info-cvs

Re: pserver groups


From: Noel L Yap
Subject: Re: pserver groups
Date: Fri, 1 Dec 2000 16:29:17 -0500

This looks like it'll act much the same as Solaris's implementation.

Now, what I don't mention too often is how to use ACLs to your advantage.  Here
it is:

It's well known what permissions are needed for users to use the repository:
$CVSROOT directories must be readable by everyone and writable by those who need
commit privileges.
LockDir directories must be writable by everyone.
Archive files must be readable by everyone.

Let's say you have three modules A, B, and AB and four groups coA, coB, ciA, and
ciB:
coA needs only checkout privileges on A and AB.
coB needs only checkout privileges on B and AB.
ciA needs both checkin and checkout privileges only on A and AB.
ciB needs both checkin and checkout privileges only on B and AB.
Everyone else must have no privileges.

So, set the permissions accordingly:
find $CVSROOT LockDir | xargs chmod o-rwx
find $CVSROOT/A $CVSROOT/AB -type d | xargs setfacl -m g:coA:r-x,g:ciA:rwx
find $CVSROOT/A $CVSROOT/AB -type f | xargs setfacl -m g:coA:r--,g:ciA:r--  # in reality, set x bit accordingly
find $CVSROOT/B $CVSROOT/AB -type d | xargs setfacl -m g:coB:r-x,g:ciB:rwx
find $CVSROOT/B $CVSROOT/AB -type f | xargs setfacl -m g:coB:r--,g:ciB:r--  # in reality, set x bit accordingly
find LockDir/A LockDir/B LockDir/AB -type d | xargs setfacl -m g:coA:rwx,g:ciA:rwx,g:coB:rwx,g:ciB:rwx

Then place users into the groups they belong:
foo needs only checkout privileges on A and AB so foo belongs in coA.
bar needs checkin privileges on everything so bar belongs in ciA and ciB.
Everyone else must not belong in any of coA, coB, ciA, or ciB.

You may also be more granular with regards to your groups, using rA, wA, rB, and
wB:
find $CVSROOT LockDir | xargs chmod o-rwx
find $CVSROOT/A $CVSROOT/AB -type d | xargs setfacl -m g:rA:r-x,g:wA:-wx
find $CVSROOT/A $CVSROOT/AB -type f | xargs setfacl -m g:rA:r--,g:wA:r--    # in reality, set x bit accordingly
find $CVSROOT/B $CVSROOT/AB -type d | xargs setfacl -m g:rB:r-x,g:wB:-wx
find $CVSROOT/B $CVSROOT/AB -type f | xargs setfacl -m g:rB:r--,g:wB:r--    # in reality, set x bit accordingly
find LockDir/A LockDir/B LockDir/AB -type d | xargs setfacl -m g:rA:rwx,g:wA:rwx,g:rB:rwx,g:wB:rwx

Place users into the groups they belong:
foo needs only checkout privileges on A and AB so foo belongs in rA.
bar needs checkin privileges on everything so bar belongs in rA, wA, rB, and
wB.
Everyone else must not belong in any of rA, wA, rB, or wB.

Finally, to top it off, you'll need to maintain these ACLs each time a new
directory is created or a file is checked in by using a loginfo script:
#!/usr/local/bin/perl


#
# This script:
# 0. maintains the ACLs of repository archive files and directories
#
# Notes:
# 0. needs %{sv} specified in loginfo
#
# Contributed by Noel Yap (address@hidden)

# perl settings
$"=""; # set list separator to null

# constants

$STATE_NONE     = 0;
$STATE_MODIFIED = 1;
$STATE_ADDED    = 2;
$STATE_REMOVED  = 3;
$STATE_LOG      = 4;

$CVSROOT = $ENV{"CVSROOT"};
$CVSROOT =~ s/^.*://;

# subroutines
sub setacl
{
    my ($parent, $entry) = @_;

    if(-d "$entry")
    {
        system("getfacl $parent | grep -v '^default:' | setfacl -f - $entry");
    }
    elsif(-x "$entry")
    {
        system("getfacl $parent | grep -v '^default:' | sed -e 's/:r[-w][-x]/:r-x/' | setfacl -f - $entry");
    }
    else
    {
        system("getfacl $parent | grep -v '^default:' | sed -e 's/:r[-w][-x]/:r--/' | setfacl -f - $entry");
    }
}

# main
# parse command line arguments (file list is seen as one arg)
@argv = split(/ /, shift @ARGV);
$directory = shift @argv; # directory relative to $CVSROOT

foreach $v (@argv)
{
    my ($file, $rev) = split /,/, $v;

    if($file eq "-")
    {
        my ($word1, $rev) = split /,/, $argv[1];

        if($word1 eq "New")
        {
            my ($word2, $rev) = split /,/, $argv[2];

            if($word2 eq "directory") # new directory
            {
                ($file = $directory) =~ s/.*\///; # new directory name without path specification
                $directory =~ s/(.*)\/.*/$1/; # path specification of new directory relative to module

                &setacl("$CVSROOT/$directory", "$CVSROOT/$directory/$file");
            }
        }
        elsif($word1 eq "Imported")
        {
            my ($word2, $rev) = split /,/, $argv[2];

            if($word2 eq "sources") # import
            {
                my @directories;
                my @files;

                while(<STDIN>)
                {
                    chop;

                    if(/^Status:/)
                    {
                        $state = $STATE_NONE;

                        next;
                    }
                    elsif(/^Release Tags:/)
                    {
                        $state = $STATE_ADDED;

                        next;
                    }
                    elsif(/^Log Message:/)
                    {
                        $state = $STATE_LOG;

                        next;
                    }

                    if($state == $STATE_ADDED)
                    {
                        if(/^N /)
                        {
                            $file = $';

                            push @files, "$file ";
                        }
                    }
                }

                foreach $directory (`echo "@files" | xargs -n1 dirname | uniq`)
                {
                    chop $directory;

                    &setacl("$CVSROOT", "$CVSROOT/$directory");
                }

                foreach $file (@files)
                {
                    chop $file;

                    &setacl("$CVSROOT", "$CVSROOT/$file,v");
                }
            }
        }

        last;
    }
    else # the file has been added, modified, or removed
    {
        if(-f "$CVSROOT/$directory/$file,v")
        {
            &setacl("$CVSROOT/$directory", "$CVSROOT/$directory/$file,v");
        }
        else
        {
            &setacl("$CVSROOT/$directory", "$CVSROOT/$directory/Attic/$file,v");
        }
    }
}

Noel




address@hidden on 2000.12.01 15:21:05

To:   address@hidden
cc:   address@hidden, address@hidden, address@hidden
Subject:  Re: pserver groups




Noel L Yap wrote:

> Yes, I'm running Solaris 2.6.  IIRC, Solaris 2.5.1 also had support for them.
> I'd be somewhat surprised if Linux didn't have support for them, yet.

Yep.  Don't know how well it works but I found support as a kernel patch:
http://acl.bestbits.at/ .  Sounds like what I know of Solaris ACLs and what you
describe, but that isn't all that much.

Derek

--
Derek Price                      CVS Solutions Architect ( http://CVSHome.org )
mailto:address@hidden     OpenAvenue ( http://OpenAvenue.com )
--
A polar bear is a rectangular bear after a coordinate transform.
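The scheme above has three moving parts: a table of which group may read or write which module, the per-path ACL entries derived from that table (different for directories, archive files and LockDir), and the loginfo step that copies a parent's ACL onto a newly created child. The following Python is an added example, not code from the thread or from CVS: it models those three parts so the setfacl arguments can be generated from the policy instead of typed by hand, reproduces the getfacl-to-setfacl rewrite the Perl script does with sed, and audits a getfacl listing for entries the policy never granted. The POLICY table uses the thread's second (rA/wA) variant; the getfacl text is constructed sample output, and the module names, group names and path /cvsroot are assumptions.

```python
"""Policy-driven view of the group ACL scheme for a CVS repository.

Added example (not from the original post).  Assumes modules A, B, AB,
groups rA/wA/rB/wB and a constructed getfacl listing for /cvsroot/AB.
"""
import re

# Policy from the post, second variant: readers get checkout, writers get
# commit.  Writers are expected to be in the matching read group as well.
POLICY = {
    "A":  {"read": ["rA"],       "write": ["wA"]},
    "B":  {"read": ["rB"],       "write": ["wB"]},
    "AB": {"read": ["rA", "rB"], "write": ["wA", "wB"]},
}

# Permission each role gets per kind of path, as in the post's find/setfacl
# lines: r-x / -wx on repository directories, r-- on ,v archives (x bit to
# be set separately for executables), rwx for everyone on LockDir entries.
PERMS = {
    "dir":     {"read": "r-x", "write": "-wx"},
    "file":    {"read": "r--", "write": "r--"},
    "lockdir": {"read": "rwx", "write": "rwx"},
}


def acl_entries(module, kind):
    """Return the argument for 'setfacl -m' for a path of `kind` in `module`."""
    spec = POLICY[module]
    parts = [f"g:{group}:{PERMS[kind][role]}"
             for role in ("read", "write") for group in spec[role]]
    return ",".join(parts)


def allowed_groups(module):
    """Every group that may hold any ACL entry under `module`."""
    return set(POLICY[module]["read"]) | set(POLICY[module]["write"])


def child_acl(parent_getfacl, child_kind):
    """Derive a new child's ACL text from its parent's getfacl output, the
    way the post's loginfo script does: drop 'default:' lines, and for files
    rewrite the first r?? permission on each line to r-x (child_kind 'exec')
    or r-- (child_kind 'file').  child_kind 'dir' copies entries unchanged.
    Like the sed in the script, this also touches the owner and mask lines."""
    target = {"exec": ":r-x", "file": ":r--"}.get(child_kind)
    out = []
    for line in parent_getfacl.splitlines():
        if line.startswith("default:"):
            continue
        if target is not None:
            line = re.sub(r":r[-w][-x]", target, line, count=1)
        out.append(line)
    return "\n".join(out)


# Accepts both the Solaris form (mask:rwx, other:r-x, '#effective:' notes)
# and the Linux form (mask::rwx, other::r-x).
GETFACL_LINE = re.compile(
    r"^(user|group|mask|other):(?:([^:]*):)?([rwx-]{3})\s*(?:#.*)?$")


def audit(getfacl_text, module):
    """List ACL entries on a path that grant more than POLICY allows for
    `module`: any access for 'other', or a named group outside the policy.
    Use it to spot drift after commits or imports that bypassed loginfo."""
    findings = []
    for line in getfacl_text.splitlines():
        m = GETFACL_LINE.match(line)
        if not m:
            continue
        tag, name, perm = m.group(1), m.group(2) or "", m.group(3)
        if tag == "other" and perm != "---":
            findings.append(f"other has {perm}")
        elif tag == "group" and name and name not in allowed_groups(module):
            findings.append(f"unexpected group {name} has {perm}")
    return findings


# Constructed sample: getfacl output for the AB module directory after the
# policy was applied, plus two entries that were never granted.
SAMPLE_AB_DIR = """\
# file: /cvsroot/AB
# owner: cvs
# group: cvs
user::rwx
group::r-x
group:rA:r-x
group:wA:-wx
group:rB:r-x
group:wB:-wx
group:staff:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::r-x
default:mask:rwx
default:other:---
"""

if __name__ == "__main__":
    for kind in ("dir", "file", "lockdir"):
        print(f"AB {kind}: setfacl -m {acl_entries('AB', kind)}")
    print(child_acl(SAMPLE_AB_DIR, "file"))
    print(audit(SAMPLE_AB_DIR, "AB"))
```

Run it as is to see the generated setfacl arguments, the ACL the loginfo rewrite would produce for a plain ,v file under AB, and the two findings from the audit (group staff and other both having access). The audit is the piece worth scheduling: every path the loginfo hook misses, or any file created by a process that is not cvs, shows up as drift rather than as a silent privilege grant.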
