[cvsnt] CVSNT not enforcing read-only ACL

Mike Wake mike.wake at thales-tts.com
Mon Jul 4 10:04:56 BST 2005


Give

cvs -d :MyLogin:MyPassword@MyServer.Com:/cvs chacl -u
myuser -a read,nowrite,nocreate,notag,nocontrol,  mymodule

a try.

Cheers
Mikew



Marco Rinaudo wrote:
> (CVSNT) 2.5.01 (Travis) Build 1976 (client/server) in a Linux Redhat 9 
> server, installed from RPM.
> I use pserver as authentication method.
> 
> Everything works in a perfect manner except I am not able to enforce 
> read-only rights for a user in regard of a specific directory or in regard 
> of a specific file. Please note that I wish to do it using CVSNT acl 
> internal system, I do not wish to manually change directories and files 
> permission at the linux file system level.
> 
> Let me show my steps from the creation of a module to the setup of 
> corresponding rights.
> From outside the cvsroot I issue the following commands:
> 
> ---------------------
> [root@power root]# mkdir mymodule
> [root@power root]# cd mymodule
> ---------------------
> 
> now I copy a random file inside my new directory mymodule:
> 
> [root@power mymodule]# cp /etc/redhat-release .
> 
> now I am ready to create the new module under my repository:
> 
> --------------------------------
> [root@power mymodule]#  cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs 
> import -d mymodule vendor_name initial
> 
> Output of the previous command:
> N mymodule/redhat-release
> 
> No conflicts created by this import
> -------------------------------
> 
> Now the module named mymodule is under my repository
> 
> To be really sure, let's issue an "ls" command:
> 
> -----------------------
> [root@power mymodule]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs 
> ls
> Listing modules on server
> 
> CVSROOT
> mymodule
> -----------------------
> 
> Very good, I am proud of myself!
> Now let's check the rights associated with mymodule:
> 
> -----------------------
> [root@power mymodule]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs 
> rlsacl mymodule
> Directory: mymodule
> Owner: MyLogin
> ----------------------
> 
> ok, now it's time to tell the server that my user named myuser has only 
> READ-ONLY rights under the module mymodule:
> 
> --------------------------------
> [root@power mymodule]# cd /tmp
> [root@power tmp]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs 
> checkout  mymodule
> cvsnt server: Updating mymodule
> U mymodule/redhat-release
> [root@power test]# cvs -d :MyLogin:MyPassword@MyServer.Com:/cvs chacl -u 
> myuser -a read  mymodule
> setting ACL for directory mymodule
> --------------------------------
> 
> now let's check that my ACLs are set as I was expecting:
> 
> ------------------------
> [root@power test]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs 
> lsacl mymodule
> Directory: mymodule
> Owner: MyLogin
> 
> user=myuser
>         read
> [root@power test]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs 
> rlsacl mymodule
> Directory: mymodule
> Owner: MyLogin
> 
> user=myuser
>         read
> ----------------------------------------
> 
> I eventually managed to successfully set "read" rights for the user named 
> myuser under the module named mymodule.
> I am now expecting that myuser is not able to WRITE under mymodule, she is 
> supposed to be ONLY able to read not to write. Am I wrong?
> Of course if I am writing here that's because I have to be wrong somewhere 
> because myuser is able to read and write whatever she likes under mymodule. 
> She can commit change to redhat-release, she can create new files, she can 
> remove files, she can read files, she can create new directories, she can do 
> whatever she likes...
> The only way I managed to prevent myuser from adding or changing or 
> committing new files was when I set the corresponding ACL to "none" ( 
> chacl -u myuser -a none), which is too strict, I just want to give her the 
> right to read a file but not to change it. Again please note I need to 
> achieve the expected result using CVSNT ACLs, a linux filesystem workaround 
> will not solve my problem.
> 
> Just to give you a full overview of my configuration, note that:
> 
> MyLogin is inside CVSROOT/admin
> and
> myuser is inside CVSROOT/writers
> 
> If I remove myuser from CVSROOT/writers, myuser is not able to write at all, 
> not just under mymodule, nowhere.
> On the other hand if I remove myuser from CVSROOT/writers and I add the 
> writing right using the CVSNT ACL ( chacl -u myuser -a read,writer 
> mymodule) myuser is not able to write either.
> 
> Please advise.
> 
> Marco Rinaudo.