FusionForge

Difference between revisions of "User accounts"

From FusionForge Wiki

Revision as of 15:43, 22 September 2015

On the web front-end

Forge users are registered using a traditional login&password, with a verified e-mail address.

Numerous Plugins also exist to provide external authentication, e.g. via LDAP or CAS.

Shell accounts

FusionForge's security model is based directly on the Linux kernel, using POSIX user accounts (privilege separation).

This is done via libnss-pgsql, which automatically maps a shell account for each user in the PostgreSQL database, if they are part of a project.

Users can then securely access their repositories via SSH keys, and log in to manage their webpages files. If full login is not desirable, it is also possible to install a restricted shell such as rssh to limit shell access to e.g. Git, SVN and SFTP only.

Each project is similarly mapped to 3 POSIX groups:

  • projectname : access to group directory, including webpages
  • projectname_scmro : read-only access to source repositories
  • projectname_scmrw : read/write access to source repositories

User accounts have appropriate group memberships so they can only access projects for which they have RBAC permissions.

Important: users and groups are not created (i.e. no useradd) - they are directly mapped to the database through libnss-pgsql.
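The mapping described in this section, as an added example that is not part of the FusionForge code base: a small model of how forge users and projects become the POSIX users and groups that libnss-pgsql exposes, applying the page's criteria (users active and member of a project; projects approved; three groups per project). The role names "rw"/"ro" and the rule that only write roles land in the _scmrw group are assumptions standing in for the forge's RBAC rules.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    active: bool            # forge account status

@dataclass
class Project:
    name: str
    approved: bool          # only approved projects become POSIX groups
    # Constructed RBAC role per member (assumption): "rw" = commit, "ro" = read-only.
    members: dict = field(default_factory=dict)

def nss_groups(projects):
    """POSIX groups as listed on the page: <name>, <name>_scmro, <name>_scmrw (approved projects only)."""
    return [f"{p.name}{suffix}" for p in projects if p.approved
            for suffix in ("", "_scmro", "_scmrw")]

def nss_passwd(users, projects):
    """Shell accounts: users that are active and member of at least one project."""
    members = {u for p in projects for u in p.members}
    return sorted(u.name for u in users if u.active and u.name in members)

def nss_usergroups(users, projects):
    """Group memberships: members get the project group and _scmro;
    _scmrw is limited to members whose role grants write access (assumption)."""
    accounts = set(nss_passwd(users, projects))
    memberships = {}
    for p in projects:
        if not p.approved:
            continue                    # no groups exist for unapproved projects
        for user, role in p.members.items():
            if user not in accounts:
                continue                # inactive users get no memberships at all
            groups = [p.name, f"{p.name}_scmro"]
            if role == "rw":
                groups.append(f"{p.name}_scmrw")
            memberships.setdefault(user, []).extend(groups)
    return memberships

# Constructed sample data: carol is deactivated, "pending" is not yet approved.
USERS = [User("alice", True), User("bob", True), User("carol", False), User("dave", True)]
PROJECTS = [
    Project("webapp", True, {"alice": "rw", "bob": "ro", "carol": "rw"}),
    Project("pending", False, {"dave": "rw"}),
]

if __name__ == "__main__":
    for user, groups in nss_usergroups(USERS, PROJECTS).items():
        print(f"{user}: {' '.join(groups)}")
```

Run against the sample data, dave keeps a shell account (active, member of a project) but has no groups until "pending" is approved, and carol disappears from both views as soon as her account is deactivated.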

Web access to repositories

When accessing Git&SVN repositories through HTTPS, FusionForge uses mpm-itk, an Apache module, where each Apache process is run using the matching shell user account, with the appropriate group memberships.

In particular, repository hooks are securely run under the user's account (i.e. not apache/www-data).

Apache doesn't use the database for authentication because modules aren't easily available in all distros. Instead, FusionForge automatically generates:

  • /var/lib/fusionforge/scm-passwd: users and hashed password using .htpasswd format
  • /var/lib/fusionforge/scm-auth.inc: declares valid users with repo access (e.g. Git)
  • /var/lib/fusionforge/scmsvn-auth.inc: declares valid users specifically for SVN access due to mod-svn idiosyncrasies

FusionForge's daemon, fusionforge-systasksd, automatically regenerates the files and reloads Apache when new users and groups are added or removed, so that repository access is immediately active.

nscd

NSCD is the Name Service Cache Daemon. It is used to cache database results for users and groups mapping, for performance reasons. In the case of libnss-pgsql, it is necessary to install nscd to avoid an authentication loop when the database is installed on the same server as the shell server.

NSCD is provided either by nscd (part of glibc), or unscd, which is lighter and protects against bugs in NSS modules.

FusionForge's daemon, fusionforge-systasksd, automatically clears nscd's cache when new users and groups are added or removed, so that shell accounts are immediately active.

Database schema

You shouldn't need to go into these details, but in case you need to plug an external application to the database, here's some information.

Users and groups are mapped on the system as soon as they match the following criteria:

  • users: active, member of a project
  • groups: approved

When they do, they are added to the nss_* tables:

  • nss_passwd (view) : user accounts
  • nss_shadow (view) : generally unused, available if you have precise password-authentication needs
  • nss_groups (table) : groups for projects
  • nss_usergroups (table) : group memberships

See /etc/nss-pgsql.conf for the reference SQL queries.