[cvsnt] CVSNT not enforcing read-only ACL

Marco Rinaudo marco at NoSpam.rinaudo.com
Sun Jul 3 04:43:48 BST 2005


(CVSNT) 2.5.01 (Travis) Build 1976 (client/server) in a Linux Redhat 9 
server, installed from RPM.
I use pserver as authentication method.

Everything works in a perfect manner except I am not able to enforce 
read-only rights for a user in regard of a specific directory or in regard 
of a specific file. Please note that I wish to do it using CVSNT acl 
internal system, I do not wish to manually change directories and files 
permission at the linux file system level.

Let me show my steps from the creation of a module to the setup of 
corresponding rights.
From outside the cvsroot I issue the following commands:

---------------------
[root@power root]# mkdir mymodule
[root@power root]# cd mymodule
---------------------

now I copy a random file inside my new directory mymodule:

[root@power mymodule]# cp /etc/redhat-release .

now I am ready to create the new module under my repository:

--------------------------------
[root@power mymodule]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs import -d mymodule vendor_name initial

Output of the previous command:
N mymodule/redhat-release

No conflicts created by this import
-------------------------------

Now the module named mymodule is under my repository

To be really sure, let me issue an "ls" command:

-----------------------
[root@power mymodule]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs ls
Listing modules on server

CVSROOT
mymodule
-----------------------

Very good, I am proud of myself!
Now let me check the rights associated with mymodule:

-----------------------
[root@power mymodule]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs rlsacl mymodule
Directory: mymodule
Owner: MyLogin
----------------------

ok, now it's time to tell the server that my user named myuser has only 
READ-ONLY rights under the module mymodule:

--------------------------------
[root@power mymodule]# cd /tmp
[root@power tmp]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs checkout  mymodule
cvsnt server: Updating mymodule
U mymodule/redhat-release
[root@power test]# cvs -d :MyLogin:MyPassword@MyServer.Com:/cvs chacl -u myuser -a read  mymodule
setting ACL for directory mymodule
--------------------------------

now let me check that my ACLs are set as I was expecting:

------------------------
[root@power test]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs lsacl mymodule
Directory: mymodule
Owner: MyLogin

user=myuser
        read
[root@power test]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs rlsacl mymodule
Directory: mymodule
Owner: MyLogin

user=myuser
        read
----------------------------------------

I eventually managed to successfully set "read" rights for the user named 
myuser under the module named mymodule.
I am now expecting that myuser is not able to WRITE under mymodule; she is 
supposed to be ONLY able to read, not to write. Am I wrong?
Of course, if I am writing here that's because I have to be wrong somewhere, 
because myuser is able to read and write whatever she likes under mymodule. 
She can commit changes to redhat-release, she can create new files, she can 
remove files, she can read files, she can create new directories, she can do 
whatever she likes...
The only way I managed to prevent myuser from adding or changing or 
committing new files was when I set the corresponding ACL to "none" 
(chacl -u myuser -a none), which is too strict; I just want to give her the 
right to read a file but not to change it. Again, please note I need to 
achieve the expected result using CVSNT ACLs; a Linux filesystem workaround 
will not solve my problem.

Just to give you a full overview of my configuration, note that:

MyLogin is inside CVSROOT/admin
and
myuser is inside CVSROOT/writers

If I remove myuser from CVSROOT/writers, myuser is not able to write at all, 
not just under mymodule, nowhere.
On the other hand, if I remove myuser from CVSROOT/writers and I add the 
writing right using the CVSNT ACL (chacl -u myuser -a read,writer 
mymodule), myuser is not able to write either.

Please advise.

Marco Rinaudo.