[cvsnt] RE: chacl problem configuring access to individual files

Arthur Barrett arthur.barrett at march-hare.com
Thu Apr 27 08:11:11 BST 2006


Ted,

As a general rule of thumb - permissions should be applied to directories not individual files.  The CVSNT acl system was designed primarily for application to directories.

In our professional support we're noticing a lot of "education" is required about the interrelationship between source code file organisation and configuration management.  The next edition of the eBook will have a chapter on just that.  Very very very briefly - code that shares common attributes (security requirements, "sharing" etc) should always exist in its own directory.  In that way permissions can be easily controlled (and inherited) and also allows for easy re-definition of modules via modules2.

Technically ACLs on files work - but the results can often be surprising.

Whether your scenario constitutes a bug or not would require some debate on the newsgroup - anyone else commenting?  

Regards,


Arthur Barrett


-----Original Message-----
From:	cvsnt-bounces at cvsnt.org on behalf of Hayes, Ted (London)
Sent:	Wed 4/26/2006 9:08 PM
To:	cvsnt at cvsnt.org
Cc:	
Subject:	[cvsnt] chacl problem configuring access to individual files

Hi

I am running CVSNT 2.5.03 build 2151 on Solaris 9 with accounts set up
for pserver access, and all pserver accesses run under a single Unix
user account that owns the whole repository.  The repository PServer
file is set up with AclMode=normal and SystemAuth=no and I am a
repository administrator (I am using this configuration rather than ssh
since as a humble grunt programmer although I can sudo to the repository
owner account, I am not allowed to know the incantations for
administering Unix accounts).

My understanding is that with this AclMode setting, by default no-one
will have access to anything.  This seems to be the case.  What I am
trying to do is give non-administrative users (or a group via
CVSROOT/group) read access to a particular directory tree, but write
access to only a subset of files within it.

I have tried to do this with something like

cvsnt rchacl -a read -u testuser project-root-dir
cvsnt rchacl -a read,write -u testuser project-root-dir/subdir/testfile

I have inspected the fileattr.xml in the repository project-root-dir/CVS
and project-root-dir/subdir/CVS and these appear as I would expect - but
when testuser tries to commit a change to testfile the server returns

cvsnt server: User 'testuser' cannot write to
/repository/project-root-dir/subdir

so (guessing) the lack of directory write permission appears to be
overriding my file write permission.  Currently to get the show on the
road I have had to grant the user non-inheritable write to the entire
directory, but this is less than ideal. Can anyone tell me if I am
getting something wrong here, or is this a known problem etc?

Thanks in advance for any help

regards
Ted Hayes