CVS permissions are (mostly) handled through permissions on the directories in CVS (I think the manual covers this).

If you only have two groups (one that can modify stuff in CVSROOT and one that can't), this is pretty straightforward -- just change CVSROOT's (and the corresponding directory in LockDir) group to the one that's allowed to make modifications in it. Also be sure to setgid the directories.

If you want more than one group to have permissions within a directory, use file system ACLs (man setfacl). One caveat with this is that permission inheritance (i.e. default permissions) is a bit messy -- don't use it. Instead, create a loginfo script that'll setfacl stuff that's checked in. The stuff you gotta watch out for in this script are:

0. Directories and files must be readable by those needing checkout privileges.
1. Directories must be writable by those needing commit privileges.
2. Directories must be executable by those needing checkout privileges.
3. Files must keep their execute bit set properly (i.e. the way it was before the commit).

Now that we've covered some basics, we'll have to go over a little detail. CVSROOT is a special case in that it contains one or two files that everyone needs write access to. Since I've never had to deal with permissions on these files, I don't know how they fit into the model I describe above. IMHO, these files do not belong directly under CVSROOT; they should be moved to a directory underneath CVSROOT.

Noel

[EMAIL PROTECTED] on 2000.09.07 05:44:41

To: [EMAIL PROTECTED]
cc: (bcc: Noel L Yap)
Subject: Securing CVSROOT write access with LockDir

Hi.

We're currently using CVS 1.10 on GNU/Linux platform, with ssh as CVS_RSH connection method.

Our repository contains a rwxrwsr-x CVSROOT directory, in order to let everybody create lock files (every developer belongs to the group owning CVSROOT). This is problematic since we don't want everybody to be able to commit changes into CVSROOT, which is possible with the current rights of CVSROOT: even if we write-protect individual files in CVSROOT, they are nevertheless changed (deleted/re-created?) after a user has committed them.

We plan to use the LockDir option of CVSROOT/config to have locks created in a different directory than CVSROOT. Then we can write-protect CVSROOT and make it, for instance, rwxr-xr-x, which prevents anybody but the owner from committing any modifications to it.

I have several questions though:

- is this a good way to secure the CVS system (ssh handles privileges, then individual repository directories use unix groups for protection, and CVSROOT can only be modified by the admin)?
- which files have to remain writable inside CVSROOT (thinking of history, val-tags)?
- what exact compatibility problems exist between V1.9/V1.10 of CVS about this LockDir option (the documentation is not very clear as to whether it is a problem with CVS client versions, or migrating the repository to a downgraded server version, etc.)?

Btw, I have had little luck when looking for information about securing the repository, and found very few details about this way of protecting CVSROOT. I think that it may be because many people use CVS with pserver, but anyway, I suggest that maintainers of CVS documentation / sites add a detailed section on this security problem / solution, if it is the right one ;)...

Thanx in advance for your help.

--
Olivier BERGER
IDEALX S.A.S.
Senior developer
15-17, av. de Ségur
F-75007 PARIS
01.44.42.00.00
06.81.27.86.79
http://IDEALX.com/
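
The four ACL rules listed in Noel's reply at the top of this thread, written out as a script that a loginfo hook could call. This is an added example, not code from either poster or from CVS. The group names, the DRY_RUN switch and the convention that the script receives the repository directory as its first argument are assumptions; GNU find is assumed for -maxdepth.

```shell
#!/bin/sh
# Added example. Group names are hypothetical; override via the environment.
COMMIT_GROUP=${COMMIT_GROUP:-cvscommit}     # may commit (assumed name)
CHECKOUT_GROUP=${CHECKOUT_GROUP:-cvsread}   # may only check out (assumed name)

# Print the setfacl ACL spec for one path.
acl_spec() {
    if [ -d "$1" ]; then
        # Rules 1 and 2: committers may write, both groups may read and traverse.
        printf 'g:%s:rwx,g:%s:r-x\n' "$COMMIT_GROUP" "$CHECKOUT_GROUP"
    elif [ -n "$(find "$1" -prune -perm -100)" ]; then
        # Rule 3: the owner execute bit was set before, so keep x in the ACL.
        printf 'g:%s:r-x,g:%s:r-x\n' "$COMMIT_GROUP" "$CHECKOUT_GROUP"
    else
        # Rule 0: files are readable; write access comes from the directory.
        printf 'g:%s:r--,g:%s:r--\n' "$COMMIT_GROUP" "$CHECKOUT_GROUP"
    fi
}

# Apply the ACLs to a repository directory and its direct entries.
# With DRY_RUN=1 the setfacl commands are printed instead of executed.
apply_acls() {
    find "$1" -maxdepth 1 \( -type d -o -type f \) | while IFS= read -r p; do
        spec=$(acl_spec "$p")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'setfacl -m %s %s\n' "$spec" "$p"
        else
            setfacl -m "$spec" "$p"
        fi
    done
}

# Assumed invocation: the hook passes the repository directory as $1.
if [ $# -gt 0 ]; then
    apply_acls "$1"
fi
```

Running it with DRY_RUN=1 against a copy of the repository shows the exact setfacl calls before any ACL is changed.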
