[Gnu-arch-users] Re: expert needed: arch doesn't support multi-committer archives!

[Pau Aliagas]

On Mon, 6 Oct 2003, Ethan Benson wrote:

> On Mon, Oct 06, 2003 at 09:46:09AM -0700, Tom Lord wrote:
> > In short, I think James has nailed the answer cold and I'm not sure
> > why his solution was so glibly brushed aside in favor of all the other
> > discussion.
> 
> because from a system administrators point of view shared accounts are
> simply unacceptable.  they provide absolutly no accountability for who
> is doing what.

They provide enough in this situation.

> with a shared sftp account anyone granted access to it can sftp in and
> rm -rf the entire archive, and nobody can ever hope to figure out who
> it was who did it.

You can setup the permissions in ways they will work:

Create userA.groupA to hold the archives:
* archive dir belongs to userA.groupA
* archive premissions: u+rw, g+rws, o+r

Create an account users_rw that belongs to groupA:
* give access to the members that need rw access (put ssh pub keys in place)
* all the members that are given sftp through this account will be able to 
  read/write the archive
* accounting will be logged

Create an account users_ro that does not belong to groupA:
* give access to the members that need ro access (put ssh pub keys in place)
* all the members that are given sftp through this account will be able to 
  read the archive but not write to it.
* this would be easierly achieved with a public mirror, if it's going to 
  be public anyway.


Pau