Fossil Forum

unix user separation

(1) By Richard Bowden (sentinel) on 2022-01-18 06:51:49 [link] [source]

I am currently hosting a number of fossils behind a reverse proxy; each URL maps to a localhost on port 80xx.

Each fossil is running as: fossil server --port 8081 --localhost --https /home/{user}/myfossil.fossil

Currently each fossil server runs under a separate unix user. The proxy is running under its own user.

This does work, but I am doubting the fossil repo separation by unix user accounts... Does anyone have any comments or thoughts about this? My gut is saying just use one fossil unix user to simplify things. Though I am not sure... posting here, as having the discussion with myself is not going anywhere :)

(2.1) By Stephan Beal (stephan) on 2022-01-18 07:08:49 edited from 2.0 in reply to 1 [source]

> currently each fossil server runs under a separate unix user.

If you're doing that for a sense of security, it's generally unnecessary and administratively cumbersome. Each repository is its own sandbox and you can make each completely private, only visible to logged-in users. i host about 50 repos on my server, all living in the same directory and each accessed via its own CGI wrapper script (though many people prefer the directory-serving mode, i prefer to keep the repo files themselves stored outside of the web-accessible storage).

(3) By Warren Young (wyoung) on 2022-01-18 16:30:52 in reply to 1 [link] [source]

Are these users interactive accounts? Can anyone SSH into them and do things with the one Fossil repo file they own?

(4) By Roy Keene (rkeene) on 2022-01-18 17:47:30 in reply to 1 [link] [source]

ChiselApp.com uses the CGI mode with each ChiselApp.com user running as its own user ID and within a chroot and some resource limits applied.

Since Fossil's web UI can reach out to the OS for things like SSH, mail in various ways, Tcl support (enabled on ChiselApp.com), and login groups, this isolation keeps ChiselApp.com users from interfering with each other and seems like it could do the same for your users (although, they could still see OS files if you didn't chroot).

The way in which ChiselApp.com does this is here: https://chiselapp.com/user/rkeene/repository/flint/dir?ci=trunk&name=scripts/fossil-as-user&type=tree
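
An added example, not part of any post in this thread and not taken from ChiselApp.com's scripts: a small audit for the one-unix-user-per-repository layout discussed above. It checks the three things the thread turns on: whether a service account can log in interactively, whether a repository file is accessible beyond its owner, and whether two repositories share an owner. The function names, account names and sample passwd lines are constructed, and the owner-only file mode is an assumed policy.

```shell
#!/bin/sh
# Added example: audit per-repository Fossil service accounts.
# All function and account names are hypothetical.

# flag_interactive PASSWD_FILE
# Print accounts in a passwd(5)-format file whose login shell allows an
# interactive session (anything not ending in /nologin or /false).
flag_interactive() {
    awk -F: '
        /^#/ || NF < 7 { next }
        $7 !~ /\/(nologin|false)$/ { print $1 }
    ' "$1"
}

# flag_loose_repos FILE...
# Print each repository file that grants any permission to group or other,
# followed by those six permission characters (assumed policy: owner only).
flag_loose_repos() {
    for repo in "$@"; do
        bits=$(ls -ld -- "$repo" | cut -c5-10)
        [ "$bits" = "------" ] || printf '%s %s\n' "$repo" "$bits"
    done
}

# flag_shared_owners FILE...
# Print "UID COUNT" for every numeric owner that holds more than one of the
# given repositories, i.e. where the per-user separation has collapsed.
flag_shared_owners() {
    ls -ldn -- "$@" |
        awk '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u, n[u] }'
}

# Demo on constructed data: run this file with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' \
        'fossil-a:x:2001:2001::/home/fossil-a:/usr/sbin/nologin' \
        'fossil-b:x:2002:2002::/home/fossil-b:/bin/bash' > "$d/passwd"
    : > "$d/a.fossil"; chmod 600 "$d/a.fossil"
    : > "$d/b.fossil"; chmod 644 "$d/b.fossil"
    echo "interactive accounts:"; flag_interactive "$d/passwd"
    echo "loose repositories:";   flag_loose_repos "$d"/*.fossil
    echo "shared owners:";        flag_shared_owners "$d"/*.fossil
    rm -rf "$d"
fi
```

On a real host, pass the output of `getent passwd` for the service accounts and the actual repository paths in place of the constructed files.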