[p4] Closing down permissions on all a depot metadata

Robert Cowham robert at vaccaperna.co.uk
Thu May 18 01:47:10 PDT 2006


You have hit on a Perforce protections weakness: changelist existence and
comments (and jobs) are always available - you may not be able to see the
files in a changelist due to permissions, but you can certainly see the rest
of the changelist which can be very enlightening!

Yes, the only real option is to have a separate Repository.

I have had this conversation with Perforce, and the answer was along the
lines of - well the performance hit would be large to implement proper
security, and we think our customers care more about performance than they
do about security.

Of course if that equation changes (or at least Perforce's perception of
it!) then who knows...

As an aside, there is no point having an exclude line at the start of your
protections table - it has no effect, since until you give them access
people have no access (i.e. you can't take away what they haven't yet got!).
That said, it doesn't hurt - it's just unnecessary.

Robert

> I would like to remove permissions on a depot in such a way 
> that without an explicit granted access, no user would be 
> able to access any files **nor any metadata** on this depot.
> 
> I have a group called p4users which actually only lists all 
> other groups as subgroups, thus making sure it contains all users.
> The first lines of p4 protect are:
>     list user remote * -//...
>     list group p4users * -//...
> The server security level is set to 2.
> 
> Now, if I log in as a non-privileged user, issuing "p4 
> depots" she will not see a depot for which she has not been 
> granted permissions by a subsequent p4 protect entry. This is fine.
> Unfortunately, "p4 changes" will display all changelists 
> along with their descriptions to this user, even for 
> changelists that contained files in non-accessible depots. 
> Granted, the files she doesn't have access to will not be 
> listed in "p4 describe", but the changelist's description 
> will still be readable: this information alone can sometimes 
> give too much :-)
> 
> I am thinking that the only way to provide some real metadata 
> isolation is to run multiple perforce servers, possibly using P4AUTH?
> 
> What is your opinion on this setup? Did I miss something obvious?
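
The aside about a leading exclusion line, worked through as an added example (not part of the original message and not Perforce's own code). It is a simplified model of protections-table evaluation that ignores the host field and `=` rights; the grant lines, the group `dev` and the depot names are assumptions.

```python
import re

LEVELS = ["list", "read", "open", "write", "admin", "super"]

def to_regex(path):
    # "..." spans directories, "*" stays within one path component
    parts = re.split(r"(\.\.\.|\*)", path)
    return re.compile("".join(
        ".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p) for p in parts) + r"\Z")

def parse(table):
    rows = []
    for line in filter(str.strip, table.splitlines()):
        level, kind, name, _host, path = line.split()  # host is ignored in this model
        rows.append((level, kind, name, path.startswith("-"), to_regex(path.lstrip("-"))))
    return rows

def access(rows, user, groups, depot_path):
    """Highest level the table leaves `user` with on depot_path, or None."""
    granted = None                      # nothing is granted until a line grants it
    for level, kind, name, exclude, rx in rows:
        applies = name in ("*", user) if kind == "user" else name in groups
        if not applies or not rx.match(depot_path):
            continue
        if exclude:
            granted = None              # an exclusion can only remove earlier grants
        elif granted is None or LEVELS.index(level) > LEVELS.index(granted):
            granted = level
    return granted

# Constructed tables: the two exclusion lines come from the quoted post;
# the grants, the group "dev" and the depot names are hypothetical.
GRANTS = "read group p4users * //public/...\nwrite group dev * //secret/...\n"
WITH_LEADING = "list user remote * -//...\nlist group p4users * -//...\n" + GRANTS
TRAILING = GRANTS + "list group p4users * -//secret/...\n"

PROBES = [
    ("alice", {"p4users", "dev"}, "//secret/src/a.c"),
    ("bob", {"p4users"}, "//secret/src/a.c"),
    ("bob", {"p4users"}, "//public/doc/readme"),
    ("remote", set(), "//public/doc/readme"),
]

def results(table):
    rows = parse(table)
    return [access(rows, user, groups, path) for user, groups, path in PROBES]

if __name__ == "__main__":
    for label, table in [("grants only", GRANTS), ("leading", WITH_LEADING), ("trailing", TRAILING)]:
        print(label, results(table))
```

The leading exclusions leave every probe unchanged, while the same kind of exclusion placed after the grants removes alice's write access. The model covers file access only, not changelist descriptions.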

