[cvsnt] CVSNT client resets ACLs?
Borbarad at gmxpro.net
Tue Jan 27 23:37:50 GMT 2009
thanks for your reply.
> I suppose security and audit compliance means nothing to your
> orgnaisation, let alone productivity...
I suppose, I'd be the wrong person to ask for this.
Also, it's not "my" organization, so I have no real leverage in changing it.
> Specifically by not using CVSNT server you are missing out on: user
> defined change sets, merge tracking, auto merges (mergepoint), real ACLs
> (including branches), failsafe audit, commit identifiers (some people
> call this atomicity), secure repositories (aliases, mode, dynamic
> protocol disabling etc, chroot jail etc).
I'll suggest it, but as I mentioned it is not up to me.
> The 'x' bit is the mode not the ACL.
I am aware of this. When mentioning ACL I am talking about the NT notion of an ACL, not whatever CVSNT has implemented as ACLs.
> CVS server stores the 'mode' of the checked out file in the 'mode' of
> the RCS file (ie: to have build.sh as executable then build.sh,v needs
> to be executable) - which some sysadmins see as a security risk - hence
> why CVSNT Server stores the executable bit in the RCS file itself as an
An even better reason to urge people in the company to upgrade to CVSNT. Let's see whether these arguments help.
> Every CVS client (CVS, CVSNT etc) sends the 'mode' of the file to the
> server with each commit - however on windows there is no 'execute bit'
> (executable files are defined based on the extension or the environment
> variable PATHEXT) - so on windows the 'execute' bit is always removed on
Wouldn't that mean that checking it out again causes the script to become non-executable after checking it out anew? Due to this mapping between NT ACLs and the file mode on the CVS server/RCS file?
> With CVSNT client you could try experimenting with "set CYGWIN=ntsec" or
> "set CVSNT=ntsec" to see if some combination of ntsec, ntea, nontsec,
> nontea works better.
Thanks, will try that.
> The 'mode' of the file is not an ACL by any definition, please do not
> confuse terms...
I am aware of that, but apparently some kind of mapping between NT ACLs and the file mode *is* going on. And in that sense I definitely meant ACLs ;)
Thanks again for the swift and detailed reply,
PS: Re-sent through the list, because I replied to Arthur only accidentally.
More information about the cvsnt