[cvsnt] read/write/traverse permissions

Gerhard Fiedler lists at connectionbrazil.com
Sat May 29 10:00:36 BST 2004


Hello all,

After I got my repository working again going back to a previous version
and had a look at the permissions in that process, I'd like to get to the
ground of the permission system.

Basically, my problem is that I'd like to give users read/write or
read/only access to directories within the directory tree without them
seeing what's up the tree.

I have done that mostly with Win2k file system permissions (see below for a
description of the setup), but the problem with that is that the users see
what's in the directories that they traverse. For example a user has access
to Client/Dir but not Client/Private, that's what they see upon checking
out Client:

cvs server: cannot open E:/repositories/projects/Client/Private/.perms: Permission denied
cvs server: cannot open directory E:/repositories/projects/Client/Private: No such file or directory
cvs server: skipping directory Client/Private

If I use the cvs chacl command, it looks better, but is also visible:

cvs server: User 'restricted' cannot access /projects/Client/Private

My questions are:

- Is there a way to configure the permissions (Win2k and/or cvs) so that
the user can traverse a directory, but doesn't even know about the files
and directories he is not allowed to access?

- Is it safe to abandon the Win2k access restrictions and exclusively rely
on the cvs chacl permissions? The log output looks rather messy when using
the Win2k permissions on a directory basis. To do it right, one would have
to grant read access to only the .perms file (possibly also the .owner
file) in a directory, which gets pretty messy to configure.

Thanks for any tips,
Gerhard


-------------------------------------------------------------
Here is a quick run down on the permissions I have set on the server
(Win2k):
- RepositoryRoot: Full Control for admins, service and system only
(inherited throughout the repository)
- RepositoryRoot/CVSROOT: added Read for all other users
- RepositoryRoot/CVSROOT/history and val-tags: added Modify for all other
users
- traversal access to a module (that is if I want a user to have access to
a sub-module): add Read access for that user
- read-only access to a module: add Read and List Folder Contents access
for that user
- normal read-write access to a module: add Full Control for that user
- the temp directory is outside the repository root, and Everyone has Full
Control
- in the CVSROOT/config file I have a line with LockServer=localhost:2402
and also one with LockDir=... (also with Everyone having Full Control to
the lock dir). Do I need the LockDir entry at all, using LockServer?



