info-cvs

[cvsnt] setting file access permissions with ACL??


From: Rogier
Subject: [cvsnt] setting file access permissions with ACL??
Date: 15 Dec 2004 01:40:55 -0800
User-agent: G2/0.2

Hi everybody,

I'm trying to limit the access to certain files for some users, but
didn't succeed so far. I'm using cvsnt 2.0.58d on both server and
clients.

First I tried the following on the server (in some dir within the
repository):

cvs chacl -u john -a nowrite bla.h

Hoping this would allow john to checkout/update "bla.h" but not commit
it.

(first got an error about CVSROOT not being set - I never did any cvs
things on the server yet, only created a repository there using the gui
and used TortoiseCvs on client machines...)
Then it said:

cvs chacl: in directory .:
cvs [chacl aborted]: CVS directory without administration files
present.  Cannot continue until this directory is deleted or renamed.

When I tried "cvs lsacl", same thing. Is changing ACL stuff not
supposed to happen on the server?

I also tried on a client PC (where I use the cvs account "rogier"), and
it seemed to work now, when doing "cvs lsacl" afterwards I get this:

Directory: .
Owner: peter

<default>
read
write
create
tag
File: bla.h

user=john
write(deny)

However... john can still commit changes to bla.h :(

Since all cvs users in our repository map to the same single Windows
guest account on the server ("CvsDummyUser", see also * below), I
thought maybe the rights refer to real Windows users rather than the
'virtual' cvs users in the passwd file... so I did the same chacl
command with CvsDummyUser instead of "john", but still no difference.

On the server, the cvs\fileattr.xml file looked ok though (see also
lsacl result above which seemed all right)

Three questions:

- What am I doing wrong? :)

- Isn't it scary that clients can change the ACL rights, i.e. what
prevents a user from increasing his own rights to certain files?

- About the 'noread' access: can I also enforce that a user doesn't
even SEE a dir or file at all? So when he checks out or updates, he
only gets the stuff I want him to get, and no errors about dirs that he
can't access?

Thanks a lot,
Rogier


(*) This is because I don't want to mess with system-dependent user
rights or NTFS file permissions. I want to control file access on
database level only; if I need to host this CVS repository on another
server tomorrow I don't want to have to perform all kinds of system
changes there.


