[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Can't do setuid

From: Eric Siegerman
Subject: Re: Can't do setuid
Date: Tue, 4 Feb 2003 17:48:24 -0500
User-agent: Mutt/1.2.5i

On Tue, Feb 04, 2003 at 04:35:47PM -0500, Brian Kowald wrote:
> For my whole repository, I set the file and directory owner to cvs and the
> group to cvsusers. I did this recursively.

Setting the group is good.  Setting the owner doesn't help much;
as you've discovered, it doesn't stay set for very long...

> I set "set group id bit" for the entire repository with    'chmod -R g+s'.
> This is so that new files will have the correct group and owner.

That should only have been done on the directories, NOT on the files.
However, everything should be g+w.  So from a standing start,
it'd be something like:
        chmod -R g+w
        find . -type d -print0 | xargs -0 chmod g+s
(That's with GNU findutils.  Without it, the g+s pipeline is
harder to do both safely and quickly.  This has been discussed
here in the past; see the archives for details).  

Of course, from your current state, your task is to turn *off*
setgid on the files, not to turn it *on* on the directories...

A couple more steps are needed:
  - Add the users to group "cvsgroup" (then have them log in
    again to pick up the change)

  - Make sure that users' umasks do NOT include the 020 bit, i.e.
    that they create files group-writable.  Of course, this has
    possibly-unpleasant ramifications for non-CVS files; the
    CVSUMASK environment variable *might* be of help, depending
    on your setup.

> When
> I go and look at the repository, the owner has changed to the user doing the
> cvs command.

That's as expected.  Once the group stuff that we're talking
about is set up properly, this behaviour shouldn't cause any
problems.  (Indeed, working around this is a lot of the point of
the group stuff in the first place.)

> When I execute a cvs update, I get the error message "Can't do setuid'

I have a few thoughts, but nothing concrete:
  - Do you have setuid or setgid enabled on the CVS executable
    itself?  If so, turn them off.

  - One of the other suggestions might fix it (especially turning
    off setgid on the ,v files).

  - That message doesn't seem to occur in CVS 1.11.5.  Which
    version are you using?  If it's an old one, try upgrading.
  - Or are you using another implementation, e.g.  WinCVS, cvsnt,
    etc.?  If so, you might have better luck on the appropriate


|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        address@hidden
|  |  /
A distributed system is one on which I cannot get any work done,
because a machine I have never heard of has crashed.
        - Leslie Lamport

reply via email to

[Prev in Thread] Current Thread [Next in Thread]