--- Muhammad Shakeel <address@hidden> wrote:
> Thanks a lot for quick and valuable reply. I implemented the ACL but
> did not implement ACL on file level. Therefore on file level I had
> given a read permission to others (r--r--r--) by setting CVSUMASK.

Be careful that you're not turning off file execute bits for scripts.

> Therefore the folders also got the read permission in others field. Is
> this only read permission can make any security risk?

Read perms for other is only a security risk if the info within the
repository is so confidential that others on the system should not be
able to see it.

> It seems without execute permission on a folder no one can access the
> files inside that folder.

Yes, as I think I stated in my previous email, execute permissions will
be necessary for anyone who needs access to the repository.

> Yes, it is important to refresh the ACL after checkin, because CVS
> changes the file ownership and group information to the one who checked
> in the file.

File ownership doesn't matter, really (except for being able to change
file permissions). The file permissions are more important.

> Also the PreservePermission in CVSROOT/config file does
> seems to be properly implemented.

Don't use it. I think I've heard it's so bad that it should be ripped out.

> The last paragraph of your reply shows file-level ACL is also
> required. Should we need to implement ACL for files too? Is any
> reference script for loginfo ACL available?

File-level permissioning is necessary to guarantee that those that need
read permissions get them (of course, you could grant read permissions
to everyone if you don't think your stuff is that confidential). It's
also important to preserve the execute bit (CVS does this automatically
for normal permissions, but not for ACLs).

I'll see if I can dig up my script.

Noel
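
The permission points raised in this exchange (directories need execute, RCS files need read, execute bits on scripts must survive a CVSUMASK change) can be checked with an audit like the one below. This is an added example, not Noel's script and not part of CVS; the function name and the finding tags are hypothetical, and it inspects only the traditional mode bits, not ACL entries.

```shell
#!/bin/sh
# Added example: audit a CVS repository tree for the permission problems
# discussed in the thread. Name and tags are made up for illustration.
#
# audit_cvs_perms REPO [CLASS]
#   CLASS is "o" (other, the default) or "g" (group).
# Prints one "TAG path" line per finding and returns 1 if there are any.
audit_cvs_perms() {
    repo=$1
    class=${2:-o}
    case $class in
        o) r=004 x=001 rx=005 ;;
        g) r=040 x=010 rx=050 ;;
        *) echo "class must be o or g" >&2; return 2 ;;
    esac
    findings=$(
        # A directory without read+execute for the class hides everything
        # below it, whatever the file modes are.
        find "$repo" -type d ! -perm -"$rx" | sed 's/^/DIR-NO-RX /'
        # RCS files (*,v) the class cannot read.
        find "$repo" -type f -name '*,v' ! -perm -"$r" | sed 's/^/FILE-NO-READ /'
        # Owner execute is set but the class's execute bit was masked off:
        # the mode bits of a script's RCS file no longer agree.
        find "$repo" -type f -name '*,v' -perm -100 ! -perm -"$x" |
            sed 's/^/EXEC-MISMATCH /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run directly as: sh audit.sh /path/to/cvsroot [o|g]
if [ "$#" -gt 0 ]; then
    audit_cvs_perms "$@"
fi
```

Run it as a user who can traverse the whole repository (the owner or root); a script file whose execute bits were all stripped cannot be detected from the mode alone.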
From: Noel Yap <address@hidden>
Subject: Re: how to implement user level security in cvs ?
To: Muhammad Shakeel <address@hidden>
Cc: address@hidden
In-Reply-To: <address@hidden-