Mark,

Thanks for the help. I changed the top level dir that contains the code base to 2770 and still get the same error:

    cvs upd
    cvs [update aborted]: unrecognized auth response from lcs002: cvs pserver: cannot open /home/code/.CVS/CVSROOT/config: Permission denied

The OS is Linux running cvs 1.11.10. I run cvspserver as dir owner "code". Any other suggestions?

Chris

-----Original Message-----
From: Mark D. Baushke [mailto:[EMAIL PROTECTED]]
Sent: Thu 11-Dec-03 11:10
To: Chris Croswhite
Cc: [EMAIL PROTECTED]
Subject: Re: CVS dir permissions

Chris Croswhite <[EMAIL PROTECTED]> writes:

> I have been digging into the manual for security and directory
> permissions. So far I have not found what I am looking to implement
> and that is to cut off others outside specific groups from seeing the
> cvs repository. Currently I must maintain 755 on all the dirs in order
> for cvs to work. If I change to 750, even someone with the same group
> membership, cvs will not run properly.

Are you using client/server with :ext: or :pserver: or are you using :local: as the access method?

I suggest you may want to run 770 and depending on your OS, you may want to use the group sticky-bit to force newly created files and directories to be in the same group as the parent directory. Everyone in the group for those directories will be able to commit to the repository.

> I need to know how to implement simple dir permissions to cut off the
> outside world e.g. 750. Any help is greatly appreciated.

I don't see how 750 will ever work for you unless you are using :pserver: and then you could use 700 as the access.

If you need to use :ext: access, then there is another way to approach this...

    CVSROOT=/path1/cvsroot

    /path1         is user root and group 'software' and has 750 permissions (u=rwx,g=rx,o=)
    /path1/cvsroot is user root and group 'cvs'      and has 770 permissions (u=rwx,g=rwx,o=)
    /usr/bin/cvs   is user bin  and group 'cvs'      and has 1555 permissions (u=rx,g=rxs,o=)

Now, only users in group software are able to see inside the /path1 directory to get to /path1/cvsroot and even folks that are able to get inside are unable to do anything to the directory structure outside of the cvs command.

Of course, this is not perfect security as anyone able to commit into the CVSROOT module could do things and it might be possible to use the EDITOR to grant themselves extra permissions... and you will also need to be careful about the scripts that are run from commitinfo, verifymsg, loginfo and taginfo (perl scripts will need to be taintperl clean).

You may be able to control this depending on the access you allow to the cvs server machine and by keeping the cvs executable free of set-gid characteristics on any machine other than the server.

Good luck,
-- Mark

_______________________________________________
Info-cvs mailing list [EMAIL PROTECTED] http://mail.gnu.org/mailman/listinfo/info-cvs
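The directory layout Mark describes (a parent that only one group can traverse, a group-writable repository with the set-gid bit so new files and directories keep the group, which is the "group sticky-bit" he mentions and the 2770 Chris applied) can be built and verified with a short script. The following is an added example, not code from the thread or from CVS itself. It assumes GNU or busybox `stat -c`, uses a scratch directory in place of `/path1`, and uses the caller's own group (`id -gn`) as a stand-in for both 'software' and 'cvs', because creating those groups and chowning to root requires privileges; the set-gid `/usr/bin/cvs` binary (1555) is left out for the same reason.

```shell
#!/bin/sh
# Added example: lay out and check a CVS repository tree with the permissions
# discussed in the thread. Assumptions: GNU/busybox "stat -c"; a single group
# supplied by the caller stands in for 'software' and 'cvs'; BASE is a
# scratch path standing in for /path1.
set -eu

# setup_cvs_tree BASE GROUP
#   BASE/          mode 750  : only owner and GROUP can traverse (Mark's /path1)
#   BASE/cvsroot   mode 2770 : group-writable, set-gid so new files/dirs keep GROUP
setup_cvs_tree() {
    base="$1"
    grp="$2"
    mkdir -p "$base/cvsroot/CVSROOT"
    chgrp "$grp" "$base" "$base/cvsroot" "$base/cvsroot/CVSROOT"
    chmod 750 "$base"                  # u=rwx,g=rx,o=
    chmod 2770 "$base/cvsroot"         # u=rwx,g=rwx,o= plus set-gid on the directory
    chmod 2770 "$base/cvsroot/CVSROOT"
}

# mode_of PATH -> octal mode, including the set-uid/set-gid/sticky digit (e.g. 2770)
mode_of() {
    stat -c '%a' "$1"
}

# check_tree BASE -> 0 when the modes are as intended and a module directory
# created afterwards inherits both the set-gid bit and the group from cvsroot
# (this is what makes every later "cvs import" land in the right group).
check_tree() {
    base="$1"
    [ "$(mode_of "$base")" = "750" ] || return 1
    [ "$(mode_of "$base/cvsroot")" = "2770" ] || return 1
    mkdir "$base/cvsroot/module"       # stands in for a directory cvs would create
    [ -g "$base/cvsroot/module" ] || return 1          # set-gid bit inherited
    [ "$(stat -c '%g' "$base/cvsroot/module")" = "$(stat -c '%g' "$base/cvsroot")" ] || return 1
    return 0
}

# Stand-alone run: build and check a throwaway tree, then remove it.
scratch=$(mktemp -d)
setup_cvs_tree "$scratch/path1" "$(id -gn)"
if check_tree "$scratch/path1"; then
    echo "layout ok: $(mode_of "$scratch/path1") $(mode_of "$scratch/path1/cvsroot")"
else
    echo "layout check failed" >&2
fi
rm -rf "$scratch"
```

On a real server the two groups would differ: 'software' on the parent decides who can reach the repository at all, while 'cvs' on `cvsroot` (together with the set-gid `cvs` binary) decides who can write to it. The `-g` test in `check_tree` is the part worth keeping in a deployment check, since a module directory that lost the set-gid bit will start producing files owned by each committer's primary group, which is the kind of drift that leads back to the "Permission denied" error at the top of the thread.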
