info-cvs
Re: how to implement user level security in cvs ?


From: Muhammad Shakeel
Subject: Re: how to implement user level security in cvs ?
Date: Fri, 17 May 2002 12:19:47 +0500
User-agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1

Dear Noel,

Thanks for your reply. I implemented an ACL on a folder in my repository. When someone checks in to this folder, loginfo executes the script and refreshes the whole ACL recursively in that folder. But when a user who is not the owner of the files in the repository (although he has rwx permissions) checks in a file, the script on its execution gives an error message:

not a owner of the file/folder.

It means scripts run from loginfo execute with the permissions of the user who is checking in.
To add or modify an ACL, one should be the owner of the ACL.
It means the script failed at that point.

Instead of the above script, if in another script I try to copy the ACL of a parent folder to the newly created folder in that folder, then how do I send the paths of both folders from loginfo to the script in the arguments?

Instead of using a script to refresh the whole ACL or copy the ACL, I also implemented a default ACL at the start on a folder. But the default ACL permissions also do not reflect all the ACLs in the new folder created within that folder.

Please help me proceed. It seems I am stuck again.

:-[

Regards,
shakeel





Noel Yap wrote:

> --- Muhammad Shakeel <address@hidden> wrote:
>
>> Thanks a lot for the quick and valuable reply. I implemented the ACL but did not implement ACL at the file level. Therefore at the file level I had given a read permission to others (r--r--r--) by setting CVSUMASK.
>
> Be careful that you're not turning off file execute bits for scripts.
>
>> Therefore the folders also got the read permission in the others field. Can this read permission alone create any security risk?
>
> Read perms for other is only a security risk if the info within the repository is so confidential that others on the system should not be able to see it.
>
>> It seems without execute permission on a folder no one can access the files inside that folder.
>
> Yes, as I think I stated in my previous email, execute permissions will be necessary for anyone who needs access to the repository.
>
>> Yes, it is important to refresh the ACL after checkin, because CVS changes the file ownership and group information to the one who checked in the file.
>
> File ownership doesn't matter, really (except for being able to change file permissions). The file permissions are more important.
>
>> Also the PreservePermission in CVSROOT/config file does seems to be properly implemented.
>
> Don't use it. I think I've heard it's so bad that it should be ripped out.
>
>> The last paragraph of your reply shows file-level ACL is also required. Do we need to implement ACL for files too? Is any reference script for loginfo ACL available?
>
> File-level permissioning is necessary to guarantee that those that need read permissions get them (of course, you could grant read permissions to everyone if you don't think your stuff is that confidential). It's also important to preserve the execute bit (CVS does this automatically for normal permissions, but not for ACLs).
>
> I'll see if I can dig up my script.
>
> Noel


