Permissions are a pest.
Basically, you need to make sure that all of those developers can write to everything in the git repo.
Skip down to The New-Wave Solution for the superior method of granting a group of developers write capability.
The Standard Solution
If you put all the developers in a specially-created group, you can, in principle, just do:
chgrp -R <whatever group> gitrepo
chmod -R g+swX gitrepo
Then change the umask
for the users to 002
, so that new files get created with group-writable permissions.
The problems with this are legion; if you’re on a distro that assumes a umask
of 022
(such as having a common users
group that includes everyone by default), this can open up security problems elsewhere. And sooner or later, something is going to screw up your carefully crafted permissions scheme, putting the repo out of action until you get root
access and fix it up (i.e., re-running the above commands).
The New-Wave Solution
A superior solution—though less well understood, and which requires a bit more OS/tool support—is to use POSIX extended attributes. I’ve only come to this area fairly recently, so my knowledge here isn’t as hot as it could be. But basically, an extended ACL is the ability to set permissions on more than just the 3 default slots (user/group/other).
So once again, create your group, then run:
setfacl -R -m g:<whatever group>:rwX gitrepo
find gitrepo -type d | xargs setfacl -R -m d:g:<whatever group>:rwX
This sets up the extended ACL for the group so that the group members can read/write/access whatever files are already there (the first line); then, also tell all existing directories that new files should have this same ACL applied (the second line).
Hope that gets you on your way.
The National Institute of Standards and Technology (NIST) has some good publications on computer security topics. They are great resources... the publication that you are looking for is NIST Special Publication 800-53. (Believe me, its not as bad as it sounds)
IMO a password policy should be something like this:
- 8 characters
- 3 of the following: capitals, lowercase, numbers, special characters
- no reuse of the last 12 passwords
- 30-90 day password expiration
Best Answer
Edit: Let's do this a little differently, then.
Assuming you're using the Windows 2003 version of Active Directory Users and Computers:
At the "Saved Queries" node at the top of AD, do a "New" / "Query".
Name the query whatever you'd like and supply a description if you'd like. In the query definition, choose the OU above the user accounts for the "Query root".
Click "Define Query". In the "Find Common Queries" dialog, choose "Has a value" from the drop-down list to the right of the "Name" caption on the "Users" tab. Click "OK" and "OK" again to define the query.
Highlight your newly-created query and right-click and choose "Refresh" (or press F5) if the query isn't populating the right pane.
Highlight users in the right-pane, right-click and choose "Properties". Go to the "Account" tab, click the lefthand checkbox beside "Password Never Expires" and leave the check-box to its right (which will become enabled after you click the lefthand check box) empty.