[cap-talk] More Heresy: ACLs not inherently bad
Mark Seaborn
mrs at mythic-beasts.com
Fri Sep 19 13:33:46 CDT 2008
"Jonathan S. Shapiro" <shap at eros-os.com> wrote:
> On Thu, 2008-09-18 at 21:46 +0100, Mark Seaborn wrote:
> > "Jonathan S. Shapiro" <shap at eros-os.com> wrote:
> > As far as I can tell, the 6 requirements you listed on
> > http://www.eros-os.org/pipermail/cap-talk/2008-September/011633.html
> > are satisfied by the DSCM gatekeeper I suggested....
> >
> > You don't need ACLs *or* capabilities to satisfy your requirements.
>
> How is requirement 2 satisfied without an ACL of some sort? The criteria
> for legal updates are principal based?
Requirement 2: "In order to revise a file whose name ends in .c or .h,
the user must be in the developer group."
When the gatekeeper is pulling a changeset from Fred's branch, the
gatekeeper looks at the list of files the changeset touches. If the
changeset touches a *.c or *.h file and Fred is not on the
gatekeeper's list as a developer, the changeset is rejected, and the
gatekeeper will not merge it into the main branch. The gatekeeper
also requires that the changeset lists Fred as the author/committer.
Only Fred can write to Fred's branch. With Git and Bazaar a typical
way to set that up is with SSH and a Unix account for each user.
It's not an ACL system because the .c and .h files are not labelled.
Instead, the gatekeeper is applying filename-based checks.
> Also, how is problem of protecting the underlying state in the file
> system addressed without ACLs?
Fred doesn't have direct access to the underlying state. The only way
he can get changesets into the main branch and so change the main
branch's underlying state is via the gatekeeper.
That's the too-obvious answer. I think you're trying to get at
something but I don't know what it is.
Regards,
Mark
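The gatekeeper rule described in the reply, as an added example in Python (not code from the post or from any DSCM tool; the Changeset type, the developer set and the sample file names are assumed). It shows the two checks the gatekeeper applies: the changeset must name the branch owner as its author, and a changeset touching any file whose name ends in .c or .h is merged only if that owner is on the developer list. No file carries a label; only names are inspected.

```python
from dataclasses import dataclass

# Assumed model of the gatekeeper in the post, not a real tool's code.
PROTECTED_SUFFIXES = (".c", ".h")  # requirement 2: names ending in .c or .h


@dataclass(frozen=True)
class Changeset:
    author: str            # author/committer recorded in the changeset
    touched: frozenset     # every path it creates, modifies, deletes or renames
                           # (a rename lists both its old and its new path)


def protected_files(paths):
    """Filename-based test: which touched files end in .c or .h?
    Only the name is inspected; there is no per-file label or ACL."""
    return sorted(p for p in paths if p.endswith(PROTECTED_SUFFIXES))


def gatekeeper(changeset, branch_owner, developers):
    """Decide whether to merge a changeset pulled from branch_owner's branch.
    Returns (accepted, reason)."""
    # Only the owner can write to the branch (e.g. one SSH/Unix account per
    # user), so the changeset must also name that owner as author/committer.
    if changeset.author != branch_owner:
        return False, f"author {changeset.author!r} is not branch owner {branch_owner!r}"
    hits = protected_files(changeset.touched)
    if hits and branch_owner not in developers:
        return False, f"{branch_owner!r} is not a developer but touches {hits}"
    return True, "merged"


if __name__ == "__main__":
    # Constructed sample: alice is the only developer; fred is not.
    developers = {"alice"}
    samples = [
        ("fred", Changeset("fred", frozenset({"README", "docs/intro.txt"}))),
        ("fred", Changeset("fred", frozenset({"README", "src/main.c"}))),
        ("fred", Changeset("alice", frozenset({"src/main.c"}))),   # wrong author
        ("alice", Changeset("alice", frozenset({"include/api.h"}))),
    ]
    for owner, cs in samples:
        accepted, reason = gatekeeper(cs, owner, developers)
        print(f"{owner:6} {sorted(cs.touched)!s:40} -> {accepted} ({reason})")
```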