Linux Archive > Gentoo > Gentoo User

 
 
 
09-26-2011, 08:01 PM
Grant

{OT} Development framework with access restriction?

I'd like to hire a freelancer to work on my website. I don't want to
provide access to all of my code, but instead only the particular file
or files being worked on. Does anyone know of a development framework
that would help facilitate that sort of thing? Would no shell access
along with restricted SFTP access be the simplest, safest, most
effective way to go?

- Grant
 
09-26-2011, 09:37 PM
Michael Orlitzky

{OT} Development framework with access restriction?

On 09/26/11 16:01, Grant wrote:
> I'd like to hire a freelancer to work on my website. I don't want to
> provide access to all of my code, but instead only the particular file
> or files being worked on. Does anyone know of a development framework
> that would help facilitate that sort of thing? Would no shell access
> along with restricted SFTP access be the simplest, safest, most
> effective way to go?

Why not just send him the stuff he should be working on? He can run his
own Apache/PHP/whatever on his development machine. When he's done, he
can send you a tarball of the site files and maybe a SQL dump if you're
using a database.

That's the easiest one-off solution. If you're looking for something
more permanent, another idea is to have a "public" git repo somewhere
while the developers all work on their own workstations. SQL changes can
be made via numbered migrations, e.g.,

001-create_users_table.sql
002-create_nodes_table.sql
003-disregard_that_drop_users_table.sql

and devs can push everything to the git repo, as long as it's a
fast-forward (so they can't trash the repo history).

Once you're ready to move something live, an admin logs in to the
production box, does a `git pull`, and then runs the migrations or makefile.
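
The numbered-migration step described in the post above, as an added example that is not part of the original message or of any project's code. It assumes SQLite (via Python's `sqlite3`) as a stand-in for the site's database and a hypothetical `schema_migrations` bookkeeping table; it refuses duplicate numbers and files inserted below an already-applied number.

```python
import re
import sqlite3
from pathlib import Path

# Naming convention from the post: three digits, a dash, a description.
NAME_RE = re.compile(r"^(\d{3})-([A-Za-z0-9_]+)\.sql$")

def pending_migrations(conn, directory):
    """Return [(number, path)] for migrations not yet applied, in numeric order."""
    # schema_migrations is a hypothetical bookkeeping table (assumption).
    conn.execute("CREATE TABLE IF NOT EXISTS schema_migrations "
                 "(number INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    applied = {row[0] for row in conn.execute("SELECT number FROM schema_migrations")}
    found = {}
    for path in Path(directory).iterdir():
        match = NAME_RE.match(path.name)
        if not match:
            continue  # not a migration file
        number = int(match.group(1))
        if number in found:
            raise ValueError(f"two migrations share number {number:03d}")
        found[number] = path
    # A new file numbered below an applied one was slipped into the past;
    # running it now would give production a different history than dev.
    highest = max(applied, default=0)
    late = sorted(n for n in found if n not in applied and n < highest)
    if late:
        raise ValueError(f"migration {late[0]:03d} is older than applied {highest:03d}")
    return [(n, found[n]) for n in sorted(found) if n not in applied]

def migrate(conn, directory):
    """Apply pending migrations one by one; return the file names applied."""
    done = []
    for number, path in pending_migrations(conn, directory):
        conn.executescript(path.read_text())  # a file may hold several statements
        conn.execute("INSERT INTO schema_migrations VALUES (?, ?)", (number, path.name))
        conn.commit()
        done.append(path.name)
    return done
```
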
 
09-27-2011, 11:27 AM
Mick

{OT} Development framework with access restriction?

On Monday 26 Sep 2011 22:37:10 Michael Orlitzky wrote:
> On 09/26/11 16:01, Grant wrote:
> > I'd like to hire a freelancer to work on my website. I don't want to
> > provide access to all of my code, but instead only the particular file
> > or files being worked on. Does anyone know of a development framework
> > that would help facilitate that sort of thing? Would no shell access
> > along with restricted SFTP access be the simplest, safest, most
> > effective way to go?
>
> Why not just send him the stuff he should be working on? He can run his
> own Apache/PHP/whatever on his development machine. When he's done, he
> can send you a tarball of the site files and maybe a SQL dump if you're
> using a database.
>
> That's the easiest one-off solution. If you're looking for something
> more permanent, another idea is to have a "public" git repo somewhere
> while the developers all work on their own workstations. SQL changes can
> be made via numbered migrations, e.g.,
>
> 001-create_users_table.sql
> 002-create_nodes_table.sql
> 003-disregard_that_drop_users_table.sql
>
> and devs can push everything to the git repo, as long as it's a
> fast-forward (so they can't trash the repo history).
>
> Once you're ready to move something live, an admin logs in to the
> production box, does a `git pull`, and then runs the migrations or
> makefile.

Or, create a demo-site (in a subdomain blocked by robots.txt so that your
google rankings are not messed up) and let him rip. Then diff the live and
demo files to see what's been changed? The demo can have different passwds
and what not to ensure access controls as necessary.
--
Regards,
Mick
 
09-27-2011, 12:19 PM
Jonas de Buhr

{OT} Development framework with access restriction?

>I'd like to hire a freelancer to work on my website. I don't want to
>provide access to all of my code, but instead only the particular file
>or files being worked on. Does anyone know of a development framework
>that would help facilitate that sort of thing? Would no shell access
>along with restricted SFTP access be the simplest, safest, most
>effective way to go?

svn can restrict access to directories

http://stackoverflow.com/questions/2288810/how-to-restrict-svn-repository-user-account-to-one-directory
 
09-29-2011, 01:18 AM
Grant

{OT} Development framework with access restriction?

>> I'd like to hire a freelancer to work on my website. I don't want to
>> provide access to all of my code, but instead only the particular file
>> or files being worked on. Does anyone know of a development framework
>> that would help facilitate that sort of thing? Would no shell access
>> along with restricted SFTP access be the simplest, safest, most
>> effective way to go?
>
> Why not just send him the stuff he should be working on? He can run his
> own Apache/PHP/whatever on his development machine. When he's done, he
> can send you a tarball of the site files and maybe a SQL dump if you're
> using a database.

The problem with that is he will need to test his code in the working
system. I need a way for him to be able to read/write to a certain
file or files within the working system, but have no read/write access
to any other files in the system.

Is SFTP perhaps the way to go for this?

- Grant


> That's the easiest one-off solution. If you're looking for something
> more permanent, another idea is to have a "public" git repo somewhere
> while the developers all work on their own workstations. SQL changes can
> be made via numbered migrations, e.g.,
>
> 001-create_users_table.sql
> 002-create_nodes_table.sql
> 003-disregard_that_drop_users_table.sql
>
> and devs can push everything to the git repo, as long as it's a
> fast-forward (so they can't trash the repo history).
>
> Once you're ready to move something live, an admin logs in to the
> production box, does a `git pull`, and then runs the migrations or makefile.
 
09-29-2011, 01:23 AM
Grant

{OT} Development framework with access restriction?

>>I'd like to hire a freelancer to work on my website. I don't want to
>>provide access to all of my code, but instead only the particular file
>>or files being worked on. Does anyone know of a development framework
>>that would help facilitate that sort of thing? Would no shell access
>>along with restricted SFTP access be the simplest, safest, most
>>effective way to go?
>
> svn can restrict access to directories
>
> http://stackoverflow.com/questions/2288810/how-to-restrict-svn-repository-user-account-to-one-directory

That would be perfect if it allowed access per file instead of per
directory. I thought about re-arranging the layout to accommodate
that limitation but I don't think it makes sense.

- Grant
 
09-29-2011, 02:23 AM
Grant

{OT} Development framework with access restriction?

>>> I'd like to hire a freelancer to work on my website. I don't want to
>>> provide access to all of my code, but instead only the particular file
>>> or files being worked on. Does anyone know of a development framework
>>> that would help facilitate that sort of thing? Would no shell access
>>> along with restricted SFTP access be the simplest, safest, most
>>> effective way to go?
>>
>> Why not just send him the stuff he should be working on? He can run his
>> own Apache/PHP/whatever on his development machine. When he's done, he
>> can send you a tarball of the site files and maybe a SQL dump if you're
>> using a database.
>
> The problem with that is he will need to test his code in the working
> system. I need a way for him to be able to read/write to a certain
> file or files within the working system, but have no read/write access
> to any other files in the system.
>
> Is SFTP perhaps the way to go for this?
>
> - Grant

For some reason I thought SFTP would provide access control but now
I'm thinking it's just like SSH in that access control is based on
file ownership and permissions? If that's the case, can anyone think
of a better way to control remote access to my files than chmod/chown?
I think it would be nice if the access control were built into the
transport mechanism, version control system, or something else already
in use, but it doesn't sound like that's going to happen.

- Grant


>> That's the easiest one-off solution. If you're looking for something
>> more permanent, another idea is to have a "public" git repo somewhere
>> while the developers all work on their own workstations. SQL changes can
>> be made via numbered migrations, e.g.,
>>
>> 001-create_users_table.sql
>> 002-create_nodes_table.sql
>> 003-disregard_that_drop_users_table.sql
>>
>> and devs can push everything to the git repo, as long as it's a
>> fast-forward (so they can't trash the repo history).
>>
>> Once you're ready to move something live, an admin logs in to the
>> production box, does a `git pull`, and then runs the migrations or makefile.
 
09-29-2011, 06:43 AM
Jonas de Buhr

{OT} Development framework with access restriction?

>> svn can restrict access to directories
>>
>> http://stackoverflow.com/questions/2288810/how-to-restrict-svn-repository-user-account-to-one-directory
>
>That would be perfect if it allowed access per file instead of per
>directory. I thought about re-arranging the layout to accommodate
>that limitation but I don't think it makes sense.

do you not want him to change it or do you not want him to be able to
read your code?

if you do not want him to read your code i'm guessing that's because of
hardcoded DB-passwords etc?
move them into config files. or checkout a working copy and replace the
passwords with dummy strings.

if you just don't want him to change your code (or after you cleaned
out the things he is not allowed to read) you could import it into git,
have him clone the repository and make all his changes/developments.
then pull his changes and *carefully* observe the merge to make sure
nothing of your code gets changed.
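
One way to make the "carefully observe the merge" step in the post above mechanical, as an added example that is not part of the original message: compare the paths the freelancer's branch touched against an allowlist before merging. The sample diff output and the file names in `SAMPLE` and `ALLOWED` are constructed, and paths are assumed to contain no tabs or newlines.

```python
import subprocess

def parse_name_status(output):
    """Yield (status, path) for every path a diff touches.

    Rename/copy lines ("R090<TAB>old<TAB>new") touch two paths, so both
    the source and the destination are yielded.
    """
    for line in output.splitlines():
        if not line.strip():
            continue
        status, *paths = line.split("\t")
        for path in paths:
            yield status[0], path

def violations(output, allowed):
    """Return sorted (status, path) pairs that fall outside the allowlist."""
    allowed = set(allowed)
    return sorted({(s, p) for s, p in parse_name_status(output) if p not in allowed})

def review_branch(repo, base, theirs, allowed):
    """Report out-of-scope changes on `theirs` since it forked from `base`."""
    out = subprocess.run(
        ["git", "-C", repo, "diff", "--name-status", "-M", f"{base}...{theirs}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return violations(out, allowed)

# Constructed sample of `git diff --name-status -M` output (not a real repository).
SAMPLE = (
    "M\tcheckout/cart.php\n"
    "M\tlib/db.php\n"
    "R090\tcheckout/tax.php\tlib/tax.php\n"
    "A\tcheckout/coupon.php\n"
)
# Hypothetical files the freelancer was hired to work on.
ALLOWED = ["checkout/cart.php", "checkout/coupon.php"]

if __name__ == "__main__":
    for status, path in violations(SAMPLE, ALLOWED):
        print(f"out of scope: {status} {path}")
```

An empty result means every touched path was on the allowlist; this only bounds what gets merged, not what the freelancer could read.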
 
09-29-2011, 06:57 AM
Jonas de Buhr

{OT} Development framework with access restriction?

>> The problem with that is he will need to test his code in the working
>> system.

why in the production system?

>>I need a way for him to be able to read/write to a certain
>> file or files within the working system, but have no read/write
>> access to any other files in the system.
>>
>> Is SFTP perhaps the way to go for this?
>>
>> - Grant
>
>For some reason I thought SFTP would provide access control but now
>I'm thinking it's just like SSH in that access control is based on
>file ownership and permissions?

yes.

> If that's the case, can anyone think
>of a better way to control remote access to my files than chmod/chown?

someone already did
http://www.gentoo-wiki.info/HOWTO_Use_filesystem_ACLs

> I think it would be nice if the access control were built into the
>transport mechanism, version control system, or something else already
>in use, but it doesn't sound like that's going to happen.

it's certainly possible to control the write access with ACLs. read
access however is a different story because as soon as his code runs in
the context of the webrowser he will likely be able to read the rest of
the code.
 
09-29-2011, 07:32 AM
Mick

{OT} Development framework with access restriction?

On Thursday 29 Sep 2011 07:57:49 Jonas de Buhr wrote:
> >> The problem with that is he will need to test his code in the working
> >> system.
>
> why in the production system?
>
> >>I need a way for him to be able to read/write to a certain
> >>
> >> file or files within the working system, but have no read/write
> >> access to any other files in the system.
> >>
> >> Is SFTP perhaps the way to go for this?
> >>
> >> - Grant
> >
> >For some reason I thought SFTP would provide access control but now
> >I'm thinking it's just like SSH in that access control is based on
> >file ownership and permissions?
>
> yes.
>
> > If that's the case, can anyone think
> >
> >of a better way to control remote access to my files than chmod/chown?
>
> someone already did
> http://www.gentoo-wiki.info/HOWTO_Use_filesystem_ACLs
>
> > I think it would be nice if the access control were built into the
> >
> >transport mechanism, version control system, or something else already
> >in use, but it doesn't sound like that's going to happen.
>
> it's certainly possible to control the write access with ACLs. read
> access however is a different story because as soon as his code runs in
> the context of the webrowser he will likely be able to read the rest of
> the code.

I'm not sure if you are overcomplicating this by trying to use Unix
permissions. Have you instead considered webdav? You can restrict this to
particular (apache) users/groups, directories, files. It also uses lockfiles
so two users editing a file simultaneously will cause a warning when you
try to save it.
--
Regards,
Mick
 

All times are GMT.