RE: Restricting access to certain modules in a repository

From: Vishal Jain
Subject: RE: Restricting access to certain modules in a repository
Date: Fri, 1 Mar 2002 14:06:38 -0500

Well, your problem seems quite like mine. We have our repository
mounted on NFS and there is one setGuid "cvs" binary placed. The
whole repository and code is in one user permission only and the
"cvs" is setGuid for this user. A normal user will execute this
setGuid "cvs" and checkout/checkin the code. To limit some users
from doing some basic operations I have installed a Perl script to
check the user id (not effective group id, because that is set
by setGuid "cvs") and do basic ACL checking.

But I am not sure how to disable users while checking out the
modules. I think the module file comes into the picture only after code
is checked out. But my ACL checking at least limits them from doing any
modifications in the CVS :-) That was my basic concern.

I hope this may be of some help to you.

Vishal Jain

-----Original Message-----
From: address@hidden [mailto:address@hidden]
Sent: Friday, March 01, 2002 1:48 PM
To: address@hidden
Cc: address@hidden
Subject: Re: Restricting access to certain modules in a repository

Schlitz writes:
> I have a basic system 'cvsuser' user that is used in the passwd file as
> system user name for all users.


> Because the repository is on some kind of network-attached drive (which I
> have no knowledge of), there are (so the sysadmins tell me) complications
> that prevent us from using unix group permissions facilities to control
> access to the different modules in my repository.

Having the repository on a network file system is a very bad idea --
we've had lots of reports of repository corruption caused by subtle bugs
in network file systems.  I strongly suggest moving your repository to a
local disk, which would also avoid the problem with using group

> Is there any way to control all access to some modules in a repository in
> this scenario?  I use scripts to control commit permissions by user name
> on a per-module basis, and do the same for tags. Is there a similar
> facility that can be used for checkouts, or some other technique?

You might be able to use the userid rather than groups, the key point
being that a user only has one userid whereas a user can belong to lots
of groups.  Other than that, I think you're stuck -- there's no script
that's guaranteed to be run during a checkout.

-Larry Jones

Physical education is what you learn from having your face in
someone's armpit right before lunch. -- Calvin
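
The kind of real-uid ACL check described in the reply above, as an added example; it is not the Perl script from the thread, which is not shown. It is written in Python as a commit-time hook, and the ACL table, the paths and the argument order are assumptions made for illustration.

```python
import os
import pwd
import sys
from pathlib import PurePosixPath

# Constructed sample ACL: directory under the repository root -> logins allowed to commit.
ACL = {
    "payroll": {"alice"},
    "web": {"alice", "bob"},
    "web/admin": {"alice"},
}

def real_user():
    """Login for the real uid. A set-id cvs binary changes only the effective
    ids, and $USER/$LOGNAME are caller-controlled, so neither is consulted."""
    try:
        return pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        return None  # unknown uid: matches no ACL entry

def commit_allowed(user, repo_dir, cvsroot, acl=ACL):
    """Default-deny check of `user` against the most specific ACL entry."""
    try:
        rel = PurePosixPath(repo_dir).relative_to(cvsroot)
    except ValueError:
        return False  # directory is not under the repository root
    if ".." in rel.parts:
        return False  # refuse paths that climb out of the matched module
    # Compare whole path components so "web" never matches "web-old".
    for candidate in (rel, *rel.parents):
        allowed = acl.get(candidate.as_posix())
        if allowed is not None:
            return user in allowed
    return False  # no entry covers this directory

if __name__ == "__main__":
    # Assumed invocation: acl_check.py <cvsroot> <repository-dir> [files...]
    if len(sys.argv) < 3:
        sys.exit(1)
    ok = commit_allowed(real_user(), sys.argv[2], sys.argv[1])
    if not ok:
        print("commit denied by ACL", file=sys.stderr)
    sys.exit(0 if ok else 1)
```

A non-zero exit status is what makes the commit fail; as both messages note, a hook like this does not run on checkout, so it cannot restrict read access.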
