[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cvs admin fails in invalid circumstance

From: Mark D. Baushke
Subject: Re: cvs admin fails in invalid circumstance
Date: Mon, 07 Mar 2005 08:33:03 -0800

Hash: SHA1

Tim Connors <address@hidden> writes:

> > cvs --version
> Concurrent Versions System (CVS) 1.12.1 (client/server)
> I am on a network, and I have my own private repository which I share with
> no-one. All the ,v files, and the checked out files, are owned by me.
> There unfortunately happens to be a shared repository on the same network,
> and hence a cvsadmin group. I only access my repository using local file
> access, and ssh. Since I have no need to be a member of the shared
> repository, I am not a cvsadmin member.

The repository owner (you) have complete control over what folks in a
non-cvsadmin group are able to do.

Add a UserAdminOptions=ibcaAeluLUnNmostIqxVk line to your CVSROOT/config
file and you should be able to use all of the cvs admin options available
without being a cvsadmin group member.

> Why then, does cvs check to see whether I am a member of cvsadmin, despite
> me having permissions to the files anyway? 

Because after a user does a checkin to the repository, they will own all
of the files in the repository, so that is not a sufficient guarentee that
they are permitted to do administration on the repository.

> This is a useless security measure, if it is one, because I can either
> hack cvs myself, or I can simply take to the ,v files with a
> chainsaw^Weditor.

It is not useless as it requires shell access to the repository which is
not always granted by all cvs administrators. You can 'hack' cvs yourself
by creating your own executable with the 

   ./configure --without-cvs-admin-group

or by using your own special group

   ./configure --with-cvs-admin-group=mygroup

if you wish to create your own cvs executable. However, I suggest the
administrator of the other repository will be unhappy with you if you
use your own cvs executable on the shared repository.

> Is it just a case of forgetting to turn off the test when accessing over
> non pserver etc methods?

No, it is not.

        -- Mark

For further reading consider the following documentation.


     Control what options will be allowed with the cvs admin co
     section admin--Administration) for users not in the cvsadm
     value string is a list of single character options which s
     If a user who is not a member of the cvsadmin group tries
     cvs admin option which is not listed they will will receiv
     message reporting that the option is restricted.       
     If no cvsadmin group exists on the server, CVS will ignore
     UserAdminOptions keyword (see section admin--Administratio
     When not specified, UserAdminOptions defaults to `k'. In o
     defaults to allowing users outside of the cvsadmin group t
     admin command only to change the default keyword expansion
     As an example, to restrict users not in the cvsadmin group
     admin to change the default keyword substitution mode, loc
     unlock revisions, and replace the log message, use `UserAd
Version: GnuPG v1.2.3 (FreeBSD)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]