Re: Directory based Access Control

[Larry Jones]

Infoman: Martin Kretschmar writes:
> 
> For test purposes I have two different users, "user_rw" and
> "user_ro". Both belong to the "developers" group, but for a
> specific subdirectory the owner is set to "localcvsadmin",
> the owning group is "specialists". "user_rw" belongs to
> "specialists" but "user_ro" not. The file ownerships for all
> files in the subdirectory are "localcvsadmin.specialists",
> the permissions identical "rw-rw----".

In general, files in the repository should not be writable.  The key is
directory permissions: users must have read permission on a directory to
checkout its contents and must have write permission on a directory to
checkin changes to its contents.  You have to use LockDir= to put the
lock files elsewhere if you want people to be able to checkout
directories that they don't have write access to.

> If "o+w" is set for this directory, using WinCVS 1.2 with ssh
> for "user_rw" and "user_ro" allows both to checkout as they
> should but also both to commit changes. The permissions work
> as they should for local logins.

Well sure, you've just given everyone permission to write in that
directory.  What you want to do (it appears) is give everyone read
permission but only members of the specialists group write permission,
so you'll want to do "g=rwx,o=rx".  Since this is Linux, you'll probably
want to set the SGID bit on the directory too to ensure that any new
subdirectories created in this directory get the same ownership and
permission, so you'll really want to do "g=rwxs,o=rx".

-Larry Jones

Hey!  What's the matter?  Can't you take a joke?!  It was a JOKE! -- Calvin