CVS Import Permissions

Duane Whitty duane at
Mon Jan 30 08:37:15 PST 2006

Giorgos Keramidas wrote:
> On 2006-01-30 15:52, david bryce <davidbryce at> wrote:
>> Hi All,
>> I am having some confusion regarding the way CVS works with permissions
>> under unix when importing a new project. Currently, when I import a
>> project, I get this sort of permissions on the project directory:
>> drwxr-x---  2 jim   cvs   512 Jan 27 12:31 test_proj
>> Notice that the group (cvs) is not granted write access. Is this the
>> way it's supposed to work?
> That depends on what your `umask' currently is.
>> Do I have to use chmod to grant write access to the group every time I
>> do an import?
> No.  The correct way to fix this is to set CVSUMASK in your shell
> environment, and then import the files :)
> Of course, now that the import is done, you can still use a bit of
> ``repository hackery'' to set the g+w bit for the checked in sources.
>> Or is my CVS not configured correctly?
> Your cvs is fine.  The default umask is 022, which strips off g+w
> permissions from all newly created files; including the ones CVS creates
> in the repository.
>> If I don't grant write access to the group on that directory, every
>> check in fails with a "could not open lock file
>> `/usr/local/cvs/test_proj/,test.txt,': Permission denied". I tried
>> setting the LockDir in the config file to a world-writable directory,
>> but this doesn't seem to solve the problem when trying to check-in.
> The RCS files inside `/usr/local/cvs/test_proj' have no group-write
> permission.  You can fix this by something like this:
>     $ cd $CVSROOT
>     $ find . -print0 | xargs -0 chmod g+w
> This is the sort of ``repository hackery'' I mentioned above.
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at"
Hi everyone,

I'm new to taking into consideration the wider security issues of system 
administration.  I apologize for this long post but maybe the answer can 
save me and others from future pain. 

What I'm not sure I understand is why would we not want to grant write 
access to the "cvs" group?  According to the instructions I've read that 
is CVS's basic requirement, i.e. having write access to the repository.  
When I set up a repository without this write access the import failed 
for me as well.

One assumption I am making is that it is better to have one group with 
write permission than explicit write permission given to many different 

So here is how I set up my repository, starting as root
#cd /usr/local
#mkdir cvsrep
#chgrp cvs cvsrep
#chmod g+w cvsrep
#cvs -d /usr/local/cvsrep init

drwxrwxr_x   2 root cvs   512    Jan 30 10:25 cvsrep

#ll cvsrep
drwxrwxr-x   3 root cvs   1024  Jan 30 10:26 CVSROOT

duane$ cvs -d /usr/local/cvsrep import -m "blah blah blah" testproj 
duane start

duane$ ll /usr/local/cvsrep
drwxrwxr-x   3     root     cvs   1024  Jan 30 10:26 CVSROOT
drwxrwxr-x   5    duane   cvs     512  Jan 30 10:32 testproj

john$cvs -d /usr/local/cvsrep co testproj
  {typical checkout stuff: alls good}

-rw-rw-r--   1   john   john   62   Jan 30 10:40 proj.c

john: /usr/home/john/testproj>$ cvs -d /usr/local/cvsrep update
{typical update stuff, no conflicts, all's good}

john$ ll /usr/local/cvsrep
drwxrwxr_x   5 duane cvs   512  Jan 30 10:26 testproj

john$ ll /usr/local/cvsrep/testproj
-r--r--r--   1   duane   cvs   482   Jan 30 10:55   proj.c,v

Now I don't want to make any assumptions about whether this 
infrastructure is safe or not.  That's why I'm asking the question.  
Everything seems to work but am I leaving myself open to any known 
security problems?

Sorry for the length of this long post.  If I should have posted this 
differently please let me know.

Sincere Thanks

--Duane Whitty

duane at

More information about the freebsd-questions mailing list