info-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Right Permissons !?


From: Andrew McGhee
Subject: RE: Right Permissons !?
Date: Thu, 27 Sep 2001 16:18:13 +0100

Yes - I have to agree with the g+s setting being a security concern In fact,
we shied away
from using it in the end, and went for the ACL patch that allows control
from within CVS
itself, using pserver, also allowing cvs to run as a "non-root" user - which
we prefer.

Our only issue is that pserver is un-encrypted (clear text password).

-----Original Message-----
From: Eric Siegerman [mailto:address@hidden
Sent: 26 September 2001 20:37
To: address@hidden
Subject: Re: Right Permissons !?


On Wed, Sep 26, 2001 at 01:17:08PM +0100, Andrew McGhee wrote:
> -----Original Message-----
> > From: raptor [mailto:address@hidden
> > Sent: 26 September 2001 09:45
> > 
> > I made group developers and set CVS repository so that this group has RW
> > access, but when the user commits it changes the owner/group to his i.e.
> > doesn't preserve "developrs" group on file !!!
>
> I think you'll find you need to do a "chmod -R g+s <module name>" to keep
> the group setting sticky.

DO NOT USE THIS COMMAND AS GIVEN!  It could open up a security
hole!

If you need to set g+s (see below to help you decide), you should
only set it on the directories, NOT on the files.  To do that:
        find $CVSROOT -type d -print | xargs chmod g+s

Think first about your desired security policy.  That will affect
whether to set g+s on on the entire repo or just selected parts.
(If normal users aren't supposed to be able to edit the admin
files in $CVSROOT/CVSROOT, you can either not set g+s on that
directory, or set the flag and put the directory in a different
group).

Whether g+s will help in the first place depends on the server's
flavour of Unix.  SysV variants typically need it (including
Solaris, and maybe Linux but I'm not sure); BSD variants
typically don't.  On SysV systems, setting g+s on directory D
tells the system to propagate D's group to any files or
subdirectories created under D (and to set g+s on subdirectories
-- but not on files -- so that this propagation will recursively
happen to sub-subdirectories).  BSD systems typically propagate
group membership this way all the time; you can't turn it off, so
you don't need to worry about turning it on :-)

--

|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        address@hidden
|  |  /
The world has been attacked.  The world must respond ... [but] we must
be guided by a commitment to do what works in the long run, not by what
makes us feel better in the short run.
        - Jean Chr├ętien, Prime Minister of Canada

_______________________________________________
Info-cvs mailing list
address@hidden
http://mail.gnu.org/mailman/listinfo/info-cvs



reply via email to

[Prev in Thread] Current Thread [Next in Thread]