|
From: | Michaelis, Daniel |
Subject: | Silly question about CVS and permissions |
Date: | Mon, 18 Apr 2005 13:16:41 -0400 |
Folks, I'm COMPLETELY new to CVS, and am assisting the CVS
administrator configure the tool on a Linux server. I've got a cursory
understanding of the CVSROOT directory structure; my question is one of
permissions. I realize that this has probably been addressed in the past, but
reading through the archives, I've not found, or not understood the
resolution here. My understanding is that I ought to set up an account for a ${CVSADMIN}
user, and create a ${CVS} group. In the ${CVSROOT}/CVSROOT directory, all
files should be owned by ${CVSADMIN}, and have very restricted permissions. My
question comes from the remainder of the tree. If I've got users User1,
User2, and User3, all using this repository, I want to make sure that none of
these users either accidentally or maliciously destroy or damage the entire CVS
tree. My understanding is that User1, User2, and User3 must all belong to the
${CVS} group in order for things to work properly. If the permission scheme
for the ${CVSROOT} directories looks as follows: config-files (${CVSADMIN}:750)
(640) /
----file2 (User2:700) / / CVSROOT (${CVSADMIN}:700) bin (${CVSADMIN}:770)
----- file1 (User1:700) / / / / ${CVSROOT} (${CVSADMIN}:755) ----- ProjectDir1 (${CVSADMIN}:
770) \ \ ProjectDir2 (${CVSADMIN}: 770) there doesn't seem to be anything that prevents User1
from going into the ProjectDir1/bin directory and removing file2 (which is
owned by User2). The directory permissions don't allow User1 to MOFIDY
file2, but they do allow him to REMOVE file2, if he uses the force option on
the rm command. Alternatively, if I set file permissions for the directories
to be 700 rather than 770, then neither User1 nor User2 can work with CVS. I've kludged a solution, which is to set the setuid
flag on the cvs executable, but I've seen a number of posts that indicate
that isn't a wise move, and I've now got some problems with the
update and status command from remote machines, saying that the directories don't
exist (interestingly enough, I can check in and update files, but I can't
do the same with directories). The exact error is: cvs server: ignoring ${PROJECTDIR1}
(CVS/Repository missing) where ${PROJECTDIR1} is the name of the directory that I'm
trying to update. Given the background presented here:
Any or all recommendations/solutions would be appreciated. Thanks. Dan Michaelis Database Administrator/Developer eOriginal 410.625.5187 (phone) 410.659.9799 (fax) |
[Prev in Thread] | Current Thread | [Next in Thread] |