
* = rw

[repo1:/path/to/sensitive/file]
@group1 = rw
* =

If you're not using http, I think you're out of luck.
From: Ali Soleimani [mailto:alisol911@gmail.com]
Sent: Monday, January 07, 2008 12:16 AM
To: users@subversion.tigris.org
Subject: File access control
hello
How can I define access level for files not directories?
I have a Delphi project and many developers have access to dcu and dfm
files but pas files are readable and writable by only some developers.