CVS Import Permissions
Duane Whitty
duane at greenmeadow.ca
Mon Jan 30 08:37:15 PST 2006
Giorgos Keramidas wrote:
> On 2006-01-30 15:52, david bryce <davidbryce at fastmail.fm> wrote:
>
>> Hi All,
>>
>> I am having some confusion regarding the way CVS works with permissions
>> under unix when importing a new project. Currently, when I import a
>> project, I get this sort of permissions on the project directory:
>>
>> drwxr-x--- 2 jim cvs 512 Jan 27 12:31 test_proj
>>
>> Notice that the group (cvs) is not granted write access. Is this the
>> way it's supposed to work?
>>
>
> That depends on what your `umask' currently is.
>
>
>> Do I have to use chmod to grant write access to the group every time I
>> do an import?
>>
>
> No. The correct way to fix this is to set CVSUMASK in your shell
> environment, and then import the files :)
>
> Of course, now that the import is done, you can still use a bit of
> ``repository hackery'' to set the g+w bit for the checked in sources.
>
>
>> Or is my CVS not configured correctly?
>>
>
> Your cvs is fine. The default umask is 022, which strips off g+w
> permissions from all newly created files; including the ones CVS creates
> in the repository.
>
>
>> If I don't grant write access to the group on that directory, every
>> check in fails with a "could not open lock file
>> `/usr/local/cvs/test_proj/,test.txt,': Permission denied". I tried
>> setting the LockDir in the config file to a world-writable directory,
>> but this doesn't seem to solve the problem when trying to check-in.
>>
>
> The RCS files inside `/usr/local/cvs/test_proj' have no group-write
> permission. You can fix this by something like this:
>
> $ cd $CVSROOT
> $ find . -print0 | xargs -0 chmod g+w
>
> This is the sort of ``repository hackery'' I mentioned above.
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
>
>
>
>
Hi everyone,
I'm new to taking into consideration the wider security issues of system
administration. I apologize for this long post but maybe the answer can
save me and others from future pain.
What I'm not sure I understand is why would we not want to grant write
access to the "cvs" group? According to the instructions I've read that
is CVS's basic requirement, i.e. having write access to the repository.
When I set up a repository without this write access the import failed
for me as well.
One assumption I am making is that it is better to have one group with
write permission than explicit write permission given to many different
users.
So here is how I set up my repository, starting as root
#cd /usr/local
#mkdir cvsrep
#chgrp cvs cvsrep
#chmod g+w cvsrep
#cvs -d /usr/local/cvsrep init
#ll
drwxrwxr_x 2 root cvs 512 Jan 30 10:25 cvsrep
#ll cvsrep
drwxrwxr-x 3 root cvs 1024 Jan 30 10:26 CVSROOT
duane$ cvs -d /usr/local/cvsrep import -m "blah blah blah" testproj
duane start
duane$ ll /usr/local/cvsrep
drwxrwxr-x 3 root cvs 1024 Jan 30 10:26 CVSROOT
drwxrwxr-x 5 duane cvs 512 Jan 30 10:32 testproj
john$cvs -d /usr/local/cvsrep co testproj
{typical checkout stuff: alls good}
john$ll
-rw-rw-r-- 1 john john 62 Jan 30 10:40 proj.c
john: /usr/home/john/testproj>$ cvs -d /usr/local/cvsrep update
{typical update stuff, no conflicts, all's good}
john$ ll /usr/local/cvsrep
drwxrwxr_x 5 duane cvs 512 Jan 30 10:26 testproj
john$ ll /usr/local/cvsrep/testproj
.......
.......
.
.
.
-r--r--r-- 1 duane cvs 482 Jan 30 10:55 proj.c,v
Now I don't want to make any assumptions about whether this
infrastructure is safe or not. That's why I'm asking the question.
Everything seems to work but am I leaving myself open to any known
security problems?
Sorry for the length of this long post. If I should have posted this
differently please let me know.
Sincere Thanks
--Duane Whitty
duane at greenmeadow.ca
More information about the freebsd-questions
mailing list