[RFC] permissions mgmt
John Arbash Meinel
john at arbash-meinel.com
Mon Aug 21 16:26:05 BST 2006
Robert Collins wrote:
> I think the bunch of interactions between permissions and performance
> are a hint :).. and our inability to do the right thing on sftp [at all]
> hints this too...
>
> I'd like to propose the following changes to our permission support
> logic:
>
> - over sftp we don't chmod at all - we do whatever the umask is
> configured to do by the user. We should offer a helper script to set the
> umask before invoking the sftp-server process.

The helper script is, in fact, quite simple, but it needs to be
configured by the admin. This is what I use:

In /etc/ssh/sshd_config:

    Subsystem sftp /usr/local/bin/sftp-wrapper.sh

In /usr/local/bin/sftp-wrapper.sh:

    #!/bin/sh
    # Just run sftp-server with the correct umask
    umask 0002
    # This line is whatever used to be in /etc/ssh/sshd_config
    # On Ubuntu it seems to be /usr/lib/openssh/sftp-server
    # on FC4 it is /usr/libexec/openssh/sftp-server
    exec /usr/libexec/openssh/sftp-server

There might be something you could do as a user config, I think you can
do fancy things with special keys which invoke special commands, I don't
really know how to set that up.

> - over ssh we offer a umask-setting facility. We will have a native ssh
> non-smart server protocol in 0.11 I think - it's the substrate for the
> smart-server-over-ssh.
> - on local disk we offer a umask setting facility.
>
> Both the umask-setting facilities are off by default, controlled by a
> file in the repository.

The problem with umask setting is that it affects both Transports, even
when one has it disabled and one has it enabled.

>
> The idea is that by default we can just create files with the right mode
> that we need - read or read-write, and forget about the detail. And when
> permission mgmt is needed, we do it via umask setting rather than
> explicit chmodding.
>
> Thoughts ?
>
> -Rob
>

I've looked through paramiko, and it should be possible to set the open
mode even over sftp. (I'm not sure about directory creation mode, but it
also should be possible).

Paramiko just doesn't expose it in the 'file()' command. You have to
poke into the privates. (Just like using os.open() instead of plain open()).

We can talk to Robey about it, but it would probably be reasonable to
change everything so that we support file modes by creating files with
the correct modes over all transports. And then it is just up to having
the correct umask for bzr to allow things to be more shared than the
default.

The only problem is needing to do the right thing for working-tree
files. Because once you have changed umask so you can alter the .bzr/*
files, it changes how you create new files in the working dir.

And I don't think 2 umask calls (set/reset) for every put would be
faster than 1 chmod call..

We already peek into the internals of paramiko, because in the past it
did not expose a way to open a file in 'O_EXCL' mode.

I would be okay with "We support creating new entries with the correct
(mode & ~umask)". This would be for both local and sftp files.

I suppose we could keep our own umask state, with some sort of a
'startup umask' and 'current umask'. So a Transport could just do a
check, rather than set/unset the umask. And then TreeTransform could
just request that the umask be reset to the 'startup umask'.

A similar method could be used over SSH. And SFTP could just be
restricted to the original umask.

John
=:->
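
Added example, not part of the original message and not bzr's code: local files created with the final mode passed to os.open(), so the kernel yields (mode & ~umask) with no later chmod, combined with the 'startup umask' / 'current umask' tracking described above. The names create_with_mode and UmaskState and the umask values 0022 and 0002 are assumptions made for illustration.

```python
import os
import stat
import tempfile

def create_with_mode(path, data, mode):
    """Create path exclusively; the kernel applies (mode & ~umask) at creation,
    so no follow-up chmod is needed and the file never exists with a wider mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

class UmaskState:
    """Hypothetical tracker for the 'startup umask' / 'current umask' idea."""
    def __init__(self):
        self.startup = os.umask(0)   # umask can only be read by setting it
        os.umask(self.startup)
        self.current = self.startup
        self.syscalls = 0            # umask changes made after startup

    def ensure(self, mask):
        """Change the process-wide umask only if it differs from the tracked one."""
        if mask != self.current:
            os.umask(mask)
            self.current = mask
            self.syscalls += 1

    def reset(self):
        self.ensure(self.startup)

def demo():
    saved = os.umask(0o022)          # constructed "user" umask for the demo
    try:
        state = UmaskState()
        modes = {}
        with tempfile.TemporaryDirectory() as d:
            # Working-tree file at the startup umask: no umask call needed.
            modes["tree"] = create_with_mode(os.path.join(d, "tree"), b"x", 0o666)
            state.ensure(0o002)      # shared repository wants group-write
            modes["repo_rw"] = create_with_mode(os.path.join(d, "rw"), b"x", 0o666)
            state.ensure(0o002)      # second put: check only, no syscall
            modes["repo_ro"] = create_with_mode(os.path.join(d, "ro"), b"x", 0o444)
            state.reset()            # what TreeTransform would request
            modes["tree2"] = create_with_mode(os.path.join(d, "tree2"), b"x", 0o666)
        return modes, state.syscalls
    finally:
        os.umask(saved)

if __name__ == "__main__":
    print(demo())
```

Because the umask is process-wide, the tracker only helps when every code path that creates files goes through it; a second thread creating files between ensure() and reset() would inherit the shared-repository umask.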