Re: Protect CVSROOT tree

From: Howard Zhou
Subject: Re: Protect CVSROOT tree
Date: Thu, 21 Dec 2000 00:31:09 -0800

Dale,
CVSROOT $CVSROOT/CVSROOT/commitinfo_ckuser -user=$USER
Do you put the trigger script in $CVSROOT but not committed? Just curious. I
don't see how -user=$USER works here.
Does this script apply to CVSROOT module only?
What is the checkoutlist mentioned below?
Howard
----- Original Message -----
From: "Dale Miller" <address@hidden>
To: "Howard Zhou" <address@hidden>
Cc: <address@hidden>
Sent: Tuesday, December 19, 2000 6:17 AM
Subject: Re: Protect CVSROOT tree
> Howard Zhou wrote:
>
> > Hi, CVS users,
> >
> > The CVSROOT directory tree is protected by a group permission. However, this is
> > not good enough since everybody in the group can go there and make changes
> > directly in the CVS repository.
> >
> > If you take off the group permission, then you have to figure out a way to
> > make changes via a setuid program. However, cvs seems to ignore effective
> > setuid.
> >
> > Therefore I'd like to know if there is any appropriate way to protect the
> > CVSROOT repository from being modified besides the owner of the CVSROOT.
> >
> > Thanks in advance.
> >
> > Howard
> >
>
> Howard,
> I responded to this same question once before with the following:
>
> I restrict people from being able to commit to CVSROOT by using commitinfo.
>
> I added the following line to commitinfo:
> CVSROOT $CVSROOT/CVSROOT/commitinfo_ckuser -user=$USER
>
> I added commitinfo_ckuser in checkoutlist so that it is available with the
> other administrative files.
>
> And my commitinfo_ckuser program looks like the following:
> ---------------------- < cut here > ----------------------------------
> #!/usr/local/bin/perl -ws
> # commitinfo_ckuser D.Miller
> # called by commitinfo
> #
> # $Id: commitinfo_ckuser,v 1.6 2000/09/20 16:06:46 miller Exp $
> #
> # This program is called by $CVSROOT/CVSROOT/commitinfo
> # and is used to verify if user is authorized for changing CVSROOT
> # so that commit to CVSROOT files can be restricted
> #
> # The logfile is not used at this time.
> #
>
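> # With perl -s, a "-user=NAME" switch on the command line sets $user;
> # the environment is only the fallback.
> $user = $ENV{"USER"} unless defined $user;
> $CVSROOT = $ENV{"CVSROOT"} unless defined $CVSROOT;
> $logfile = "$CVSROOT/CVSROOT/commitinfo_ckuser.log" unless defined $logfile;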
>
> print "\$CVSROOT=$CVSROOT\n";
>
> %authorized = ($user =>0, #prevent uninitialized variable
> 'miller' =>1, #authorized users for CVSROOT checkin
> 'heuston' =>1,
> 'cmbuild' =>1,
> 'cmvmgr' =>1,
> 'brodzell' =>1
> );
>
>
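> ($repository, @files) = @ARGV; # repository directory, then the files being committed
>
> $ck_user = @ck_user = getpwnam $user; # checking if user exists locally
>
> # \Q...\E so that characters such as "." or "+" in $CVSROOT match literally
> if ($repository =~ /\Q$CVSROOT\E\/CVSROOT/) {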
> if (($authorized{$user} == 0) || ($ck_user == 0)) {
> print "You are not authorized to commit CVSROOT files.\n";
> exit 1; # <<<<----------------------<<<<<<<<<<<
> }
> }
>
> exit 0; # <<<<----------------------<<<<<<<<<<<
>
> # current date and time
> $sec = $mday = $mday = $wday = $wday = $yday = $isdst = 0; #not used
> ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = gmtime(time);
> $date = sprintf("%4d%02d%02s-%02d:%02d", ($year + 1900), ($mon + 1), $mday,
>                 $hour, $min);
>
> open(LOGFILE, ">>$logfile") or die "Cannot append to $logfile: $!\n";
>
> print LOGFILE "$date $user $repository @files\n";
>
> close(LOGFILE);
> ---------------------- < cut here > ----------------------------------
> I currently have the log file code turned off.
> This version has a hard coded list of authorized users, however, I have also
> done it by checking the users group. This version also checks if a person has
> a local account using:
> $ck_user = @ck_user = getpwnam $user; # checking if user exists locally
>
> If none of your users have local accounts you could use that method and have
> no hard coded authorized list.
>
> I find it simple and it works.
> Dale Miller
>
>
>
>
> _______________________________________________
> Info-cvs mailing list
> address@hidden
> http://mail.gnu.org/mailman/listinfo/info-cvs
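
A deny-by-default variant of the commitinfo check discussed in this thread, as an added example that is not Dale Miller's script and was not posted to the list: it matches the repository path literally and anchored, and in trigger mode takes the login from the real uid of the process. The `may_commit` function, the allow-list entries and the `/cvs/repo` paths are constructed for illustration, and the trigger mode assumes the script runs under the committing user's own account.

```perl
#!/usr/bin/perl
# Added example, not the script from the thread. Paths and names are constructed.
use strict;
use warnings;

# Hypothetical allow-list of logins permitted to commit administrative files.
my %authorized = map { $_ => 1 } qw(miller cmbuild);

# Returns 1 if $user may commit to $repo_dir, else 0.
#   $cvsroot  - repository root, e.g. the CVSROOT environment variable
#   $repo_dir - absolute directory being committed to (first commitinfo argument)
sub may_commit {
    my ($cvsroot, $repo_dir, $user) = @_;
    # Missing inputs mean the check cannot be made: refuse rather than allow.
    return 0 unless defined $cvsroot && length $cvsroot;
    return 0 unless defined $repo_dir && defined $user && length $user;
    (my $root = $cvsroot) =~ s{/+\z}{};    # tolerate a trailing slash
    # \Q..\E matches the root literally; \A and (?:/|\z) pin the match to
    # $root/CVSROOT itself or a path below it, not any path containing it.
    return 1 unless $repo_dir =~ m{\A\Q$root\E/CVSROOT(?:/|\z)};
    return exists $authorized{$user} ? 1 : 0;
}

# As a trigger: take the login from the real uid of the process instead of a
# command-line switch, and exit non-zero so that CVS rejects the commit.
if (@ARGV) {
    my $user = getpwuid($<);               # scalar context: login name or undef
    exit(may_commit($ENV{CVSROOT}, $ARGV[0], $user) ? 0 : 1);
}

# No arguments: print the decision for constructed cases.
my @cases = (
    ['/cvs/repo',  '/cvs/repo/CVSROOT',          'miller'],  # listed admin
    ['/cvs/repo',  '/cvs/repo/CVSROOT',          'howard'],  # not listed
    ['/cvs/repo/', '/cvs/repo/CVSROOT/Emptydir', 'howard'],  # below CVSROOT
    ['/cvs/repo',  '/cvs/repo/project/src',      'howard'],  # ordinary module
    ['/cvs/repo',  '/cvs/repo/CVSROOT-old',      'howard'],  # name only starts alike
    [undef,        '/cvs/repo/CVSROOT',          'miller'],  # root unknown
);
for my $c (@cases) {
    my ($root, $dir, $user) = @$c;
    printf "%-10s %-28s %-7s => %s\n", $root // '(unset)', $dir, $user,
        may_commit($root, $dir, $user) ? 'allow' : 'deny';
}
```

Run without arguments it prints one decision per constructed case; run with a directory argument it behaves as the trigger and reports its decision through the exit status.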