Restricting use of 'cvs rtag' 'cvs tag' commands [2nd try]
[I sent this msg 10 days ago noone responded. So, I'm trying again.] Hello, We are currently using an ancient version of CVS (1.11.1p1) on a rather old Linux server (Red Hat 6). I intend to upgrade to CVS 1.11.19 eventually upgrade the Linux OS. In the course of our CVS upgrade discussion we started discussing how to increase security with regards to CVS access. I am aware of the cvsacls script that provides fairly fine-grained permissions to do check-ins but is there also a way of restricting who is allowed to do certain cvs commands? In particular, we would like to restrict who can create/delete tags branch tags. Is it possible to restrict 'cvs tag' 'cvs rtag' on a user or group level? Thanks, -Dave ___ Info-cvs mailing list Info-cvs@gnu.org http://lists.gnu.org/mailman/listinfo/info-cvs
RE: Restricting use of 'cvs rtag' 'cvs tag' commands [2nd try]
David Leskovac wrote: [...] Is it possible to restrict 'cvs tag' 'cvs rtag' on a user or group level? taginfo should help: https://www.cvshome.org/docs/manual/cvs-1.11.19/cvs_18.html#SEC177 You should be able to get the login name from $USER, $LOGNAME, or some such means. -- Jim Hyslop Senior Software Designer Leitch Technology International Inc. ( http://www.leitch.com ) Columnist, C/C++ Users Journal ( http://www.cuj.com/experts ) ___ Info-cvs mailing list Info-cvs@gnu.org http://lists.gnu.org/mailman/listinfo/info-cvs
Re: Restricting use of 'cvs rtag' 'cvs tag' commands [2nd try]
Install cvs in a different place than the version you are using. Make a script named cvs in the current location of cvs. That script should check the cvs commands vs. valid users. If everything is OK, then it should invoke the new cvs in the new place with the arguments passed to it. This won't protect you from truly malicious developers who invoke cvs directly from the new location, but you probably have already fired those people from your project. :-) Fred David Leskovac wrote: [I sent this msg 10 days ago noone responded. So, I'm trying again.] Hello, We are currently using an ancient version of CVS (1.11.1p1) on a rather old Linux server (Red Hat 6). I intend to upgrade to CVS 1.11.19 eventually upgrade the Linux OS. In the course of our CVS upgrade discussion we started discussing how to increase security with regards to CVS access. I am aware of the cvsacls script that provides fairly fine-grained permissions to do check-ins but is there also a way of restricting who is allowed to do certain cvs commands? In particular, we would like to restrict who can create/delete tags branch tags. Is it possible to restrict 'cvs tag' 'cvs rtag' on a user or group level? Thanks, -Dave ___ Info-cvs mailing list Info-cvs@gnu.org http://lists.gnu.org/mailman/listinfo/info-cvs -- Frederic W. Brehm, Sarnoff Corporation, http://www.sarnoff.com/ ___ Info-cvs mailing list Info-cvs@gnu.org http://lists.gnu.org/mailman/listinfo/info-cvs
RE: Restricting use of 'cvs rtag' 'cvs tag' commands [2nd try]
Ok, I'll take a stab at it... How about using the built-in Unix/Linux rwx perms for user/group/others in the $CVSROOT/CVSROOT directory? Set the dir to belong to a certain group and set the permissions of the $CVSROOT/CVSROOT/logtags file so only the owner and users belonging to that group have x permissions. -chris -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of David Leskovac Sent: Wednesday, February 23, 2005 3:07 PM To: info-cvs@gnu.org Subject: Restricting use of 'cvs rtag' 'cvs tag' commands [2nd try] [I sent this msg 10 days ago noone responded. So, I'm trying again.] Hello, We are currently using an ancient version of CVS (1.11.1p1) on a rather old Linux server (Red Hat 6). I intend to upgrade to CVS 1.11.19 eventually upgrade the Linux OS. In the course of our CVS upgrade discussion we started discussing how to increase security with regards to CVS access. I am aware of the cvsacls script that provides fairly fine-grained permissions to do check-ins but is there also a way of restricting who is allowed to do certain cvs commands? In particular, we would like to restrict who can create/delete tags branch tags. Is it possible to restrict 'cvs tag' 'cvs rtag' on a user or group level? Thanks, -Dave ___ Info-cvs mailing list Info-cvs@gnu.org http://lists.gnu.org/mailman/listinfo/info-cvs ___ Info-cvs mailing list Info-cvs@gnu.org http://lists.gnu.org/mailman/listinfo/info-cvs
RE: Restricting use of 'cvs rtag' 'cvs tag' commands [2nd try]
Install cvs in a different place than the version you are using. Make a script named cvs in the current location of cvs. That script should check the cvs commands vs. valid users. If everything is OK, then it should invoke the new cvs in the new place with the arguments passed to it. This is an interesting idea. This won't protect you from truly malicious developers who invoke cvs directly from the new location, but you probably have already fired those people from your project. :-) None of the developers are malicious. The problem came up because on 3 separate occasions, a developer who is not very familiar with CVS somehow deleted 3 active branches. As to firing developers, that's out of my realm. I am just a lowly release engineer. :-) One person suggested an open source product called Sinis. http://sinis.sourceforge.net/ This product intrigues me. Has anyone on this list used Sinis? -Dave ___ Info-cvs mailing list Info-cvs@gnu.org http://lists.gnu.org/mailman/listinfo/info-cvs
RE: Restricting use of 'cvs rtag' 'cvs tag' commands [2nd try]
Dave,
restricting who is allowed to do certain cvs commands? In
particular, we would like to restrict who can create/delete
tags branch tags. Is it possible to restrict 'cvs tag'
'cvs rtag' on a user or group level?
If you can switch to CVSNT (free, GPL, just like CVS) for Linux,
Windows, Unix etc then you can use the CVS ACL's.
Use the command cvs chacl -H for more information, eg:
cvs chacl -R -a notag -u developers
Access settings which can be controlled are:
[no]{read|write|create|tag|control|all|none}
You can get CVSNT from:
http://www.cvsnt.com/
Regards,
Arthur Barrett
___
Info-cvs mailing list
Info-cvs@gnu.org
http://lists.gnu.org/mailman/listinfo/info-cvs
Re: Restricting use of 'cvs rtag' 'cvs tag' commands [2nd try]
David Leskovac writes: None of the developers are malicious. The problem came up because on 3 separate occasions, a developer who is not very familiar with CVS somehow deleted 3 active branches. That's much less likely with current releases of CVS since it now refuses to disturb existing branch tags unless you use a special option (-B) to force it to. -Larry Jones I wonder if I can grow fangs when my baby teeth fall out. -- Calvin ___ Info-cvs mailing list Info-cvs@gnu.org http://lists.gnu.org/mailman/listinfo/info-cvs
