Re: Can't do setuid

Tue, 04 Feb 2003 14:48:58 -0800 

On Tue, Feb 04, 2003 at 04:35:47PM -0500, Brian Kowald wrote:
> For my whole repository, I set the file and directory owner to cvs and the
> group to cvsusers. I did this recursively.

Setting the group is good.  Setting the owner doesn't help much;
as you've discovered, it doesn't stay set for very long...


> I set "set group id bit" for the entire repository with    'chmod -R g+s'.
> This is so that new files will have the correct group and owner.

That should only have been done on the directories, NOT on the files.
However, everything should be g+w.  So from a standing start,
it'd be something like:
        chmod -R g+w
        find . -type d -print0 | xargs -0 chmod g+s
(That's with GNU findutils.  Without it, the g+s pipeline is
harder to do both safely and quickly.  This has been discussed
here in the past; see the archives for details).  

Of course, from your current state, your task is to turn *off*
setgid on the files, not to turn it *on* on the directories...


A couple more steps are needed:
  - Add the users to group "cvsgroup" (then have them log in
    again to pick up the change)

  - Make sure that users' umasks do NOT include the 020 bit, i.e.
    that they create files group-writable.  Of course, this has
    possibly-unpleasant ramifications for non-CVS files; the
    CVSUMASK environment variable *might* be of help, depending
    on your setup.


> When
> I go and look at the repository, the owner has changed to the user doing the
> cvs command.

That's as expected.  Once the group stuff that we're talking
about is set up properly, this behaviour shouldn't cause any
problems.  (Indeed, working around this is a lot of the point of
the group stuff in the first place.)


> When I execute a cvs update, I get the error message "Can't do setuid'

I have a few thoughts, but nothing concrete:
  - Do you have setuid or setgid enabled on the CVS executable
    itself?  If so, turn them off.

  - One of the other suggestions might fix it (especially turning
    off setgid on the ,v files).

  - That message doesn't seem to occur in CVS 1.11.5.  Which
    version are you using?  If it's an old one, try upgrading.
    
  - Or are you using another implementation, e.g.  WinCVS, cvsnt,
    etc.?  If so, you might have better luck on the appropriate
    list.

--

|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        [EMAIL PROTECTED]
|  |  /
A distributed system is one on which I cannot get any work done,
because a machine I have never heard of has crashed.
        - Leslie Lamport


_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs

Reply via email to