[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVS dir permissions
Mark D. Baushke
Re: CVS dir permissions
Thu, 11 Dec 2003 11:10:02 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Chris Croswhite <address@hidden> writes:
> I have been digging into the manual for security and directory
> permissions. So far I have not found what I am looking to implement
> and that is to cut off others outside specific groups from seeing the
> cvs repository. Currently I must maintain 755 on all the dirs inorder
> for cvs to work. If I change to 750, even someone with the same group
> membership, cvs will not run properly.
Are you using client/server with :ext: or :pserver: or are you using
:local: as the access method?
I suggest you may want to run 770 and depending on your OS, you may want
to use the group sticky-bit to force newly created files and directories
to be in the same group as the parent directory. Everyone in the group
for those directories will be able to commit to the repository.
> I need to know how to implement simple dir permissions to cut off the
> outside world e.g. 750. Any help is greatly appreciated.
I don't see how 750 will ever work for you unless you are using
:pserver: and then you could use 700 as the access.
If you need to use :ext: access, then there is another way to approach
/path1 is user root and group 'software' and has 750 permissions
/path1/cvsroot is user root and group 'cvs' and has 770 permissions
/usr/bin/cvs is user bin and group 'cvs' and has 1555 permissions
Now, only users in group software are able to see inside the /path1
directory to get to /path1/cvsroot and even folks that are able to get
inside are unable to do anything to the directory structure outside of
the cvs command.
Of course, this is not perfect security as anyone able to commit into
the CVSROOT module could do things and it might be possible to use the
EDITOR to grant themselves extra permissions... and you will also need
to be careful about the scripts that are run from commitinfo, verifymsg,
loginfo and taginfo (perl scripts will need to be taintperl clean). You
may be able to control this depending on the access you allow to the cvs
server machine and by keeping the cvs executable free of set-gid
characteristics on any machine other than the server.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
-----END PGP SIGNATURE-----