info-cvs

Re: Repository "other" read access


From: Rahul
Subject: Re: Repository "other" read access
Date: 15 Feb 2006 10:31:45 -0800
User-agent: G2/0.2

Stas -

Here are some best practices using WANdisco for CVS Enterprise Edition
for security.

You can get away from mucking with file level permissions for
controlling read access. You can set up an extremely secure server
installation as follows:

1. Set up /cvs permissions for a single cvs-server account 'cvsd'

For example:

drwx------    4 cvsd   cvsd    /cvs
drwx------    4 cvsd   cvsd    /cvs/project
drwx------    4 cvsd   cvsd    /cvs/project2

So now the repository can not be written or read by anyone other than
'cvsd'.

2. Using the WANdisco WebUI, set up role-based access control to map
roles/sub-groups to specific projects. For instance, you could define a
role, project2Engineering, and then have project2Engineering set up
with list/read/write access to /cvs/project2. If project2Engineering
maps to an LDAP/NIS/Active Directory group, you can import user-group
associations into the WANdisco security database via the WebUI. This
allows you to scale to a large number of users easily. If a user
migrates to another project (say /cvs/project), you can go to the WebUI
and with a couple of clicks map them to a different role/group. If
later you want to restrict access to a specific branch, you can edit
the ACL and specify a branch or a branch pattern (full Perl-style
regular expression). This works with SSH or Pserver access to the
repository.

3. By default everyone is denied. Unless you explicitly give access to
/cvs/project, the project2Engineering role/sub-group will not have
access to /cvs/project.

4. All access (with the client's IP address) gets logged into an audit
database that can be configured with a SQL backend.

5. If you have a multisite CVS setup, then all the security policies
can be configured to automatically replicate to other sites when you
make changes to them, so you don't have to worry about setting up file
permissions at all the sites to be in sync.

Also take a look at the CVS FAQ -

http://ximbiot.com/cvs/wiki/index.php?title=CVS_FAQ#How_do_I_control_list_or_read_access_within_the_repository.3F

Regards,
Rahul Bhargava
WANdisco, Inc
http://www.wandisco.com
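
A check for the layout in step 1 of the message above, as an added example that is not part of the original post and is not WANdisco tooling: it reports every path under the repository root that is not owned by the server account or that grants any group/other permission bit. The function name audit_repo_perms and its arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a CVS repository tree against the step 1 layout
# (everything owned by one server account, no group/other access).
# audit_repo_perms is a hypothetical helper name, not a CVS or WANdisco command.
#
# Usage:   audit_repo_perms ROOT OWNER     e.g. audit_repo_perms /cvs cvsd
# Output:  one offending path per line
# Returns: 0 = clean, 1 = findings, 2 = bad arguments
# Run it as OWNER or root; any other account cannot descend into 0700 dirs.
audit_repo_perms() {
    root=$1
    owner=$2
    if [ ! -d "$root" ] || [ -z "$owner" ]; then
        echo "usage: audit_repo_perms ROOT OWNER" >&2
        return 2
    fi
    # Symlinks are skipped because their own mode bits carry no meaning.
    # Each -perm -NNN test matches when that single bit is set
    # (group r/w/x = 040/020/010, other r/w/x = 004/002/001).
    findings=$(find "$root" ! -type l \( \
        ! -user "$owner" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \
        \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Command-line use: sh audit.sh /cvs cvsd
if [ "$#" -eq 2 ]; then
    audit_repo_perms "$1" "$2"
fi
```

Run periodically (for example from cron as the server account), a non-zero exit flags permission drift that would let local users bypass the server-side access control.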


