bug-cvs
Re: cvs admin fails in invalid circumstance


From: Mark D. Baushke
Subject: Re: cvs admin fails in invalid circumstance
Date: Mon, 07 Mar 2005 08:33:03 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tim Connors <tconnors+bug_cvs@astro.swin.edu.au> writes:

> > cvs --version
> Concurrent Versions System (CVS) 1.12.1 (client/server)
> 
> I am on a network, and I have my own private repository which I share with
> no-one. All the ,v files, and the checked out files, are owned by me.
> 
> There unfortunately happens to be a shared repository on the same network,
> and hence a cvsadmin group. I only access my repository using local file
> access, and ssh. Since I have no need to be a member of the shared
> repository, I am not a cvsadmin member.

The repository owner (you) has complete control over what folks in a
non-cvsadmin group are able to do.

Add a UserAdminOptions=ibcaAeluLUnNmostIqxVk line to your CVSROOT/config
file and you should be able to use all of the cvs admin options available
without being a cvsadmin group member.

> Why then, does cvs check to see whether I am a member of cvsadmin, despite
> me having permissions to the files anyway? 

Because after a user does a checkin to the repository, they will own all
of the files in the repository, so that is not a sufficient guarantee that
they are permitted to do administration on the repository.

> This is a useless security measure, if it is one, because I can either
> hack cvs myself, or I can simply take to the ,v files with a
> chainsaw^Weditor.

It is not useless as it requires shell access to the repository which is
not always granted by all cvs administrators. You can 'hack' cvs yourself
by creating your own executable with the 

   ./configure --without-cvs-admin-group

or by using your own special group

   ./configure --with-cvs-admin-group=mygroup

if you wish to create your own cvs executable. However, I suggest the
administrator of the other repository will be unhappy with you if you
use your own cvs executable on the shared repository.

> Is it just a case of forgetting to turn off the test when accessing over
> non pserver etc methods?

No, it is not.

        -- Mark

For further reading consider the following documentation.

https://www.cvshome.org/docs/manual/cvs-1.12.11/cvs_16.html#SEC132
https://www.cvshome.org/docs/manual/cvs-1.12.11/cvs_18.html#SEC205 

 UserAdminOptions=value                                
                                                            
     Control what options will be allowed with the cvs admin co
     section admin--Administration) for users not in the cvsadm
     value string is a list of single character options which s
     If a user who is not a member of the cvsadmin group tries
     cvs admin option which is not listed they will receiv
     message reporting that the option is restricted.       
                                                 
     If no cvsadmin group exists on the server, CVS will ignore
     UserAdminOptions keyword (see section admin--Administratio
                                                            
     When not specified, UserAdminOptions defaults to `k'. In o
     defaults to allowing users outside of the cvsadmin group t
     admin command only to change the default keyword expansion
                                                           
     As an example, to restrict users not in the cvsadmin group
     admin to change the default keyword substitution mode, loc
     unlock revisions, and replace the log message, use `UserAd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFCLII+3x41pRYZE/gRAqttAJ9FPHN2O1k4zI7FbFsyLUQvJyd/iACfUEIx
5fE5jsHl3pZs+50ApJk3xx8=
=bov2
-----END PGP SIGNATURE-----
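
The check described in the message and the quoted manual excerpt above, modelled as an added example (not part of the original e-mail and not CVS source code): it reads a CVSROOT/config text and reports which `cvs admin` option letters a user outside the cvsadmin group would be refused. The function names, the sample config contents, the one-letter-per-argument parsing and the "last setting wins" rule are assumptions made for illustration.

```python
DEFAULT_USER_ADMIN_OPTIONS = "k"  # default stated in the quoted manual text


def user_admin_options(config_text):
    """Return the UserAdminOptions value found in CVSROOT/config text."""
    value = DEFAULT_USER_ADMIN_OPTIONS
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "UserAdminOptions":
            value = val.strip()  # assumption: the last setting in the file wins
    return value


def option_letters(argv):
    """Simplified parse: the letter after '-' in each option argument."""
    return [a[1] for a in argv if len(a) > 1 and a.startswith("-")]


def restricted_options(argv, config_text, in_cvsadmin, cvsadmin_exists=True):
    """Return the option letters that would be reported as restricted."""
    if in_cvsadmin or not cvsadmin_exists:
        return []  # group members are unrestricted; no group means no check
    allowed = set(user_admin_options(config_text))
    return [o for o in option_letters(argv) if o not in allowed]


# Constructed CVSROOT/config contents, for illustration only.
CONFIG_DEFAULT = "# no UserAdminOptions line\nSystemAuth=no\n"
CONFIG_OPEN = "UserAdminOptions=ibcaAeluLUnNmostIqxVk\n"
CONFIG_NARROW = "UserAdminOptions=klu\n"

if __name__ == "__main__":
    cmd = ["-kb", "-m1.3:fix typo", "-o1.1", "file.c"]
    for name, cfg in [("default", CONFIG_DEFAULT), ("open", CONFIG_OPEN),
                      ("narrow", CONFIG_NARROW)]:
        print(name, "restricted:", restricted_options(cmd, cfg, in_cvsadmin=False))
```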



