Thomas Stover <c...@thomasstover.com> wrote:
>On Thu, 31 May 2012 13:44:52 +1000
>"Chen, Zon" wrote:
>> So ideally we want to be able to limit Fossil's Administrator account
>> to only work from the local PC (or better yet, from LAN only.)
>ok that makes sense. I do know that you can "unlock" the admin account
>by just doing a "fossil ui" on it locally, which I have done when I
>have just forgotten the password. I'd like to see what the other
>answers turn out to be.

My understanding is that the "fossil serve" mode is meant more for very 
lightweight or ad-hoc usage, and it's recommended that you put a server in 
front of (i.e. - an http server via cgi, or inetd, or some such) fossil for 
heavier work. Pretty much required if you want consistent access to multiple 
repositories. Maybe that's wrong for the windows version, or out of date, or I 
misunderstood something. But because of that, I expect it to punt hardcore 
security issues to that "other" server.

I just today set up a half-dozen repositories for a client behind lighttpd, 
using the cgi mode with the recommended fossil script pointed at the directory 
the repositories reside in. We set remote_user_ok (I think that's it - fossil 
will log you in as the httpd user name if it has a user by that name). We let 
the httpd daemon handle auth, and only create users in the repositories we want 
them to have access to. The downside is we have to create an extra user. The 
upside is we get a single signon for all our repositories.

We didn't create an httpd account for the admin user.  This means you can't log 
in as the admin user at the browser auth point that users normally see. I think 
you can log in as a user with httpd access, then log into a repository as 
admin, but that may only work if the user doesn't have access to the 
repository, or if you log out of fossil first.

If you wanted to allow admin access from the LAN as well as localhost, you'd 
set up the http auth so that admin had an account, but could only log in from 
the LAN.

Come to think of it, I did something very similar with svn served by apache. 
Apache's auth handled restricting access into the repository to members of 
apache groups.
-- 
Sent from my Android tablet. Please excuse my swyping.
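The setup described in the mail above, written out as an added example (not configuration from the original message or from the Fossil project): lighttpd runs a single Fossil CGI wrapper that serves every repository under one directory, lighttpd's mod_auth performs the login, and the LAN check is done with a client-address conditional so that the "admin" account can only be presented from inside. The repository path, the LAN range, the user names and the wrapper file name are assumptions; the `directory:` wrapper form and the `remote_user_ok` setting are the ones the mail refers to.

```conf
# Added example, not from the original mail or from the Fossil project.
# Assumptions: repositories live in /srv/fossil/repos, the LAN is
# 192.168.1.0/24, and /srv/fossil/fossil.cgi is the Fossil CGI wrapper:
#     #!/usr/bin/fossil
#     directory: /srv/fossil/repos
#     notfound: https://example.invalid/
# Each repository has "remote_user_ok" switched on, so the REMOTE_USER
# that mod_auth sets becomes the Fossil login without a second prompt.

server.modules += ( "mod_auth", "mod_cgi", "mod_alias" )

# /fossil/<repo>/... is handed to the one wrapper; Fossil picks the
# repository file out of PATH_INFO.
alias.url += ( "/fossil" => "/srv/fossil/fossil.cgi" )

auth.backend                   = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/lighttpd/fossil.htpasswd"

$HTTP["url"] =~ "^/fossil" {
    # execute the wrapper via its own #! line rather than an interpreter map
    cgi.assign = ( "" => "" )

    $HTTP["remoteip"] == "192.168.1.0/24" {
        # inside the LAN: any account in the htpasswd file, "admin" included
        auth.require = ( "/fossil" => (
            "method"  => "basic",
            "realm"   => "Fossil",
            "require" => "valid-user"
        ) )
    } else {
        # from anywhere else: an explicit allow-list that leaves "admin" out,
        # so the admin credentials are never even accepted at the door
        auth.require = ( "/fossil" => (
            "method"  => "basic",
            "realm"   => "Fossil",
            "require" => "user=alice|user=bob"
        ) )
    }
}
```

Two things to check when copying this pattern: with `remote_user_ok` on, Fossil trusts whatever REMOTE_USER the web server hands it, so the CGI wrapper must not be reachable by any path that bypasses the `auth.require` block (a second vhost, a direct `fossil server` port, or a file listing that exposes the wrapper); and basic auth sends the password on every request, so the site should only be served over TLS. The allow-list in the `else` branch is what actually keeps "admin" off the Internet; a Fossil user who is missing from that list gets a 401 from lighttpd before Fossil ever sees the request.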
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users