info-cvs

Re: Right Permissons !?


From: Eric Siegerman
Subject: Re: Right Permissons !?
Date: Wed, 26 Sep 2001 15:36:32 -0400
User-agent: Mutt/1.2.5i

On Wed, Sep 26, 2001 at 01:17:08PM +0100, Andrew McGhee wrote:
> -----Original Message-----
> > From: raptor [mailto:address@hidden
> > Sent: 26 September 2001 09:45
> > 
> > I made group developers and set CVS repository so that this group has RW
> > access, but when the user commits it changes the owner/group to his i.e.
> > doesn't preserve "developers" group on file !!!
>
> I think you'll find you need to do a "chmod -R g+s <module name>" to keep
> the group setting sticky.

DO NOT USE THIS COMMAND AS GIVEN!  It could open up a security
hole!

If you need to set g+s (see below to help you decide), you should
only set it on the directories, NOT on the files.  To do that:
        find "$CVSROOT" -type d -exec chmod g+s {} +

Think first about your desired security policy.  That will affect
whether to set g+s on the entire repo or just selected parts.
(If normal users aren't supposed to be able to edit the admin
files in $CVSROOT/CVSROOT, you can either not set g+s on that
directory, or set the flag and put the directory in a different
group).

Whether g+s will help in the first place depends on the server's
flavour of Unix.  SysV variants typically need it (including
Solaris, and maybe Linux but I'm not sure); BSD variants
typically don't.  On SysV systems, setting g+s on directory D
tells the system to propagate D's group to any files or
subdirectories created under D (and to set g+s on subdirectories
-- but not on files -- so that this propagation will recursively
happen to sub-subdirectories).  BSD systems typically propagate
group membership this way all the time; you can't turn it off, so
you don't need to worry about turning it on :-)

--

|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        address@hidden
|  |  /
The world has been attacked.  The world must respond ... [but] we must
be guided by a commitment to do what works in the long run, not by what
makes us feel better in the short run.
        - Jean Chrétien, Prime Minister of Canada
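
Added example (not part of the message above): a POSIX shell script that finds regular files left with the setgid bit by a recursive "chmod -R g+s", clears the bit on files, and sets it on directories only. The sample repository, its file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and repair setgid bits in a CVS-style repository tree.
# g+s belongs on directories (group propagation), not on regular files.

# List regular files carrying the setgid bit (what "chmod -R g+s" leaves behind).
setgid_files() {
    find "$1" -type f -perm -2000 -print
}

# List directories lacking the setgid bit; on SysV-style systems, files
# created in them will not inherit the directory's group.
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Clear g+s on regular files, then set it on every directory.
fix_setgid() {
    find "$1" -type f -perm -2000 -exec chmod g-s {} +
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} +
}

# Build a constructed sample repository and apply the recursive chmod
# that the message warns against. Prints the path of the new tree.
make_sample_repo() {
    repo=$(mktemp -d) || return 1
    mkdir -p "$repo/CVSROOT" "$repo/module a/sub"
    : > "$repo/CVSROOT/modules,v"
    : > "$repo/module a/build.sh,v"
    : > "$repo/module a/sub/main.c,v"
    chmod 775 "$repo/module a/build.sh,v"   # constructed: an executable file
    chmod -R g+s "$repo"                    # sets setgid on files AND directories
    printf '%s\n' "$repo"
}

demo() {
    repo=$(make_sample_repo) || return 1
    echo "regular files with setgid after chmod -R g+s:"
    setgid_files "$repo"
    fix_setgid "$repo"
    echo "regular files with setgid after fix: $(setgid_files "$repo" | wc -l)"
    echo "directories missing g+s after fix: $(dirs_missing_setgid "$repo" | wc -l)"
    rm -rf "$repo"
}

demo
```

To audit a real repository without changing it, call only setgid_files and dirs_missing_setgid on "$CVSROOT".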


