From: Duane Whitty
Date: Mon, 30 Jan 2006 12:37:00 -0400
To: freebsd-questions@freebsd.org
Subject: Re: CVS Import Permissions

Giorgos Keramidas wrote:
> On 2006-01-30 15:52, david bryce wrote:
>
>> Hi All,
>>
>> I am having some confusion regarding the way CVS works with permissions
>> under unix when importing a new project. Currently, when I import a
>> project, I get this sort of permissions on the project directory:
>>
>> drwxr-x--- 2 jim cvs 512 Jan 27 12:31 test_proj
>>
>> Notice that the group (cvs) is not granted write access. Is this the
>> way it's supposed to work?
>
> That depends on what your `umask' currently is.
>
>> Do I have to use chmod to grant write access to the group every time I
>> do an import?
>
> No. The correct way to fix this is to set CVSUMASK in your shell
> environment, and then import the files :)
>
> Of course, now that the import is done, you can still use a bit of
> ``repository hackery'' to set the g+w bit for the checked in sources.
>
>> Or is my CVS not configured correctly?
>
> Your cvs is fine. The default umask is 022, which strips off g+w
> permissions from all newly created files; including the ones CVS creates
> in the repository.
>
>> If I don't grant write access to the group on that directory, every
>> check in fails with a "could not open lock file
>> `/usr/local/cvs/test_proj/,test.txt,': Permission denied". I tried
>> setting the LockDir in the config file to a world-writable directory,
>> but this doesn't seem to solve the problem when trying to check-in.
>
> The RCS files inside `/usr/local/cvs/test_proj' have no group-write
> permission. You can fix this by something like this:
>
>     $ cd $CVSROOT
>     $ find . -print0 | xargs -0 chmod g+w
>
> This is the sort of ``repository hackery'' I mentioned above.

Hi everyone,

I'm new to taking into consideration the wider security issues of system
administration. I apologize for this long post but maybe the answer can
save me and others from future pain.
What I'm not sure I understand is why would we not want to grant write
access to the "cvs" group? According to the instructions I've read that
is CVS's basic requirement, i.e. having write access to the repository.
When I set up a repository without this write access the import failed
for me as well.

One assumption I am making is that it is better to have one group with
write permission than explicit write permission given to many different
users.

So here is how I set up my repository, starting as root:

    # cd /usr/local
    # mkdir cvsrep
    # chgrp cvs cvsrep
    # chmod g+w cvsrep
    # cvs -d /usr/local/cvsrep init
    # ll
    drwxrwxr-x 2 root cvs 512 Jan 30 10:25 cvsrep
    # ll cvsrep
    drwxrwxr-x 3 root cvs 1024 Jan 30 10:26 CVSROOT

    duane$ cvs -d /usr/local/cvsrep import -m "blah blah blah" testproj duane start
    duane$ ll /usr/local/cvsrep
    drwxrwxr-x 3 root cvs 1024 Jan 30 10:26 CVSROOT
    drwxrwxr-x 5 duane cvs 512 Jan 30 10:32 testproj

    john$ cvs -d /usr/local/cvsrep co testproj
    {typical checkout stuff: all's good}
    john$ ll
    -rw-rw-r-- 1 john john 62 Jan 30 10:40 proj.c
    john: /usr/home/john/testproj>$ cvs -d /usr/local/cvsrep update
    {typical update stuff, no conflicts, all's good}
    john$ ll /usr/local/cvsrep
    drwxrwxr-x 5 duane cvs 512 Jan 30 10:26 testproj
    john$ ll /usr/local/cvsrep/testproj
    .......
    .......
    . . .
    -r--r--r-- 1 duane cvs 482 Jan 30 10:55 proj.c,v

Now I don't want to make any assumptions about whether this
infrastructure is safe or not. That's why I'm asking the question.
Everything seems to work but am I leaving myself open to any known
security problems?

Sorry for the length of this long post. If I should have posted this
differently please let me know.

Sincere Thanks
--Duane Whitty
duane@greenmeadow.ca
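
An added example, not part of the original message or of CVS itself: a shell audit for the two conditions this thread discusses, repository directories that lack group write (the cause of the "could not open lock file" error) and entries left world-writable (such as the LockDir workaround). The function names and the sample tree are constructed for illustration; the umask values stand in for whatever umask was in effect when the directories were created.

```shell
#!/bin/sh
# Added example. Paths, names and the sample tree are constructed.

# Directories without group write: CVS cannot create its lock files
# there, so check-ins by other members of the group fail.
dirs_missing_group_write() {
    find "$1" -type d ! -perm -020 -print | sort
}

# Entries writable by everyone, e.g. a world-writable lock directory.
world_writable() {
    find "$1" ! -type l -perm -002 -print | sort
}

# Build a constructed repository tree under a temporary directory and
# print its path. Each subshell umask mimics the umask at creation time.
make_sample_repo() {
    top=$(mktemp -d) || return 1
    repo=$top/cvsrep
    (umask 002; mkdir "$repo" "$repo/CVSROOT")
    (umask 022; mkdir "$repo/test_proj")    # umask 022 strips g+w
    (umask 002; mkdir "$repo/testproj")     # umask 002 keeps g+w
    mkdir "$repo/locks" && chmod 777 "$repo/locks"
    : > "$repo/testproj/proj.c,v"
    chmod 444 "$repo/testproj/proj.c,v"     # history file, read-only
    printf '%s\n' "$repo"
}

# Print findings; return 0 only when the tree has neither problem.
audit_repo() {
    bad_dirs=$(dirs_missing_group_write "$1")
    open=$(world_writable "$1")
    if [ -n "$bad_dirs" ]; then
        printf 'no group write (check-ins will fail):\n%s\n' "$bad_dirs"
    fi
    if [ -n "$open" ]; then
        printf 'world-writable:\n%s\n' "$open"
    fi
    [ -z "$bad_dirs$open" ]
}

sample=$(make_sample_repo)
audit_repo "$sample" || echo "audit: problems found in $sample"
rm -rf "${sample%/cvsrep}"
```
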