Re: ACL status
Fri, 14 Jan 2005 08:27:20 -0500
Rafael Sanz wrote:
> Thanks Peter and Arthur.
> About the contrib scripts: they are not enough because they only restrict commits
> (currently, I've resolved this with a perl script hook at commitinfo and
> taginfo events).
Gross permissions with cvs (not sure about CVSNT under windows) are done at
the filesystem level, i.e., either you can read from the project repo or not
depending on the filesystem permissions.
Writing to the repo is controlled also by the filesystem permissions, but
can have further fine-grained control using cvs_acls scripts.
If you are using pserver the reader/writer set performs much the same gross
permissions as the filesystem permissions, but should be backed up by the
filesystem permissions, because the filesystem permissions are more sure to
work if the person is logging in with an operating system login instead of
a pserver password. If you are really concerned about security and
segregating your users, be aware pserver has not had a great track record
(in the last couple of years at least), check the archives of this list for
> The only way that I found is using the SO groups and users; it is similar in
> CVSNT if I understand well. But I don't understand how chacl works exactly:
Please clarify what you mean by SO groups... I do not immediately recognize
Do you mean Italian for Operating System?
(Assuming you do for this email)
> -change the SO permission of repository file?
Not files, directories. cvs_acls may allow per file.
> -Are the permissions stored somewhere? (I understand it is in the SO
> repository file attribute, then how is the branch controlled?)
for cvs_acls it is in cvsacl file, read the "Admin Setup" section of
> -And my Achilles heel, chacl close the read permission for specific
> I'm reading this manual http://www.cvsnt.org/wiki/SetAcl but I don't
> understand completely the differences in ACL control between CVS and CVSNT
> (except native commands to do it in CVSNT)
> Currently I manage a CVS server on Solaris and the security rules of SO
> administrators are in conflict to grant access over modify users/groups, if
> I must change to cvsnt is a valid option but I need understand the gains of
> this, because the mechanism in CVSNT (if I understand well) have the same
What conflict do they really have?
Do they not want to maintain the file, or is it that they do not want to let
you maintain it? If it is they don't want to maintain it, someone should
remind them it is their job to support the users (either they make changes
or allow you to), if it is that they don't want to let you change the file
(directly) I can understand their perspective as an admin myself, but they
must choose one of the two update methods and go forward.
For my building, the task (or project) lead identifies the people working
for him/her and notifies the admin group who they want in the unix group
file for their project, the admin makes the change and then the task lead
uses the unix group for their repository. For my building this has always
been enough, i.e., we have not had to use cvs_acls and the like.
> Some other link that clarify me?
If someone's user id & group id does not have read access to the repo
directories, then they can't read the data from cvs. see:
Look for LockDir in the next one
> Thanks in advance, again.
> -----Original Message-----
> From: Arthur Barrett [mailto:address@hidden
<pointed out some ACL stuff is already integrated in CVSNT>
> -----Original Message-----
> From: address@hidden
> [mailto:address@hidden On
> Behalf Of Rafael Sanz
> Sent: Friday, 14 January 2005 2:31 AM
> To: address@hidden
> Subject: ACL status
> Hello, I need to extend my cvs server with fine grain of Access Control
> Level (beyond writers or readers files natives in CVS standard).
> I found some references to patches at C code
> (http://www.unixgods.org/~tilo/CVS_ACL/), but any is standard...
> What is the develop status of ACL in cvs server for UNIX?? Is in
> Nothing about?
> Whatever, some link better to ACL solutions that deal with read
> for files or directories?
> Thanks in advance.
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
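
Added example, not part of the original message: a small audit of the filesystem-level controls the reply relies on, listing repository directories that grant any access outside the owner and project group and directories without the setgid bit. The function names are hypothetical, and it assumes the policy is one Unix group per project with no access for "other".

```shell
#!/bin/sh
# Added example: audit directory modes under a CVS repository root.
# Assumed policy: each project directory is limited to its owner and
# one Unix group; "other" gets no read, write or search permission.

# Print one finding per line: "<TAG> <directory>".
audit_cvs_repo() {
    root=$1
    # Any "other" bit (r, w or x) lets accounts outside the project
    # group into the directory, regardless of pserver readers/writers.
    find "$root" -type d \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print |
        sed 's/^/WORLD_ACCESS /'
    # Without setgid on the directory, new subdirectories take the
    # creator's primary group (SysV/Linux semantics) and can drift
    # out of the project group over time.
    find "$root" -type d ! -perm -2000 -print |
        sed 's/^/NO_SETGID /'
}

# Print "<module> <group>" for each top-level directory, so the list
# can be compared with what the project leads asked the admins for.
module_groups() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        printf '%s %s\n' "$(basename "$d")" "$(ls -ld "$d" | awk '{print $4}')"
    done
}

# Run against a repository root when one is given on the command line.
if [ $# -gt 0 ]; then
    audit_cvs_repo "$1"
    module_groups "$1"
fi
```

The checks look only at mode bits and group ownership; they do not read the cvsacl file or the pserver readers/writers files.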