info-cvs

Re: Right Permissons !?


From: Greg A. Woods
Subject: Re: Right Permissons !?
Date: Thu, 27 Sep 2001 15:54:21 -0400 (EDT)

[ On Thursday, September 27, 2001 at 11:15:56 (-0700), Chris Barker wrote: ]
> Subject: Re: Right Permissons !?
>
> I'm all confused by permissions in the repository. First my problem:

It's really quite simple once you understand unix-style file and
directory access controls and once you understand how RCS operations are
done on repository files.

> I set up a repository on my linux box, and have people accessing it with
> the pserver method (all folks accessing the server have accounts on the
> box).

Well, there's the source of one of your confusions -- you really do not
want to use cvspserver for anything but anonymous read-only access.  Use
real accounts and use RSH/SSH for remote client access.

> I took a look at the directory hierarchy, and noticed that each file was
> owned by the user who added (or last updated?) it. I'm imagining that
> that is the source of the problem.

No, not likely -- that's normal and intended behaviour.

> Why is CVS designed this way?

Because that's the way unix-style file and directory access controls
dictate that RCS operations can be performed.

From the CVS Manual:

    File permissions
    ----------------

       All `,v' files are created read-only, and you should not change the
    permission of those files.  The directories inside the repository
    should be writable by the persons that have permission to modify the
    files in each directory.  This normally means that you must create a
    UNIX group (see group(5)) consisting of the persons that are to edit
    the files in a project, and set up the repository so that it is that
    group that owns the directory.

       This means that you can only control access to files on a
    per-directory basis.

The important thing to understand is that in a unix filesystem the right
to write to a directory controls the integrity of the files within
(except for their ownership on some systems).  If I can write to a
directory then I can remove any file and create any new file (and on
some systems I can even cause any file I own to be owned by someone
else, though this is a less common capability on modern systems).

In other words if I have write access to a repository directory (as well
as read and search access, of course) then I can commit changes to any
,v file within it.

> I did follow suggestions in the docs, and create a cvs group, and add
> all the users that access cvs to that group, but the files (and new
> directories) get created with primary group of the creator (users),
> rather than group cvs.

Don't worry about the files (so long as they are mode 0444).  Only the
directories matter.....

If you're still having problems then they may be in part due to the use
of cvspserver.

Turn off pserver and use RSH/SSH instead.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <address@hidden>     <address@hidden>
Planix, Inc. <address@hidden>;   Secrets of the Weird <address@hidden>
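
The point about directory write access, as an added example that is not part of the original message or of CVS/RCS (function names, the temp-file name and all paths are constructed for illustration): `replace_rcs_file` swaps new contents in over a mode-0444 `,v` file by rename, and `audit_repo` checks a tree against the rules in the manual excerpt quoted above.

```shell
#!/bin/sh
# Added example: constructed names and paths; not code from CVS or RCS.

# Replace a read-only ,v file the way an RCS-style commit does: write the new
# contents to a temporary file in the same directory, then rename it over the
# original. The rename needs write (and search) permission on the directory;
# the 0444 mode of the ,v file itself is never an obstacle.
replace_rcs_file() {
    dir=$1 name=$2 new_contents=$3
    tmp="$dir/,$name,"                      # temp file beside the target (illustrative name)
    printf '%s\n' "$new_contents" > "$tmp" || return 1
    chmod 0444 "$tmp"                       # the new ,v file is read-only too
    mv -f "$tmp" "$dir/$name,v"             # rename over the old revision file
}

# Audit a repository tree: every directory must belong to the project group
# and be group-writable, and every ,v file must be mode 0444.
# Prints one finding per line; prints nothing when the tree is clean.
audit_repo() {
    repo=$1 group=$2
    find "$repo" -type d ! -group "$group" \
        -exec printf 'wrong-group %s\n' {} \;
    find "$repo" -type d ! -perm -0020 \
        -exec printf 'not-group-writable %s\n' {} \;
    find "$repo" -type f -name '*,v' ! -perm 0444 \
        -exec printf 'bad-mode %s\n' {} \;
}
```
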


