SQLITE_NOTICE(283): recovered 2 frames from WAL file /home/hwaci/fossil/fossil.fossil-wal

Fossil: Differences Between Setup and Admin User

Fossil

Differences Between Setup and Admin User
Login

This document explains the distinction between Setup users and Admin users. For other information about use types, see:

Philosophical Core

The Setup user "owns" the Fossil repository and may delegate a subset of that power to one or more Admin users.

The Setup user can grant Admin capability and take it away, but Admin users cannot grant themselves Setup capability, either directly via the Admin → Users UI page or via any indirect means. (If you discover indirect means to elevate Admin privilege to Setup, it's a bug, so please report it!)

It is common for the Setup user to have administrative control over the host system running the Fossil repository, whereas it makes no sense for Admin users to have that ability. If an Admin-only user had root access on a Linux box running the Fossil instance they are an Admin on, they could elevate their capability to Setup in several ways. (The fossil user command, the fossil sql command, editing the repository DB file directly, etc.) Therefore, if you wish to grant someone Setup-like capability on a Fossil repository but you're unwilling to give them a login on the host system, you probably want to grant them Admin capability instead.

Admin power is delegated from Setup. When a Setup user grants Admin capability, it is an expression of trust in that user's judgement.

Admin-only users must not fight against the policies of the Setup user. Such a rift would be just cause for the Setup user to strip the Admin user's capabilities. This may then create a fork in the project’s development effort as the ex-Admin takes their clone and stands it up elsewhere, so they may become that fork’s Setup user.

A useful rule of thumb here is that Admin users should only change things that the Setup user has not changed from the stock configuration. In this way, an Admin-only user can avoid overriding the Setup user's choices.

You can also look at the role of Admin from the other direction, up through the user power hierarchy rather than down from Setup. An Admin user is usually a “super-developer” role, given full control over the repository’s managed content: versioned artifacts in the block chain, unversioned content, forum posts, wiki articles, tickets, etc.

We’ll explore these distinctions in the rest of this document.

No Granularity

Fossil doesn’t make any distinction between these two user types beyond this binary choice: Setup or Admin.

A few features of Fossil are broken down so that only part of the feature is accessible to Admin, with the rest left only to Setup users, but for the most part each feature affected by this distinction is either Admin + Setup or Setup-only.

We could add more capability letters to break down individual sub-features, but we’d run out of ASCII alphanumerics pretty quickly, and we might even run out of ASCII punctuation and symbols. Then would we need to shift to Unicode?

Consider the Admin → Settings page, which is currently restricted to Setup users only: you might imagine breaking this up into several subsets so that some settings can be changed by Admin users. Is that a good idea? Maybe, but it should be done only after due consideration. It would definitely be wrong to assign a user capability bit to each setting on that page.

Now consider the opposite sort of case, Admin → Skins. Fossil grants Admin users full access to this page so that the Admins can maintain and extend the skin as the repository evolves, not so Admins can switch the entire skin to another without consulting with the Setup user first. How would Fossil decide, using user capabilities only, which skin changes the Admin user is allowed to do, and which must be left to Setup? Do we assign a separate capability letter to each step in /setup_skin? Do we assign one more each to the five sections of a skin? (Header, Footer, CSS, JavaScript, and Details.) It quickly becomes unmanageable.

Capability Groups

We can break up the set of powers the Admin user capability grants into several groups, then defend each group as a coherent whole.

Security

While establishing the Fossil repository's security policy is a task for the Setup user, maintaining that policy is something that Fossil allows a Setup user to delegate to trustworthy users via the Admin user capability:

Some security-conscious people might be bothered by the fact that Admin-only users have these abilities. Think of a large IT organization: if the CIO hires a tiger team to test the company's internal IT defenses, the line grunts fix the reported problems, not the CIO.

Administrivia

It is perfectly fine for a Fossil repository to only have Setup users, no Admin users. The smaller the repository, the more likely the repository has no Admin-only users. If the Setup user neither needs nor wants to grant Admin power to others, there is no requirement in Fossil to do so. Setup capability is a pure superset of Admin capability.

As the number of users on a Fossil repository grows, the value in delegating administrivia also grows, because the Setup user typically has other time sinks they consider more important.

Admin users can take over the following routine tasks on behalf of the Setup user:

Cosmetics

While the Setup user is responsible for setting up the initial "look" of a Fossil repository, the Setup user entrusts Admin users with maintaining that look. An Admin-only user therefore has the following special abilities:

These capabilities allow an Admin-only user to affect the branding and possibly even the back-end finances of a project. This is why we began this document with a philosophical discussion: if you cannot entrust a user with these powers, you should not grant that user Admin capability.

Clones and Backups

Keep in mind that Fossil is a distributed version control system, which means that a user known to Fossil might have Setup capability on one repository but be a mere "user" on one of its clones. The most common case is that when you clone a repository, even anonymously, you gain Setup power over the local clone.

The distinctions above therefore are intransitive: they apply only within a single repository instance.

The exception to this is when the clone is done as a Setup user, since this also copies the user table on the initial clone. A user with Setup capability can subsequently say fossil conf pull all to update that table and everything else not normally synchronized between Fossil repositories. In this way, a Setup user can create multiple interchangeable clones. This is useful not only to guard against rogue Admin-only users, it is a useful element of a load balancing and failover system.

The All-Powerful Setup User

Setup users get every user capability of Fossil except for two exceptionally dangerous capabilities, which they can later grant to themselves or to others.

In addition, Setup users can use every feature of the Fossil UI. If Fossil can do a thing, a Setup user on that repo can make Fossil do it.

Setup users can do many things that Admin users cannot:

The “Admin” feature of Fossil UI is so-named because Admin users can use about half of its functions, but only Setup can use these pages:

Just remember, [user caps affect Fossil’s web interfaces only][webo]. A user is a Setup user by default on their local clone of a repo, and Fossil’s ability to protect itself against malicious (or even simply incorrect) pushes is limited. Someone with clone and push capability on your repo could clone it, modify their local repo, and then push the changes back to your repo. Be careful who you give that combination of capabilities to!

When you run fossil ui, you are the Setup user on that repo through that UI instance, regardless of the capability set defined in the repo’s user table. This is true even if you cloned a remote repo where you do not have Setup caps. This is why ui always binds to localhost without needing the --localhost flag: in this mode, anyone who can connect to that repo’s web UI has full power over that repo.

Dangerous Capabilities Initially Denied to Everyone

There are two capabilities that Fossil doesn’t grant by default to Setup or Admin users automatically. They are exceptionally dangerous, so Fossil makes these users grant themselves (or others) these capabilities deliberately, hopefully after careful consideration.

Write Unversioned

Fossil currently doesn’t distinguish the sub-operations of fossil uv; they’re all covered by WrUnver (“y”) capability. Since some of these operations are unconditionally destructive due to the nature of unversioned content, and since this goes against Fossil’s philosophy of immutable history, nobody gets cap “y” on a Fossil repo by default, not even the Setup or Admin users. A Setup or Admin user must grant cap “y” to someone — not necessarily themselves! — before modifications to remote unversioned content are possible.

Operations on unversioned content made without this capability affect your local clone only. In this way, your local unversioned file table can have different content from that in its parent repo. This state of affairs will continue until your user either gets cap “y” and syncs that content with its parent or you say fossil uv revert to make your local unversioned content table match that of its parent repo.

Private Branch Push

For private branches to remain private, they must never be accidentally pushed to a public repository. It can be difficult to impossible to recover from such a mistake, so nobody gets Private (“x”) capability on a Fossil repo by default, not even Admin or Setup users.

There are two common uses for private branches.

One use is part of a local social contract allowing individual developers to work on some things in private until they’re ready to push them up to the parent repository. This goes against a core tenet of Fossil’s design philosophy, but Fossil allows it, so some development organizations do this. If yours is one of these, you might give cap “x” to the “developer” category.

The other use is in development organizations that follow the Fossil philosophy, where you do not work in private unless you absolutely must. You may have a public-facing project — let’s call it “SQLite” for the sake of argument — but then someone comes along and commissions a custom modification to your project which they wish to keep proprietary. You do your work on a private branch, which you absolutely must never push to the public repo, because that would be illegal. (Breach of contract, copyright violation on a work-for-hire agreement, etc.) If you are using Fossil in this way, we recommend that you give “x” capability to a special developer account only, if at all, to minimize the chance of an accidental push.