[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: how to implement user level security in cvs ?

From: Muhammad Shakeel
Subject: Re: how to implement user level security in cvs ?
Date: Wed, 15 May 2002 20:57:46 +0500
User-agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1

Dear Noel,

Thanks a lot for quick and valuable reply. I implemented the ACL but  did not implemented ACL on file level. Therefore on file level i had given a read permission to others (r--r--r--) by setting CVSUMASK. Therefore the folders also got the read permission in others field. Is this only read permission can make any security risk ? It seems without execute permission on a folder no one can access the files inside that folder.

 Yes, It is important to refresh the ACL after checkin, because CVS changes the file ownership and group information to the one who checked in the file. Also the PreservePermission in CVSROOT/config file does seems to be properly implemented.
>From the last paragraph of ur reply shows files level ACL is also required. Should we need to implement ACL for files too ? Is any referece script for loginfo ACL is available ?


Noel Yap wrote:
1. CVS recreates (ie copies and removes) the archive
file each time there is a checkin.
2. CVS, by default, creates locks within the repo
directory. The location of the locks can be
configured by setting LockDir within CVSROOT/config.
3. A user can create and remove files within a
directory if and only if (iff) that user has write
permissions to that directory.
4. A user can use a directory iff that user has
execute permissions to that directory.
5. A user can modify a file iff that user has write
permissions to that file.

1. A user will need repo file and directory read
permissions to checkout/checkin a file.
2. A user will need repo directory write permissions
to checkin a file.
3. It is safer if a user did not have repo file write

1. Default ACLs cannot tell the difference between
directories and files.
2. Repo directory permissions need to be treated
differently from repo file permissions.

1. A loginfo script will need to reset file ACLs for
each commit. It will also need to set ACLs on new
elements. Typically, this setting is a combination of
inheritance from the parent directory for ACL users
and groups and read permissions, files are never
writable, files may need to be executable, and
directories are always writable and executable.


--- Muhammad Shakeel
<address@hidden> wrote:
Dear Noel yap,

Sorry i am asking a question related to little older
thread in mailing
list. I implemeted ACL on directory level as was
suggested, and do not
implemented on files. But what is reason that it is
not recomended ? If
a user have a permission on folder but not on a
file then he cannot
checkout the code.

Can u please also recall to tell me what is required
to do in loginfo
file in this case ?


Noel Yap wrote:

The answer is a little trickier than this,
I remember having to put something in loginfo so
ACLs would get properly created from the directory
(default ACLs aren't appropriate here since you
probably don't want the directory's execute and
bits to be inherited by the files).

--- gabriel rosenkoetter <address@hidden> wrote:

On Thu, Apr 18, 2002 at 09:28:38PM +0500, Muhammad
Shakeel wrote:

Can i use solaris access control list ? Is cvs

works fine when using acl ?


(Think about this logically: cvs is run as the
performing the
action. Therefore, it can only affect a file in a
given way if the
user has permission to do so.)

Beware ownership changes of files, though. (And
that you
probably don't want to use ACLs on files anyway,
want to use
them on directories.)

gabriel rosenkoetter

ATTACHMENT part 2 application/pgp-signature 

Do You Yahoo!?
Yahoo! Tax Center - online filing with TurboTax

Info-cvs mailing list


Do You Yahoo!?
LAUNCH - Your Yahoo! Music Experience

Info-cvs mailing list

reply via email to

[Prev in Thread] Current Thread [Next in Thread]