Re: how to implement user level security in cvs ?

2002-04-18 Thread gabriel rosenkoetter

On Thu, Apr 18, 2002 at 09:28:38PM +0500, Muhammad Shakeel wrote:
>  Can I use Solaris access control lists? Does cvs work fine when using ACLs?

Yes.

(Think about this logically: cvs is run as the user performing the
action. Therefore, it can only affect a file in a given way if the
user has permission to do so.)

Beware ownership changes of files, though. (And note that you
probably don't want to use ACLs on files anyway, you want to use
them on directories.)

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



msg20079/pgp0.pgp
Description: PGP signature


Re: how to implement user level security in cvs ?

2002-04-18 Thread Noel Yap

The answer is a little trickier than this, actually.

I remember having to put something in loginfo so that
ACLs would get properly created from the directory
(default ACLs aren't appropriate here since you
probably don't want the directory's execute and write
bits to be inherited by the files).

Noel
--- gabriel rosenkoetter <[EMAIL PROTECTED]> wrote:
> On Thu, Apr 18, 2002 at 09:28:38PM +0500, Muhammad
> Shakeel wrote:
> >  Can I use Solaris access control lists? Does cvs
> > work fine when using ACLs?
> 
> Yes.
> 
> (Think about this logically: cvs is run as the user performing the
> action. Therefore, it can only affect a file in a given way if the
> user has permission to do so.)
> 
> Beware ownership changes of files, though. (And note that you
> probably don't want to use ACLs on files anyway, you want to use
> them on directories.)
> 
> -- 
> gabriel rosenkoetter
> [EMAIL PROTECTED]
> 




__
Do You Yahoo!?
Yahoo! Tax Center - online filing with TurboTax
http://taxes.yahoo.com/

___
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs



Re: how to implement user level security in cvs ?

2002-04-18 Thread gabriel rosenkoetter

On Thu, Apr 18, 2002 at 12:58:18PM -0700, Noel Yap wrote:
> The answer is a little trickier than this, actually.
> 
> I remember having to put something in loginfo so that
> ACLs would get properly created from the directory
> (default ACLs aren't appropriate here since you
> probably don't want the directory's execute and write
> bits to be inherited by the files).

My memory, though I didn't really push the ACLs hard, was that I
could set ACLs per module by setting them on the directories in
$CVSROOT after the module was already created.

Hrm. Actually, I think I only ever did all-or-nothing access.
Controlling read/write separately is going to require a loginfo
dance, come to think of it.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]





Re: how to implement user level security in cvs ?

2002-04-18 Thread Noel Yap

--- gabriel rosenkoetter <[EMAIL PROTECTED]> wrote:
> On Thu, Apr 18, 2002 at 12:58:18PM -0700, Noel Yap wrote:
> > The answer is a little trickier than this, actually.
> > 
> > I remember having to put something in loginfo so that
> > ACLs would get properly created from the directory
> > (default ACLs aren't appropriate here since you
> > probably don't want the directory's execute and write
> > bits to be inherited by the files).
> 
> My memory, though I didn't really push the ACLs hard, was that I
> could set ACLs per module by setting them on the directories in
> $CVSROOT after the module was already created.
> 
> Hrm. Actually, I think I only ever did all-or-nothing access.
> Controlling read/write separately is going to require a loginfo
> dance, come to think of it.

Yeah.  I should've been more specific (I just got up
from a nap -- so goes the life of the unemployed :-)

We wanted to allow some users to have read only access
to the repository and I wanted to turn off read access
to the others (just 'cos I'm paranoid).  Even if it
were all or nothing, ACLs would still need to be set
for new subdirectories, IIRC.

Noel





Re: how to implement user level security in cvs ?

2002-04-18 Thread Larry Jones

Muhammad Shakeel writes:
> 
> There is no security for user-level permissions on different modules in
> a cvs repository. If I have to use the Unix permissions for security,
> then what steps should I follow to permit some groups or users
> checkout access only and others checkin access only?

The short answer is that a user needs write permission on a directory to
modify any of the files in that directory and needs read permission on a
directory to access the files without changing them (checkout, status,
etc.).  Users do need read permission on the files themselves, but
should never have write permission.  Users also have to be able to
create lock files, so if you're going to have read-only users, you can't
keep the lock files inside the repository; you can use LockDir= in
CVSROOT/config to put them elsewhere.

-Larry Jones

Let's pretend I already feel terrible about it, and that you
don't need to rub it in any more. -- Calvin
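Larry's permission model above, turned into a check a repository administrator can run. This is an added example, not code from the thread or from CVS itself; it assumes the repository root is passed as the first argument, that lock names follow CVS's convention (a #cvs.lock directory, #cvs.rfl* and #cvs.wfl* files), and that LockDir is recognised only as a "LockDir=" line in CVSROOT/config.

```shell
#!/bin/sh
# Added example, not code from the thread or from CVS: an audit of a
# repository against the permission model Larry describes above (write on
# the directory, read on the files, never write on the files, locks kept
# outside the tree via LockDir).
# Assumptions, not stated in the thread: the repository root is given as
# the first argument; lock names follow CVS's convention (#cvs.lock
# directories, #cvs.rfl* and #cvs.wfl* files); LockDir is recognised only
# as a "LockDir=" line in CVSROOT/config.

# audit_repo ROOT -> prints one line per finding; returns 0 if clean, 1 if not.
audit_repo() {
    ar_root=$1
    if [ ! -d "$ar_root/CVSROOT" ]; then
        echo "audit: $ar_root has no CVSROOT directory, not a repository" >&2
        return 1
    fi
    ar_findings=$(
        # 1. Archive files are rewritten, never edited in place, so no one
        #    (owner included) needs write permission on them.
        find "$ar_root" -type f -name '*,v' \
            \( -perm -200 -o -perm -020 -o -perm -002 \) \
            -exec printf 'writable archive: %s\n' {} \;
        # 2. Checkout needs read and search on every directory.  With POSIX
        #    ACLs the group bits carry the ACL mask, so a directory with no
        #    group or other r-x is unusable by anyone but its owner.
        find "$ar_root" -type d ! -perm -050 ! -perm -005 \
            -exec printf 'directory unreadable for non-owners: %s\n' {} \;
        # 3. Read-only users cannot create lock files inside the tree, so
        #    locks must be moved out with LockDir; locks found inside the
        #    tree show that this is not in effect.
        find "$ar_root" \( -name '#cvs.lock' -o -name '#cvs.rfl*' -o -name '#cvs.wfl*' \) \
            -exec printf 'lock inside repository: %s\n' {} \;
        grep -q '^LockDir=' "$ar_root/CVSROOT/config" 2>/dev/null ||
            printf 'LockDir not set in CVSROOT/config\n'
    )
    [ -z "$ar_findings" ] && return 0
    printf '%s\n' "$ar_findings"
    return 1
}

# Usage when run directly:  sh audit-cvs-perms.sh /path/to/cvsroot
if [ $# -gt 0 ]; then
    audit_repo "$1"
    exit $?
fi
```

The three checks map one to one onto Larry's points: a writable ,v file is never needed, a directory nobody else can search blocks even checkout, and a lock found under the tree (or no LockDir line) means read-only users either cannot work or have been given write on the directories to make locking possible.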




Re: how to implement user level security in cvs ?

2002-04-18 Thread gabriel rosenkoetter

On Thu, Apr 18, 2002 at 04:22:30PM -0400, Larry Jones wrote:
> The short answer is that a user needs write permission on a directory to
> modify any of the files in that directory

Say *what*? You mean that specifically to CVS, I hope?

(In the real world, the only relevance write permission on a
directory has is for creation and deletion of files... but you're
saying that CVS actually creates a new file and unlink()s the old
one every time...)

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]





Re: how to implement user level security in cvs ?

2002-04-18 Thread gabriel rosenkoetter

On Thu, Apr 18, 2002 at 01:08:20PM -0700, Noel Yap wrote:
> We wanted to allow some users to have read only access
> to the repository and I wanted to turn off read access
> to the others (just 'cos I'm paranoid).  Even if it
> were all or nothing, ACLs would still need to be set
> for new subdirectories, IIRC.

Sure, for subdirectories within a module. I was only working on a
module-by-module granularity. CVS won't whack the permissions on the
directories straight off $CVSROOT (and no one but I could import
modules, as only I had write permission to $CVSROOT).

(This was on a CS department's systems while I was a student there
in order to give access to my partner(s) for a given coding project
in a given class.)

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]





Re: how to implement user level security in cvs ?

2002-04-18 Thread gabriel rosenkoetter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: gabriel rosenkoetter <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: 
Bcc: 
Subject: Re: how to implement user level security in cvs ?
Reply-To: 
In-Reply-To: <[EMAIL PROTECTED]>; from [EMAIL PROTECTED] on Thu, 
Apr 18, 2002 at 05:35:25PM -0400

On Thu, Apr 18, 2002 at 05:35:25PM -0400, Larry Jones wrote:
> Please do not send MIME and/or HTML encrypted messages to the list.
> Plain text only, PLEASE.

Um... but that's a totally standards-compliant PGP signature which
is, in fact, plain text. (It's a clear text signature, only in a
separate MIME part so that MUAs have an easy time recognizing it.)

Did you bother to look at that, or just have a knee-jerk response?

In any case, I guess I'll just clear-sign this one in the editor and
not have mutt do its usual thing.

> > Say *what*? You mean that specifically to CVS, I hope?
> Yes; that was the context of the discussion.

Fair enough.

- -- 
gabriel rosenkoetter
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjy/PqEACgkQ9ehacAz5CRoW/ACgpwinSwgxDICBuJ2z2cMAWRFT
BBEAnAsXR8koG3/AIN5tXkfKlSuXVeRd
=o0Ix
-----END PGP SIGNATURE-----





Re: how to implement user level security in cvs ?

2002-04-18 Thread Larry Jones

gabriel rosenkoetter writes:
>
> Mime-Version: 1.0
> Content-Type: multipart/signed; micalg=pgp-md5;
>   protocol="application/pgp-signature"; boundary="YC8Ek3FeOE8ywfXk"

Please do not send MIME and/or HTML encrypted messages to the list.
Plain text only, PLEASE.

> On Thu, Apr 18, 2002 at 04:22:30PM -0400, Larry Jones wrote:
> > The short answer is that a user needs write permission on a directory to
> > modify any of the files in that directory
> 
> Say *what*? You mean that specifically to CVS, I hope?

Yes; that was the context of the discussion.

> (In the real world, the only relevance write permission on a
> directory has is for creation and deletion of files... but you're
> saying that CVS actually creates a new file and unlink()s the old
> one every time...)

Exactly.  Modifying an RCS file generally requires changes throughout
the file, and there's no way to do that (portably) other than rewriting
the file.  CVS (and RCS) always write a whole new file rather than
overwriting the existing file to prevent an unfortunate system crash
from leaving you with a partial file and no way to recover the missing
information.

-Larry Jones

I've got to start listening to those quiet, nagging doubts. -- Calvin




Re: how to implement user level security in cvs ?

2002-04-18 Thread Shane McDaniel



gabriel rosenkoetter wrote:
> 
> On Thu, Apr 18, 2002 at 09:28:38PM +0500, Muhammad Shakeel wrote:
> >  Can I use Solaris access control lists? Does cvs work fine when using ACLs?
> 
> Yes.
> 
> (Think about this logically: cvs is run as the user performing the
> action. Therefore, it can only affect a file in a given way if the
> user has permission to do so.)
> 
> Beware ownership changes of files, though. (And note that you
> probably don't want to use ACLs on files anyway, you want to use
> them on directories.)
> 

Is there a way to restrict when a user can do a commit, but allow anyone
to do checkouts?  Preferably gracefully through CVS, but even through
permission manipulation if possible.

-shane



Re: how to implement user level security in cvs ?

2002-04-18 Thread Noel Yap

--- Shane McDaniel <[EMAIL PROTECTED]> wrote:
> Is there a way to restrict when a user can do a commit, but allow anyone
> to do checkouts?  Preferably gracefully through CVS, but even through
> permission manipulation if possible.

This is exactly what this thread is about.  You can
use file system ACLs (man setfacl for more info)
coupled with a loginfo script to set repo file
permissions to something reasonable.

Noel





Re: how to implement user level security in cvs ?

2002-05-14 Thread Muhammad Shakeel



Dear Noel Yap,
AOA

Sorry, I am asking a question related to a slightly older thread on the mailing list.
I implemented ACLs at the directory level as was suggested, and did not implement
them on files. But what is the reason that this is not recommended? If a user has
permission on a folder but not on a file, then he cannot check out the code.


Can you please also recall what is required in the loginfo file
in this case?


Regards,
shakeel




-- 
Regards,

Muhammad Shakeel
Streaming Networks (Pvt.) Limited
House 8, St. 31, F-7/1
Islamabad - 44000, Pakistan

Talk:  +92-51-2823585, +92-51-2275589
Fax:   +92-51-2820832
Email: [EMAIL PROTECTED]
Web:   streaming-networks.com






Re: how to implement user level security in cvs ?

2002-05-14 Thread Noel Yap

Given:
1. CVS recreates (i.e. copies and removes) the archive
file each time there is a checkin.
2. CVS, by default, creates locks within the repo
directory.  The location of the locks can be
configured by setting LockDir within CVSROOT/config.
3. A user can create and remove files within a
directory if and only if (iff) that user has write
permissions to that directory.
4. A user can use a directory iff that user has
execute permissions to that directory.
5. A user can modify a file iff that user has write
permissions to that file.

Therefore:
1. A user will need repo file and directory read
permissions to checkout/checkin a file.
2. A user will need repo directory write permissions
to checkin a file.
3. It is safer if a user did not have repo file write
permissions.

Given:
1. Default ACLs cannot tell the difference between
directories and files.
2. Repo directory permissions need to be treated
differently from repo file permissions.

Therefore:
1. A loginfo script will need to reset file ACLs for
each commit.  It will also need to set ACLs on new
elements.  Typically, this setting is a combination of
inheritance from the parent directory for ACL users
and groups and read permissions, files are never
writable, files may need to be executable, and
directories are always writable and executable.

Noel

--- Muhammad Shakeel
<[EMAIL PROTECTED]> wrote:
> Dear Noel Yap,
> AOA
> 
> Sorry, I am asking a question related to a slightly older
> thread on the mailing list. I implemented ACLs at the directory
> level as was suggested, and did not implement them on files.
> But what is the reason that this is not recommended? If a user
> has permission on a folder but not on a file, then he cannot
> check out the code.
> 
> Can you please also recall what is required in the loginfo
> file in this case?
> 
> 
> Regards,
> shakeel
> 
> 
> Noel Yap wrote:
> 
> >The answer is a little trickier than this, actually.
> >
> >I remember having to put something in loginfo so that
> >ACLs would get properly created from the directory
> >(default ACLs aren't appropriate here since you
> >probably don't want the directory's execute and write
> >bits to be inherited by the files).
> >
> >Noel
> >--- gabriel rosenkoetter <[EMAIL PROTECTED]> wrote:
> >
> >>On Thu, Apr 18, 2002 at 09:28:38PM +0500, Muhammad
> >>Shakeel wrote:
> >>
> >>> Can I use Solaris access control lists? Does cvs
> >>> work fine when using ACLs?
> >>
> >>Yes.
> >>
> >>(Think about this logically: cvs is run as the user
> >>performing the action. Therefore, it can only affect
> >>a file in a given way if the user has permission to
> >>do so.)
> >>
> >>Beware ownership changes of files, though. (And note
> >>that you probably don't want to use ACLs on files
> >>anyway, you want to use them on directories.)
> >>
> >>-- 
> >>gabriel rosenkoetter
> >>[EMAIL PROTECTED]
> >>
> >
> >
> 
> -- 
> Regards,
> 
> Muhammad Shakeel
> Streaming Networks (Pvt.) Limited
> House 8, St. 31, F-7/1
> Islamabad - 44000, Pakistan
> 
> Talk:  +92-51-2823585, +92-51-2275589
> Fax:   +92-51-2820832
> Email: [EMAIL PROTECTED]
> Web:   streaming-networks.com
> 
> 
> 





Re: how to implement user level security in cvs ?

2002-05-15 Thread Muhammad Shakeel



Dear Noel,

Thanks a lot for the quick and valuable reply. I implemented the ACL but did
not implement ACLs at the file level. Therefore at the file level I had given
read permission to others (r--r--r--) by setting CVSUMASK. Therefore the
folders also got the read permission in the others field. Can this read-only
permission pose any security risk? It seems that without execute permission on
a folder no one can access the files inside that folder.

Yes, it is important to refresh the ACL after checkin, because CVS changes
the file ownership and group information to the one who checked in the file.
Also, PreservePermission in the CVSROOT/config file does seem to be properly
implemented.
From the last paragraph of your reply it appears that file-level ACLs are also
required. Do we need to implement ACLs for files too? Is any reference script
for loginfo ACLs available?

Regards
shakeel







 

Re: how to implement user level security in cvs ?

2002-05-15 Thread Noel Yap

--- Muhammad Shakeel
<[EMAIL PROTECTED]> wrote:
> Thanks a lot for the quick and valuable reply. I
> implemented the ACL but did not implement ACLs at
> the file level. Therefore at the file level I had
> given read permission to others (r--r--r--) by
> setting CVSUMASK.

Be careful that you're not turning off file execute
bits for scripts.

> Therefore the folders also got the read permission
> in the others field. Can this read-only permission
> pose any security risk?

Read perms for other is only a security risk if the
info within the repository is so confidential that
others on the system should not be able to see it.

> It seems that without execute permission on a folder
> no one can access the files inside that folder.

Yes, as I think I stated in my previous email, execute
permissions will be necessary for anyone who needs
access to the repository.

> Yes, it is important to refresh the ACL after
> checkin, because CVS changes the file ownership and
> group information to the one who checked in the file.

File ownership doesn't matter, really (except for
being able to change file permissions).  The file
permissions are more important.

> Also, PreservePermission in the CVSROOT/config file
> does seem to be properly implemented.

Don't use it.  I think I've heard it's so bad that
it should be ripped out.

> From the last paragraph of your reply it appears that
> file-level ACLs are also required. Do we need to
> implement ACLs for files too? Is any reference script
> for loginfo ACLs available?

File-level permissioning is necessary to guarantee
that those that need read permissions get them (of
course, you could grant read permissions to everyone
if you don't think your stuff is that confidential). 
It's also important to preserve the execute bit (CVS
does this automatically for normal permissions, but
not for ACLs).

I'll see if I can dig up my script.

Noel






Re: how to implement user level security in cvs ?

2002-05-16 Thread Muhammad Shakeel



Dear Noel,

Thanks for your reply. I implemented an ACL on a folder in my repository;
when someone checks in to this folder, loginfo executes the script and refreshes
the whole ACL recursively in that folder. But when a user who is not the
owner of the files in the repository (although he has rwx permissions) checks
in a file, the script on its execution gives an error message:

not a owner of the file/folder.

It means scripts run from loginfo execute with the permissions of the user who
is checking in.
To add or modify an ACL, one has to be the owner of the ACL.
It means the script failed at that point.

Instead of the above script, if in another script I try to copy the ACL of
a parent folder to the newly created folder in that folder, then how do I
pass the paths of both folders from loginfo to the script in the arguments?

Instead of using a script to refresh the whole ACL or copy the ACL, I also
implemented a default ACL at the start on a folder. But
the default ACL permissions also do not reflect all of the ACL in the new folder
created within that folder.

Please help me to proceed. It seems I am stuck again.

:-[

Regards,
shakeel







Re: how to implement user level security in cvs ?

2002-05-17 Thread Noel Yap

--- Muhammad Shakeel
<[EMAIL PROTECTED]> wrote:
> Thanks for your reply. I implemented an ACL on a
> folder in my repository; when someone checks in to
> this folder, loginfo executes the script and
> refreshes the whole ACL recursively in that folder.
> But when a user who is not the owner of the files in
> the repository (although he has rwx permissions)
> checks in a file, the script on its execution gives
> an error message:
> 
> not a owner of the file/folder.

First, reread _carefully_ my prior email.  It has a
lot of information packed into it.

Recursively resetting the ACLs is extremely time
consuming and may break something (e.g. if you have some
subdirectory with more ACLs on it).

> It means scripts run from loginfo execute with the
> permissions of the user who is checking in.
> To add or modify an ACL, one has to be the owner of
> the ACL.
> It means the script failed at that point.

All this is correct.  Keep in mind, though, that when
a user checks in a file, a brand new archive is
created that is owned by that user.  The same goes for
new directories.  This means that users can set
permissions on newly checked in files and new
directories.

> Instead of the above script, if in another script I
> try to copy the ACL of a parent folder to the newly
> created folder in that folder, then how do I pass
> the paths of both folders from loginfo to the script
> in the arguments?

You should be able to derive the parent directory from
the new element's name (i.e. use dirname).  IIRC, it's
the new element's name that's passed into loginfo
scripts.

> Instead of using a script to refresh the whole ACL or
> copy the ACL, I also implemented a default ACL at the
> start on a folder. But the default ACL permissions
> also do not reflect all of the ACL in the new folder
> created within that folder.

Again, please reread my prior email.  Permissions
between directories and files will tend to need to be
different (directories need to be executable and
writable, files need not be).  To reiterate (and put
it more strongly), DO NOT USE DEFAULT ACL'S.

> Please help me to proceed. It seems I am stuck again.

Reread and memorize my prior email.  I haven't been
able to look for my loginfo script.  I'll try to do it
tonight.

Noel
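The loginfo hook that Noel describes in his "Given / Therefore" message and refines above (no recursive resetting, the committer owns the freshly written elements, the parent is just dirname of the new element, no default ACLs), written out as an added example. It is not Noel's loginfo.pl, which is not reproduced on the page. Assumed, not stated in the thread: CVS passes "%s" as one "DIR FILE..." word list with DIR relative to $CVSROOT and exports CVSROOT to the hook; setfacl accepts the POSIX.1e text form u:NAME:rw- / g:NAME:r-x (the Linux acl package; Solaris setfacl syntax differs, so check its manual page); the ACL principals come from the COMMITTERS and READERS variables, and the SETFACL variable exists only so the logic can be dry-run.

```shell
#!/bin/sh
# Added example; this is not Noel Yap's loginfo.pl (which is not reproduced
# here).  It applies the permission policy from the thread to the elements
# of one commit: directories writable and searchable for committers,
# searchable for readers; archive files readable, never writable, execute
# bit kept.  It never recurses through the repository.
#
# Assumptions, not stated in the thread:
#   * the loginfo line is   ALL $CVSROOT/CVSROOT/loginfo-acl.sh %s
#     and CVS passes "%s" as one "DIR FILE..." word list with DIR relative
#     to $CVSROOT, and exports CVSROOT to the hook;
#   * setfacl accepts the POSIX.1e text form u:NAME:rw- / g:NAME:r-x (Linux
#     acl package); Solaris setfacl syntax differs, check its manual page;
#   * COMMITTERS and READERS hold the ACL principals (u:name or g:name).

COMMITTERS="${COMMITTERS:-g:cvs-commit}"   # may commit
READERS="${READERS:-g:cvs-read}"           # may only check out
SETFACL="${SETFACL:-setfacl}"              # overridable for a dry run

# join_entries PERMS PRINCIPAL... -> "p1:PERMS,p2:PERMS"
join_entries() {
    je_perms=$1; shift
    je_out=""
    for je_p in "$@"; do
        je_out="${je_out:+$je_out,}$je_p:$je_perms"
    done
    printf '%s\n' "$je_out"
}

# acl_spec PATH -> the ACL entries PATH should carry.  CVS commits by
# writing a new ,v file and unlinking the old one, so committers need
# write on the directory and nobody needs write on the file.  CVS keeps
# the execute bit of an archive for plain modes but not for ACLs, so it
# is copied into the ACL here.
acl_spec() {
    if [ -d "$1" ]; then
        printf '%s,%s\n' "$(join_entries rwx $COMMITTERS)" "$(join_entries r-x $READERS)"
    else
        if [ -x "$1" ]; then as_x=x; else as_x=-; fi
        printf '%s,%s\n' "$(join_entries "r-$as_x" $COMMITTERS)" \
                         "$(join_entries "r-$as_x" $READERS)"
    fi
}

# owned_by_me PATH -> true if the calling user owns PATH.  Only the owner may
# change an ACL; ls -ln is used because test -O is not in POSIX.
owned_by_me() {
    [ "$(ls -lnd "$1" | awk '{print $3}')" = "$(id -u)" ]
}

# apply_one PATH -> set the ACL on one element.  The committer owns the ,v
# file CVS just wrote and any directory they created, so those get their
# ACL here; an element owned by someone else (an existing directory)
# already had its ACL set by its creator and is left alone instead of
# failing the whole hook with "not owner".
apply_one() {
    if [ ! -e "$1" ]; then
        echo "loginfo-acl: $1: no such element" >&2
        return 1
    fi
    if ! owned_by_me "$1"; then
        echo "loginfo-acl: $1: not owner, ACL left as is" >&2
        return 0
    fi
    if [ -f "$1" ]; then chmod a-w "$1" || return 1; fi
    "$SETFACL" -m "$(acl_spec "$1")" "$1"
}

# apply_acls DIR FILE... -> the directory committed into plus each archive.
# A new subdirectory is handled on the first commit into it, when CVS
# names it as DIR; its parent is just dirname of that path.
apply_acls() {
    if [ -z "$CVSROOT" ]; then
        echo "loginfo-acl: CVSROOT is not set" >&2
        return 1
    fi
    aa_dir="$CVSROOT/$1"; shift
    aa_rc=0
    apply_one "$aa_dir" || aa_rc=1
    for aa_f in "$@"; do
        apply_one "$aa_dir/$aa_f,v" || aa_rc=1
    done
    return $aa_rc
}

# Entry point when CVS runs the hook; skipped when the file is sourced.
if [ $# -gt 0 ]; then
    set -- $*                      # split "DIR FILE..." into words
    apply_acls "$@"
    exit $?
fi
```

Running it with SETFACL=echo prints the setfacl calls instead of making them, which is the easiest way to check the generated entries before installing the hook. The ownership check is what keeps the "not a owner" failure Muhammad reports from aborting the commit: the elements a committer cannot change are exactly the ones whose creator already set the ACL. Later in the thread it comes out that tagging also rewrites the archive, so the same policy would have to be applied from taginfo as well; taginfo's argument layout differs and is not handled here.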





Re: how to implement user level security in cvs ?

2002-05-17 Thread Nick Papadonis

Muhammad Shakeel <[EMAIL PROTECTED]> writes:
> Thanks for your reply. I implemented an ACL on a folder in my
> repository; when someone checks in to this folder, loginfo executes the
> script and refreshes the whole ACL recursively in that folder. But
> when a user who is not the owner of the files in the repository (although
> he has rwx permissions) checks in a file, the script on its execution
> gives an error message:

Muhammad,

I didn't catch this whole thread, but would like to offer ACL
insight.  I researched this area and ended up using the ACL script
included with the CVS source.  When set up correctly, this script turns out
suitable for controlling access on a per module, directory, branch,
and user basis.

Hope this helps.

- Nick




Re: how to implement user level security in cvs ?

2002-05-18 Thread Noel Yap

I might have made an incorrect assumption, but I
believe Muhammad is asking about file system ACLs. 
Muhammad, can you confirm this, please?

Noel
--- Nick Papadonis <[EMAIL PROTECTED]> wrote:
> Muhammad Shakeel <[EMAIL PROTECTED]> writes:
> > Thanks for your reply. I implemented an ACL on a folder in my
> > repository; when someone checks in to this folder, loginfo executes the
> > script and refreshes the whole ACL recursively in that folder. But
> > when a user who is not the owner of the files in the repository (although
> > he has rwx permissions) checks in a file, the script on its execution
> > gives an error message:
> 
> Muhammad,
> 
> I didn't catch this whole thread, but would like to offer ACL
> insight.  I researched this area and ended up using the ACL script
> included with the CVS source.  When set up correctly, this script turns out
> suitable for controlling access on a per module, directory, branch,
> and user basis.
> 
> Hope this helps.
> 
> - Nick
> 





Re: how to implement user level security in cvs ?

2002-05-18 Thread Noel Yap

--- Noel Yap <[EMAIL PROTECTED]> wrote:
> able to look for my loginfo script.  I'll try to do it
> tonight.

Here it is.

Hope it helps,
Noel

Enc




loginfo.pl
Description: loginfo.pl


Re: how to implement user level security in cvs ?

2002-06-14 Thread Noel Yap

--- Muhammad Shakeel <[EMAIL PROTECTED]> wrote:
> Dear Noel,
> 
> loginfo script is not working when I insert a tag. Of course loginfo
> runs it only on check in, add and import case, but not in case of tag.
> Should I run it through taginfo file as well or some changes in script
> are required ?
> 
> Thanks for ur help.

File system ACLs are only good for file system
elements.  CVS keeps one archive file for each file,
not for each branch, so it won't do anything for
branches.

I think there may be other partial solutions for
branches in which commitinfo does the checking (and
therefore doesn't afford real security since users can
subvert it).

Are you asking 'cos you want user level permissioning
for branches?

Noel





Re: how to implement user level security in cvs ?

2002-06-18 Thread Noel Yap

--- Muhammad Shakeel <[EMAIL PROTECTED]> wrote:
> Dear Noel,
> 
> At the moment I am interested only to refresh the ACL when we tag a
> file. Because the loginfo script u sent me does not refresh the ACL when
> I insert a tag on a file or files. CVS actually removes the ACL
> information from that tagged file or files because it recreates the file
> in case of tag as well, like the case when some one check in a file. So
> it was a requirement to run a script through taginfo administrative file.
> 
> Can u please help in this regard.

I guess I've never tagged anything while I was using
ACLs so this is news to me.

Hopefully, you'll be able to do the same things inside
the taginfo script as you're doing inside the loginfo
script.  This should work if the taginfo script is
executed after the file has been created.  Now that I
think about it, I believe the taginfo script is
executed before the file is created (so that you can
check tag naming conventions).  If this is true, your
options are:
1. Hack CVS to add a post-tag trigger.  IMHO, CVS's
triggers can stand a good redesign so that most (if
not all) commands can have pre- and post-triggers.
2. Create a cvs wrapper that'll do what you need. 
This shouldn't be too difficult.  I think all you'd
need to do is wrap the cvs server, parse out the
affected files, and make ACL changes for each of those
files.

Sorry I can't supply a ready-made script.

Noel





RE: how to implement user level security in cvs ?

2002-06-18 Thread Stanton, Curt (NCI/IMS)

I would love to see the commands have pre and post triggers.  I think it
would be useful to a great number of people.

Thanks, I just wanted to add my two cents.

-Curt Stanton

-Original Message-
From: Noel Yap [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 18, 2002 8:24 AM
To: Muhammad Shakeel; [EMAIL PROTECTED]
Subject: Re: how to implement user level security in cvs ?





[Fwd: Re: how to implement user level security in cvs ?]

2002-05-19 Thread Muhammad Shakeel




Hi Nick,

Thanks for your reply. I need a loginfo script like the one Noel sent me in
perl.  As I implemented the ACL on my repository, the unix script was required
for the following reason, as Noel explained in his previous mail.

Given:
1. Default ACLs cannot tell the difference between
directories and files.
2. Repo directory permissions need to be treated
differently from repo file permissions.

Therefore:
1. A loginfo script will need to reset file ACLs for
each commit.  It will also need to set ACLs on new
elements.  Typically, this setting is a combination of
inheritance from the parent directory for ACL users
and groups and read permissions, files are never
writable, files may need to be executable, and
directories are always writable and executable.

The script is in perl and I need to learn it. I will appreciate it if u can help
in this regard.

 Regards,
 shakeel


Nick Papadonis wrote:
> Muhammad Shakeel <[EMAIL PROTECTED]> writes:
> > Thanks for your reply. I implemented a ACL on a folder in my
> > repository, when some one checkin in this folder, loginfo execute the
> > script and refreshes the whole ACL recursively in that folder. But
> > when a user who is not the owner of the files in repository (Although
> > he has rwx permissions), check in a file the script on its execution
> > gives an error message :
> 
> Muhammad,
> 
> I didn't catch this whole thread, but would like to offer ACL
> insight.  I researched this area and ended up using the ACL script
> included with the CVS source.  When set up correctly, this script turns out
> suitable for controlling access on a per module, directory, branch,
> and user basis.
> 
> Hope this helps.
> 
> - Nick


-- 
Regards,

Muhammad Shakeel
Streaming Networks (Pvt.) Limited
House 8, St. 31, F-7/1
Islamabad - 44000, Pakistan

Talk:  +92-51-2823585, +92-51-2275589
Fax:   +92-51-2820832
Email: [EMAIL PROTECTED]
Web:   streaming-networks.com









[Fwd: Re: how to implement user level security in cvs ?]

2002-05-19 Thread Muhammad Shakeel






Dear Noel,
AOA

Thanks for a reference script. Shell script would be easier for me. The
script made me realize that perl should be learned.  I arranged a perl 5
book. It will take some time.


 Regards,
 shakeel


Noel Yap wrote:
> --- Noel Yap <[EMAIL PROTECTED]> wrote:
> > able to look for my loginfo script.  I'll try to do it
> > tonight.
> 
> Here it is.
> 
> Hope it helps,
> Noel
> 
> Enc

loginfo.pl
Description: loginfo.pl

-- 
Regards,

Muhammad Shakeel
Streaming Networks (Pvt.) Limited
House 8, St. 31, F-7/1
Islamabad - 44000, Pakistan

Talk:  +92-51-2823585, +92-51-2275589
Fax:   +92-51-2820832
Email: [EMAIL PROTECTED]
Web:   streaming-networks.com


