Re: [fossil-users] Fossil added to AstLinux
On Thu, Aug 27, 2015 at 9:47 PM, Lonnie Abelbeck li...@lonnie.abelbeck.com wrote:

> On Aug 27, 2015, at 6:27 PM, Ron W ronw.m...@gmail.com wrote:
>
>> Why a and not d (developer)? Seems to me that would cover the needed permissions to manage the Astrix and AstLinux conf files.

I meant 'v', not 'd' ('v' is developer permissions, which is a macro for the combined permissions assigned to 'developer', 'anonymous' and 'nobody'.)

> Since the user has lighttpd's admin privileges under the AstLinux web interface, it seemed reasonable to us that a privileges in Fossil would be appropriate.
>
> Possibly we are allowing some privilege we really don't want, but in our testing things seemed appropriate.
>
> If there is some reference describing the extra permissions of 'a' vs. 'dei' I would appreciate it.

#1 under Notes in the User admin page states that 'a' (Admin) permissions are Create and Delete Users. Since your user management is done outside Fossil, this would seem to not be needed.

Apparently, 'a' inherits 'v' permissions, though this is not mentioned. (Not sure, have not tested this, but your experience implies it is inherited.)

BTW, starting Fossil server with

    fossil server $REPOSITORY --scgi --localhost --port 8055

(adding the --scgi option) - and configuring lighttpd to treat Fossil as an SCGI service - will allow Fossil to know the user name as authenticated by lighttpd. (see Fossil as SCGI on https://www.fossil-scm.org/index.html/doc/trunk/www/server.wiki)

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] Fossil added to AstLinux
On Aug 28, 2015, at 11:40 AM, Ron W ronw.m...@gmail.com wrote:

> On Thu, Aug 27, 2015 at 9:47 PM, Lonnie Abelbeck li...@lonnie.abelbeck.com wrote:
>
>> On Aug 27, 2015, at 6:27 PM, Ron W ronw.m...@gmail.com wrote:
>>
>>> Why a and not d (developer)? Seems to me that would cover the needed permissions to manage the Astrix and AstLinux conf files.
>
> I meant 'v', not 'd' ('v' is developer permissions, which is a macro for the combined permissions assigned to 'developer', 'anonymous' and 'nobody'.)
>
>> Since the user has lighttpd's admin privileges under the AstLinux web interface, it seemed reasonable to us that a privileges in Fossil would be appropriate.
>>
>> Possibly we are allowing some privilege we really don't want, but in our testing things seemed appropriate.
>>
>> If there is some reference describing the extra permissions of 'a' vs. 'dei' I would appreciate it.
>
> #1 under Notes in the User admin page states that 'a' (Admin) permissions are Create and Delete Users. Since your user management is done outside Fossil, this would seem to not be needed.
>
> Apparently, 'a' inherits 'v' permissions, though this is not mentioned. (Not sure, have not tested this, but your experience implies it is inherited.)
>
> BTW, starting Fossil server with
>
>     fossil server $REPOSITORY --scgi --localhost --port 8055
>
> (adding the --scgi option) - and configuring lighttpd to treat Fossil as an SCGI service - will allow Fossil to know the user name as authenticated by lighttpd. (see Fossil as SCGI on https://www.fossil-scm.org/index.html/doc/trunk/www/server.wiki)

Thanks Ron! That is helpful, much appreciated.

Lonnie
Re: [fossil-users] Fossil added to AstLinux
On Wed, Aug 26, 2015 at 4:12 PM, Lonnie Abelbeck li...@lonnie.abelbeck.com wrote:

> Fossil hit our radar, and we wondered if it could be used to track changes to these configuration files in a way a non-developer type could easily understand.
>
> Long story short, success, Fossil is a gem !

Good to hear.

> Since any HTTPS access to /admin/fossil/ is authenticated by lighttpd, we set Fossil's nobody permissions to a (admin) and add the admin user for s (setup) permissions.

Why a and not d (developer)? Seems to me that would cover the needed permissions to manage the Astrix and AstLinux conf files.

> (Yes SourceForge SVN, our project is over 10 years old, old habits die hard :-) )

FYI, chiselapp.com provides Fossil hosting for open source projects.
Re: [fossil-users] Fossil added to AstLinux
Hi Ron,

On Aug 27, 2015, at 6:27 PM, Ron W ronw.m...@gmail.com wrote:

>> Since any HTTPS access to /admin/fossil/ is authenticated by lighttpd, we set Fossil's nobody permissions to a (admin) and add the admin user for s (setup) permissions.
>
> Why a and not d (developer)? Seems to me that would cover the needed permissions to manage the Astrix and AstLinux conf files.

Since the user has lighttpd's admin privileges under the AstLinux web interface, it seemed reasonable to us that a privileges in Fossil would be appropriate.

Possibly we are allowing some privilege we really don't want, but in our testing things seemed appropriate.

If there is some reference describing the extra permissions of 'a' vs. 'dei' I would appreciate it.

Lonnie
Re: [fossil-users] Fossil added to AstLinux
On Aug 26, 2015, at 2:12 PM, Lonnie Abelbeck li...@lonnie.abelbeck.com wrote:

> we wondered if it could be used to track changes to these configuration files in a way a non-developer type could easily understand.

Did you look at etckeeper, and if so, why did you reject it?

https://joeyh.name/code/etckeeper/

> Long story short, success, Fossil is a gem !

Glad to hear it! I’m sure there are many Fossil users who can’t or won’t tell how and why they are using it, so it is nice when someone decides to step out of the shadows.

> Since any HTTPS access to /admin/fossil/ is authenticated by lighttpd, we set Fossil's nobody permissions to a (admin) and add the admin user for s (setup) permissions.

Why? Does doing one require the other, or does it merely *allow* the other?

It seems to me that you had an opportunity to construct some defense-in-depth here, but chose instead to replace one defense layer with another, so that you still have a single point of failure.

> (Yes SourceForge SVN, our project is over 10 years old, old habits die hard :-) )

What with your newfound Fossil love and SourceForge turning evil,[1] maybe it’s time to consider self-hosting your project in Fossil.

I documented my process for migrating a 15-year-old svn repo to Fossil here, which has some advantages over the method described on the Fossil pages:

http://goo.gl/Zr6YQw

The attached script will require some local adjustment, but the code should be clear enough to make that straightforward.

[1] https://www.google.com/webhp?hl=en#hl=enq=sourceforge+evil
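The permission question raised in this thread ('a' versus 'v' for nobody, and the single-point-of-failure concern) can be checked mechanically. The following is an added example, not code from any poster or from the Fossil project. It assumes a simplified model of capability inheritance and a constructed user table holding only `login` and `cap` columns; the capability strings other than those quoted in the thread are constructed sample values.

```python
import sqlite3

# Simplified model (assumption): 'u' pulls in reader's caps, 'v' pulls in
# developer's, every request gets nobody's caps, and every logged-in user
# also gets anonymous's caps.
MACROS = {"u": "reader", "v": "developer"}
POWERFUL = set("as")  # admin and setup

def expand(caps, table, seen=()):
    """Expand 'u'/'v' macro letters into the caps of reader/developer."""
    out = set(caps)
    for letter, login in MACROS.items():
        if letter in caps and login not in seen:
            out |= expand(table.get(login, ""), table, seen + (login,))
    return out

def effective_caps(login, table):
    """Capabilities a request gets when it arrives as `login`."""
    caps = expand(table.get(login, ""), table)
    caps |= expand(table.get("nobody", ""), table)
    if login != "nobody":
        caps |= expand(table.get("anonymous", ""), table)
    return caps

def audit(conn):
    """Return {login: powerful caps} for pseudo-users needing no credentials."""
    table = dict(conn.execute("SELECT login, cap FROM user"))
    findings = {}
    for login in ("nobody", "anonymous"):
        risky = effective_caps(login, table) & POWERFUL
        if risky:
            findings[login] = sorted(risky)
    return findings

def sample_repo(nobody_cap):
    """Constructed stand-in for a repository's user table (login, cap only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user(login TEXT UNIQUE, cap TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", [
        ("admin", "s"), ("nobody", nobody_cap), ("anonymous", "hmnc"),
        ("reader", "kptw"), ("developer", "dei"),
    ])
    return conn

if __name__ == "__main__":
    print(audit(sample_repo("a")))  # configuration described in the thread
    print(audit(sample_repo("v")))  # alternative suggested in the thread
```

With nobody set to 'a', any request that reaches Fossil without passing through lighttpd's authentication is reported as carrying admin capability; with 'v' the audit comes back empty.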
Re: [fossil-users] Fossil added to AstLinux
Hi Warren,

On Aug 26, 2015, at 5:28 PM, Warren Young w...@etr-usa.com wrote:

> On Aug 26, 2015, at 2:12 PM, Lonnie Abelbeck li...@lonnie.abelbeck.com wrote:
>
>> we wondered if it could be used to track changes to these configuration files in a way a non-developer type could easily understand.
>
> Did you look at etckeeper, and if so, why did you reject it?
>
> https://joeyh.name/code/etckeeper/

I had not heard of etckeeper before, but seems to work around package managers, we don't have any.

The code we implemented to manage the fossil commit is quite small, we did not include any version control binary on our image until we added Fossil. Our images are like firmware and size matters, currently around 50 MB compressed.

>> Long story short, success, Fossil is a gem !
>
> Glad to hear it! I’m sure there are many Fossil users who can’t or won’t tell how and why they are using it, so it is nice when someone decides to step out of the shadows.
>
>> Since any HTTPS access to /admin/fossil/ is authenticated by lighttpd, we set Fossil's nobody permissions to a (admin) and add the admin user for s (setup) permissions.
>
> Why? Does doing one require the other, or does it merely *allow* the other?
>
> It seems to me that you had an opportunity to construct some defense-in-depth here, but chose instead to replace one defense layer with another, so that you still have a single point of failure.

AstLinux has its own web interface (PHP), we run Fossil's web interface within an HTML iframe. We do the same for Monit, Darkstat and phpLiteAdmin. This allows for one common set of admin credentials to access these services.

>> (Yes SourceForge SVN, our project is over 10 years old, old habits die hard :-) )
>
> What with your newfound Fossil love and SourceForge turning evil,[1] maybe it’s time to consider self-hosting your project in Fossil.
>
> I documented my process for migrating a 15-year-old svn repo to Fossil here, which has some advantages over the method described on the Fossil pages:
>
> http://goo.gl/Zr6YQw
>
> The attached script will require some local adjustment, but the code should be clear enough to make that straightforward.

Thanks for sharing! I'm sure that day will come. :-)

Lonnie