Re: new authentication mode

[Derek Robert Price]

Markus Grabner wrote:

> Am Dienstag, 30. Juli 2002 00:12 schrieben Sie:
>  
>
> > >                                                [...] Our modified CVS
> > > server checks for the system password if "+" is given in CVSROOT/passwd
> > > instead of the encrypted password
> > >      
> > Vielleicht uebersehe ich ja was, aber:
> >
> > Fuer "echte" Benutzer sind doch gar keine CVSROOT/passwd-Eintraege noetig.
> > Die werden ganz normal ueber ihr System-Passwort authentifiziert.
> > (Es sei denn, CVSROOT/config sagt:   SystemAuth=No, das ist aber
> > eher ungewoehnlich.)
> >    
> The question was what this is good for since "real" users are authenticated by 
> their system password and don't need a CVSROOT/passwd entry.
>
> That's right, but if more persons want to use the same archive and some access 
> restrictions should apply on a per-propject basis, the recommended way in CVS 
> to do so is to map the CVS user ids of all project membes to a unique system 
> user. Currently this also requires to specify a password for each CVS user 
> (or omit it to allow the user to access the repository without 
> authentication). The new code makes it possible to map user ids (e.g., for 
> project management purposes), but still to use system authentication. This 
> avoids having to manually update the CVSROOT/passwd file each time a user 
> changes its password.
> We faced some problems organizing several CVS projects at our site (different 
> student classes, research projects etc.). Our first attempt was to use Unix' 
> standard user/group management, but this failed since CVS doesn't care about 
> group ids (unlike, e.g., Samba, which does a perfect job on this). Indeed, I 

I'm not quite sure what you're talking about.  CVS handles UNIX group 
IDs just fine, though on Linux systems you have to set the directory 
setgid bit for the repository.  `man chmod' for more, but basically, 
`chmod g+s', and then use UNIX groups as you'd probably expect.  From 
<http://www.cvshome.org/docs/manual/cvs_2.html#SEC13>:

> All `,v' files are created read-only, and you should not change the 
> permission of those files. The directories inside the repository 
> should be writable by the persons that have permission to modify the 
> files in each directory. This normally means that you must create a 
> UNIX group (see group(5)) consisting of the persons that are to edit 
> the files in a project, and set up the repository so that it is that 
> group that owns the directory. (On some systems, you also need to set 
> the set-group-ID-on-execution bit on the repository directories (see 
> chmod(1)) so that newly-created files and directories get the group-ID 
> of the parent directory rather than that of the current process.)


Derek

--
               *8^)

Email: derek@ximbiot.com
Public key available from www.keyserver.net - Key ID 5ECF1609
Fingerprint 511D DCD9 04CE 48A9 CC07  A421 BFBF 5CC2 56A6 AB0E

Get CVS support at http://ximbiot.com
--
"I tried to think but nothing happened!"
           - Curly