[cvsnt] Re: Rule of Owner (Tony Hoyle)

capaverde at 3ia.com.br capaverde at 3ia.com.br
Mon May 2 17:28:33 BST 2005


Reading the code snippet that validates the owner user for a
module, I saw the following in function verify_owner(), file
perms.cpp, line 278:

return verify_valid_name(n->GetValue());

Analyzing the verify_valid_name() function and reading the debug
output produced by CVS with the -ttt option, I understood that only
the names of the groups the user belongs to are added to the list valid_groups.
So if the owner was a group, the ownership should be determined
correctly. Instead, if a user was the owner, verify_owner would
always return FALSE, even if the logged-in user was the real owner.
I recompiled CVS with a slight addition to this line:

return verify_valid_name(n->GetValue()) || (!usercmp(CVS_Username, n->GetValue()));

I tested and CVS started to behave correctly as stated in your reply,
i.e., the owner has control access to their module.
If my fix is correct, could you put it in the next releases of CVSNT?

Capaverde

> capaverde at 3ia.com.br wrote:
>> What is the rule of module's owner?
>> Until 2.0.51d, Owner user used to have the right to change the module's
>> permission, no matter whether he/she was explicitly allowed or denied to do it.
>> I'm evaluating 2.5.1.1927 and found that the only right that the owner has
>> is to change the owner. The owner can only control the module's ACL if he/she
>> has the control right, just like any other user. So, as far as I could see,
>> the usefulness of module ownership is limited to administrative information,
>> and no security purposes as it used to be. Am I right?
>
> The owner has control access always (owners may be groups also).  It's
> not particularly useful though as it's probably easier to give control
> access to particular users/groups, especially when using inheritable
> permissions.
>
> Tony
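
The owner check discussed in this message, as an added example that is not CVSNT source and not part of the original post: a simplified model of the check before and after the one-line change. Session, in_valid_groups(), same_name() and both owner_check_* functions are hypothetical stand-ins, and the case-insensitive name comparison is an assumption about usercmp().

```cpp
// Added illustration: simplified model of the owner check, not CVSNT code.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Assumption: names compare case-insensitively (stand-in for usercmp()).
static bool same_name(const std::string& a, const std::string& b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(),
                      [](unsigned char x, unsigned char y) {
                          return std::tolower(x) == std::tolower(y);
                      });
}

struct Session {
    std::string username;                   // stand-in for CVS_Username
    std::vector<std::string> valid_groups;  // groups the user belongs to
};

// Stand-in for verify_valid_name(): only group names are consulted.
static bool in_valid_groups(const Session& s, const std::string& name) {
    return std::any_of(s.valid_groups.begin(), s.valid_groups.end(),
                       [&](const std::string& g) { return same_name(g, name); });
}

// Behaviour described in the post: a user-type owner never matches.
bool owner_check_before(const Session& s, const std::string& owner) {
    return in_valid_groups(s, owner);
}

// Behaviour with the posted change: group match OR username match.
bool owner_check_after(const Session& s, const std::string& owner) {
    return in_valid_groups(s, owner) || same_name(s.username, owner);
}

int main() {
    Session alice{"alice", {"devs"}};  // constructed sample sessions
    Session bob{"bob", {"qa"}};
    Session devs_login{"devs", {"qa"}};  // login equal to a group name
    bool ok = !owner_check_before(alice, "alice")  // the reported bug
           && owner_check_after(alice, "alice")    // fixed for user owners
           && owner_check_after(alice, "devs")     // group owners still work
           && !owner_check_after(bob, "alice")     // non-owner stays denied
           && owner_check_after(devs_login, "devs");  // namespace overlap
    return ok ? 0 : 1;
}
```

In this model the owner value is a single name tested against both the group list and the login, so the last case passes for a login that equals the owning group's name; keeping user and group names disjoint avoids that overlap.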





