Can I set up SSH access to my Linux box for
- a few developers working on different RoR and WordPress & PHP projects
- so they have rw access only to their projects?
If yes, can I set it up to run svn over SSH without write access to the svn repository directory for these developers?
-
You can have ssh restrict them to a chroot after login; see the ChrootDirectory directive in man sshd_config. You'll need to make sure all tools they need are available inside the chroot (there are several chroot tutorials on the net that explain that).
You probably also want to use a Match Group or Match User block in sshd_config then, if you don't want yourself locked into a chroot...
Subversion is a matter of configuring it right and making sure everything needed is available in their chroot. (You might want to use something like svnserve if you need different access rights for different users.)
Radek : really nice explanation ...
From JanC
-
Yes - set up a separate group for each project and the associated users and make the files associated with this group writeable/executable, not writeable/executable by others. The webserver should access the files/dirs as the 'other' user (so it needs to be readable for others, and also executable if it's a directory).
Directories for the project should have the group sticky bit set so that new files / directories are created as owned by that group.
Finally, it'd be good practice to restrict SSH access to these groups you've added.
Radek : @symcbean: but if others can read files, that means each project user can read every other project's files, right? I don't want them to be able to read anything but their project files...
symcbean : @Radek - you didn't state that was a requirement. There is no way to represent this using the Unix permissions model securely - since all files must be readable by the webserver - therefore while a particular developer cannot read files from another project directly, their code can.
From symcbean
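
An added example, not part of either answer: a shell function that audits a project tree against the permission scheme in the second answer (group-writable, not writable by others, readable by others for the webserver, and the setgid bit, which the answer calls the group sticky bit, on every directory). The function names and finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit one project directory against the per-project group scheme.
# audit_project_tree, check and the finding labels are illustrative names.

# check ROOT LABEL FIND-PREDICATES...: print "LABEL path" for every match.
check() {
    c_root=$1; c_label=$2; shift 2
    find "$c_root" "$@" | sed "s|^|$c_label |"
}

# Returns 0 if the tree is clean, 1 if there are findings, 2 on bad input.
audit_project_tree() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    findings=$(
        # Without setgid, new files get the creator's primary group, not the project group.
        check "$root" dir-missing-setgid -type d ! -perm -2000
        # Anything writable by 'other' is writable by every other project's developers.
        check "$root" writable-by-others \( -type f -o -type d \) -perm -0002
        # Project members collaborate through group write permission.
        check "$root" not-group-writable \( -type f -o -type d \) ! -perm -0020
        # The webserver runs as 'other': it needs r-x on directories and r on files.
        check "$root" dir-not-traversable-by-others -type d ! -perm -0005
        check "$root" file-not-readable-by-others -type f ! -perm -0004
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/project
if [ "$#" -gt 0 ]; then
    audit_project_tree "$1"
fi
```

A clean result only confirms the scheme as described; as the comment thread notes, files readable by 'other' stay readable to every local account, including other projects' code.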