This is a repository of my old source code which isn't updated any more. Go to git.rot13.org for current projects!

Diff of /doc/trustee.html


revision 1.1.1.1 by dpavlin, Sun Jul 21 13:25:15 2002 UTC revision 1.8 by dpavlin, Wed Jun 11 03:26:29 2003 UTC
# Line 5  concept of trustees for Linux kernel by Line 5  concept of trustees for Linux kernel by
5  <zavadsky@braysystems.com>  <zavadsky@braysystems.com>
6  </p>  </p>
7    
8  <p>Trustiees are used to controll access right, and special fetures  <p>Trustees are used to control access right, and special features
9  (like notify on change)  (like <a href="notify.html">notify on change</a>)
10    </p>
11    
12    <p>For each path (which can be file or directory) all trustees are
13    evaluated. However, <b>deny</b> has precedence over <b>allow</b> (which
14    is default in no trustee is specified).
15  </p>  </p>
16    
17  <h2>Format of trustee file</h2>  <h2>Format of trustee file</h2>
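Review bot: the parenthetical added at new line 13-14, "deny has precedence over allow (which is default in no trustee is specified)", is ambiguous about what happens to a path with no matching trustee. Read literally it says such a path is allowed, yet the anonymous-access text added further down in this same revision says docman ignores anonymous users until `/:anonymous:BO` exists and that authenticated users only get access once `/:*:RWB` is written, which implies default deny whenever a trustee file is present. Say which is meant; if "default" refers to the no-trustee-file fallback described under "docman without trustee configuration", move the remark there. Also "in no trustee" should read "if no trustee", and "access right" at line 8 should be "access rights".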
# Line 14  concept of trustees for Linux kernel by Line 19  concept of trustees for Linux kernel by
19  <p>Comments are written using hash (#) as first character in line  <p>Comments are written using hash (#) as first character in line
20  <br><tt># this is a comment</tt></p>  <br><tt># this is a comment</tt></p>
21    
22  <p>Group can be used instead of username in all ACLs. You can't have user  <p>Group can be used instead of user-name in all ACL. You can't have user
23  which has same name as group or vice-versa. It's written using plus (+) as  which has same name as group or vice-versa. It's written using plus (+) as
24  first character in line.  first character in line.
25  <br>+<i>group</i>:<i>user</i>[,<i>user</i>...]</p>  <br>+<i>group</i>:<i>user</i>[,<i>user</i>...]</p>
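Review bot: "ACLs" at new line 22 was correct as a plural, and "user-name" introduces a hyphenation that appears nowhere else on the page; keep "username" and "ACLs". The constraint that a user may not share a name with a group needs one more sentence saying what docman does when they do collide (reject the trustee file, or silently resolve the name as one of the two), because once a group name can stand in for a username in every ACL entry, a `/path:name:RWB` line gives the administrator no way to tell which one was matched.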
# Line 25  first character in line. Line 30  first character in line.
30  Valid modifiers:  Valid modifiers:
31  <ul>  <ul>
32  <li><tt>!</tt> trustee applies to all except user or group  <li><tt>!</tt> trustee applies to all except user or group
33  <li><tt>C</tt> clear the persmission (default is to set)  <li><tt>C</tt> clear the permission (default is to set)
34  <li><tt>D</tt> deny access (default is grant)  <li><tt>D</tt> deny access (default is grant)
35    <li><tt>O</tt> one-level trustee only <small>(this means that those permissions
36            will not be inherited on directories and files downwards from current
37            level -- it's useful for <a href="#anonymous">anonymous access</a>)
38            </small>
39  </ul>  </ul>
40    
41  Valid permissions:  Valid permissions:
# Line 34  Valid permissions: Line 43  Valid permissions:
43  <li><tt>R</tt> read (file)  <li><tt>R</tt> read (file)
44  <li><tt>W</tt> write (file)  <li><tt>W</tt> write (file)
45  <li><tt>B</tt> browse (directory)  <li><tt>B</tt> browse (directory)
46  <li><tt>N</tt> notify (e-mail change)  <li><tt>N</tt> <a href="notify.html">notify</a> (e-mail change)
47  </ul>  </ul>
48    
49  <h2>Examples</h2>  <h2>Examples</h2>
50    
51  <pre>  <pre>
52  # dpavlin is admin (grant all access to members of root group)  # dpavlin is administrator (grant all access to members of root group)
53  +root:dpavlin  +root:dpavlin
54  /:root:RWB  /:root:RWB
55  # give read-only access to all users  # give read-only access to all users
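Review bot: the new `O` bullet at lines 35-38 says the permissions are not inherited downward but not what applies below the one-level trustee; state that lower paths get nothing from this entry and need a trustee of their own, which is exactly what the anonymous-access section later in this revision relies on when it insists on `/:anonymous:BO` rather than `/:anonymous:B`. The `C` bullet at line 33 should likewise say that clearing is the only way a more specific trustee can undo a `D` set by a broader one, since the `/one_editor.txt` example depends on that and the "deny has precedence" sentence on its own suggests a deny can never be overridden.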
# Line 59  read-only access) you could write: Line 68  read-only access) you could write:
68  /secret.txt:*:DRWB:joe:R  /secret.txt:*:DRWB:joe:R
69  </pre>  </pre>
70    
71  That is wrong. <b>deny</b> rules will take precedance over allow read  That is wrong. <b>deny</b> rules will take precedence over allow read
72  to joe. So, you should write:  to joe. So, you should write:
73    
74  <pre>  <pre>
# Line 68  to joe. So, you should write: Line 77  to joe. So, you should write:
77    
78  Which will work.  Which will work.
79    
80  <big>FIX</big> write more examples, beter descriptions...  <p>If you want to allow just one user (<i>editor</i>) to have write
81    persmissions on file <i>one_editor.txt</i> while all others can read it, you
82    could do something like:
83    
84    <pre>
85    /one_editor.txt:*:DW:editor:CRWB
86    </pre>
87    
88    Order of statements is not important. Trustees are always evaluated from
89    universal ones (e.g. ones for all users; with *) to specific for this
90    user (in this case, for user <i>editor</i>). However, this example
91    wouldn't work without <b>C</b> for user <i>editor</i> because <b>deny</b>
92    for write would have precidence.
93    
94    <p>
95    <big>FIX</big> write more examples, better descriptions...
96    </p>
97    
98    <a name="anonymous">
99    <h3>Anonymous access</h3>
100    
101    <p>One of great advantages of using trustees is that you can allow
102    anonymous access (without login). You should pay attention to access
103    right, because you probably don't want anonymous users to see all files
104    or folders in your repository.
105    </p>
106    
107    <p>First, you will have to add browse trustee to anonymous user
108    on root directory -- docman will ignore all anonymous users if
109    you don't do this.
110    <pre>
111            /:anonymous:BO
112    </pre>
113    You really <b>want to use flags <tt>BO</tt></b> and not just <tt>B</tt> because
114    if you specify just <tt>B</tt> anonymous users will be able to browse (see
115    directory names) of your whole repository. This way you can explicitly
116    allow (or deny) which sub-directories you want anonymous users to browse.
117    <br>For example, this will allow anonymous users to see and read everything
118    in <tt>/pub</tt> and to store documents in <tt>/incoming</tt>:
119    <pre>
120            /pub:anonymous:RB
121            /incoming:anonymous:RWB
122    </pre>
123    You might also want to hide some directory from anonymous users, and you
124    can do that using:
125    <pre>
126            /private:anonymous:DB
127    </pre>
128    If you would like to <b>give all your users</b> which are authenticated via
129    login and password <b>all access</b> to all files (like in old docman v1.x) you
130    also have to add
131    <pre>
132            /:*:RWB
133    </pre>
134    However, that <b>will not add all
135    permission to anonymous users</b>. If you want to add all that permission
136    to anonymous users (which will create wiki-like community for sharing files)
137    you must explicitly say that you allow that to anonymous users:
138    <pre>
139            /:anonymous:RWB
140    </pre>
141    All those setting will create environment which is very like docman v1.x,
142    but with anonymous users allowed to see document in <tt>/pub</tt> and
143    upload them in <tt>/incoming</tt>.
144    </p>
145    
146  <h2>Default security</h2>  <h2>Default security</h2>
147    
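Review bot: `/incoming:anonymous:RWB` at line 121 grants anonymous users `R` as well as `W`, so any visitor can read whatever any other visitor has uploaded to `/incoming`; if the intent is a drop box, grant `WB` (or just `W`) there and keep `R` for `/pub`, otherwise say explicitly that the upload area is world-readable. Two markup points in the same hunk: `<a name="anonymous">` at line 98 is never closed, so the rest of the page sits inside the anchor (close it after the `<h3>`, or put `id="anonymous"` on the `<h3>` itself, which the existing `href="#anonymous"` link will still resolve); and the `<pre>` blocks at lines 110-139 sit inside the `<p>` opened at line 107, which is not valid HTML, so close the paragraph before each `<pre>`. Typos: "persmissions" (line 81), "precidence" (line 92), "One of great advantages" should be "One of the great advantages" (line 101), "access right" should be "access rights" (line 103), "setting" should be "settings" (line 141) and "document" should be "documents" (line 142).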
# Line 81  users) Line 154  users)
154  <h2>docman without trustee configuration</h2>  <h2>docman without trustee configuration</h2>
155    
156  <p>If you <b>don't have</b> <tt>realm/http_virtual_host.trustee</tt> you  <p>If you <b>don't have</b> <tt>realm/http_virtual_host.trustee</tt> you
157  will fall-back to default docman v1.x behaviour: whole group will have  will fall-back to default docman v1.x behavior: whole group will have
158  all right on all files except <i>anonymous</i> users (which won't be able  all right on all files except <i>anonymous</i> users (which won't be able
159  to login anyway).  to login anyway).
160  </p>  </p>
161    
162    <p>See also:
163    <a href="admin.html">Administration manual</a>
164    </p>
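Review bot: "all right on all files" at line 158 should be "all rights on all files". More importantly, this fallback is fail-open: a missing or misnamed `realm/http_virtual_host.trustee` silently gives every authenticated user read and write access to every file, so the paragraph should warn that a typo in the file name has the same effect as deleting the whole ACL, and tell administrators to verify that docman actually picked the trustee file up after deploying one.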
