[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: set group id not taking effect?

From: Paul Edwards
Subject: Re: set group id not taking effect?
Date: Thu, 14 Aug 2003 09:06:58 GMT

"Mark D. Baushke" <mdb@cvshome.org> wrote in message 
> Paul Edwards <kerravon@nosppaam.w3.to> writes:
> > My repository is under a particular unix group, say groupa.
> >
> > I have a user who is not in groupa.
> >
> > No problem, I just did a chmod g+s cvs

That was on the executable.

> > and asked them to try again.
> >
> > Nope, it fails because $CVSROOT/CVSROOT is not writable.
> > Indeed, it is not world writable, but I expected the setgid to take
> > care of that.
> The $CVSROOT/CVSROOT directory is group "cvs"

No, it was groupa.

> and had g+rwxs permissions

It so happens that the directory has "s", but that is not important.
I don't care what group new files are created under, I know they
were just trying to do a "cvs diff", so nothing important.

> and your OS honors g+s directory permissions


> and the OS allows g+s
> executables to be honored from the mounted directory?

I think so, but I've since lost my ability to test, because the
admins corrected the user's group overnight, so I'm back to
the old status.

> > Sun Solaris.
> > CVS 1.11.6
> Yes, solaris UFS directories may use g+rwxs permissions. Although I
> believe it is possible for NFS to disable that support. I would hope
> your repository is not NFS mounted.

Both the executable and the directory are on NFS mounts.  We
have 4 machines, and it is more important to be able to compile
fast than do checkouts fast, so the box we have for compiles
accesses the other stuff over the NFS mount.

> > the executable is in a directory that is allowed to have setuid,
> Good.
> > although I just realised I didn't specifically check if setgid was
> > allowed or not.  Certainly the bit was set, but I didn't think of
> > checking /etc/mnttab until just now.  Any ideas?

I didn't find any sign of a "nosgid", which I presume is the
syntax for switching off set group id, given that nosuid was
the syntax for switching off set user id.  I should have done
a simple test yesterday, it never occurred to me that it was
potentially having no effect whatsoever.

> If you want to have cvs run setgid as group cvs, you may want to
> consider adding a '#define SETXID_SUPPORT 1' to your config.h file so
> that things like running $EDITOR do not give your users a shell with the
> egid of the cvs group. However, that can wait until you have things
> working in the first place.

Now there's a trap for young players!  Thanks.

> In the past, I have used a set-gid cvs executable with no problems. I
> believe it should still work with cvs 1.11.6, but I have not actually
> tried it.

Ok, I'll wait until CVS needs to be officially set up before trying again.

BFN.  Paul.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]