Re: CVSROOT file permissions (history val-tags)

info-cvs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVSROOT file permissions (history val-tags)

From:	Todd Denniston
Subject:	Re: CVSROOT file permissions (history val-tags)
Date:	Tue, 26 Jul 2005 13:06:30 -0500

"Bulgrien, Kevin" wrote:
> 
> It seems odd that history and val-tags require write permissions
> when all other cvs repository files do not.  It seem particularly
> odd for history and val-tags to be created with world write
> permissions by default...

They are more logging files than control[1] files, the rest are control
files. The history file logs  MOST actions taken by the cvs server. The
val-tags file IIRC is an optimization for when a tag has been used once and
found valid the server does not have to walk the whole tree to report
whether the tag is valid or not. 

IIRC when they exist, but are not write-able by the user CVS drops a few
warnings, which can be irritating.

> 
> I would like to see these files created and functional with the same
> permissions that the other CVS files have, and particularly, the removal
> of the default assignment of world write permissions to any repository
> file.

For those of us who are only slightly paranoid, the following seems to work:
mkdir $CVSROOT
chown :mygroup $CVSROOT
chmod g+ws $CVSROOT
cvs init
chmod g-ws $CVSROOT/CVSROOT
chmod o-rw $CVSROOT/CVSROOT/history $CVSROOT/CVSROOT/val-tags

and of course if the paranoia level was up a bit, you would look into chroot
jails and ssh command limitations. :)
<SNIP>
> Under this setup, a user not in group me can easily modify files if the
> enclosing directories allow world traversal even if rw is denied to world.
> Ok, I know that top-level directories should be controlled, but this still
> seems to be unneccessary when CVS already finds a way to write files that
> are read-only to everyone.
> 
I usually control my $CVSROOT/CVSROOT directory such that only the admin has
write privs in the directory, however so I get logging I set history
val-tags ug+rw
/CVSROOT$ ls -l history val-tags -d .
drwxr-xr-x    3 me mygroup         4096 Jul 26 11:00 ./
-rw-rw----    1 me mygroup          570 Jul 26 11:45 history
-rw-rw----    1 me mygroup            0 Jul 26 11:00 val-tags
So there can be a reason to allow users, who can not write to this
directory, the ability to write to these two files.

[1] by control file, I mean they often are used to prevent or modify
access/changing of data in the repository, and should be controlled by the
admin.

-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane) 
Harnessing the Power of Technology for the Warfighter

[Prev in Thread]

Current Thread

[Next in Thread]

CVSROOT file permissions (history val-tags), Bulgrien, Kevin, 2005/07/26
- Re: CVSROOT file permissions (history val-tags), Todd Denniston <=

Prev by Date: CVSROOT file permissions (history val-tags)
Next by Date: Build cvs on Windows
Previous by thread: CVSROOT file permissions (history val-tags)
Next by thread: Build cvs on Windows
Index(es):
- Date
- Thread