Why can't root check in files?

From: luke
Subject: Why can't root check in files?
Date: Wed, 10 Oct 2001 12:16:01 +1000 (EST)

I came upon this error last night:

address@hidden profile.d]# cvs commit
cvs [commit aborted]: cannot commit files as 'root'

Can someone explain this to me, please?  It's a major problem for me.
I had a look through the FAQ and the cvs document, but could find no
mention of it.

Some context:

I have now completed my script which runs over /etc on a Unix system
and adds all the config files into a cvs repository.  The repository is
stored under root's account, and the file permissions on the repository
files are set to match those of the live files, for security reasons:
so that ordinary users can't bypass normal file security by looking at
the /etc repository.

The actual file owner and permission "metadata" is also stored in
separate metadata files, also checked into the repository.

So I believe this scheme is secure.  Also, all works well as far as
running cvs diff to see what's changed (it can be quite interesting!).
And obviously cvs add works fine (care must be taken security-wise
afterwards, of course).  But cvs won't let root commit files after the
initial commit used to add them.

Can someone explain the reasoning behind this?  If there is a worry
that scripts added by other users could breach security - that's no
worry either, since it's using a private repository that only root has
access to.

In short, this feature is preventing me from using cvs to fully manage
Unix system configurations, and I'd like to know if I'm overlooking
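
The scheme described in the post depends on every repository file being no more accessible than the live file it tracks. As an added example (not part of the original post), this shell function audits that property; it assumes GNU stat and the usual CVS layout, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat and the usual
# CVS layout: each versioned file is "<name>,v", removed files sit in Attic/.

# audit_repo_perms LIVE_ROOT REPO_ROOT
# Prints one line per finding:
#   WIDER   - RCS file grants group/other bits the live file does not
#   OWNER   - RCS file and live file have different owners
#   MISSING - RCS file has no live counterpart to compare against
audit_repo_perms() {
    live_root=$1
    repo_root=$2
    find "$repo_root" -type f -name '*,v' | while IFS= read -r rcs; do
        rel=${rcs#"$repo_root"/}
        rel=${rel%,v}
        case $rel in Attic/*|*/Attic/*) continue ;; esac
        live=$live_root/$rel
        if [ ! -e "$live" ]; then
            printf 'MISSING %s\n' "$rel"
            continue
        fi
        repo_mode=$(stat -c %a "$rcs"); live_mode=$(stat -c %a "$live")
        repo_uid=$(stat -c %u "$rcs");  live_uid=$(stat -c %u "$live")
        # Leading 0 makes the shell read the mode as octal.
        excess=$(( 0$repo_mode & ~0$live_mode & 077 ))
        if [ "$excess" -ne 0 ]; then
            printf 'WIDER %s repo=%s live=%s excess=%03o\n' \
                "$rel" "$repo_mode" "$live_mode" "$excess"
        fi
        if [ "$repo_uid" != "$live_uid" ]; then
            printf 'OWNER %s repo_uid=%s live_uid=%s\n' "$rel" "$repo_uid" "$live_uid"
        fi
    done
}

# Constructed demo tree: shadow is 600 live but its RCS file is world-readable.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/live" "$t/repo"
    : > "$t/live/passwd";   chmod 644 "$t/live/passwd"
    : > "$t/live/shadow";   chmod 600 "$t/live/shadow"
    : > "$t/repo/passwd,v"; chmod 444 "$t/repo/passwd,v"
    : > "$t/repo/shadow,v"; chmod 444 "$t/repo/shadow,v"
    audit_repo_perms "$t/live" "$t/repo"
    rm -rf "$t"
}
demo
```

The function checks files only; the repository directories need the same comparison, since a readable directory still discloses file names.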


