[cvsnt] CVSNT not enforcing read-only ACL
Marco Rinaudo
marco at NoSpam.rinaudo.com
Sun Jul 3 04:43:48 BST 2005
(CVSNT) 2.5.01 (Travis) Build 1976 (client/server) in a Linux Redhat 9
server, installed from RPM.
I use pserver as authentication method.
Everything works in a perfect manner except I am not able to enforce
read-only rights for a user in regard of a specific directory or in regard
of a specific file. Please note that I wish to do it using CVSNT acl
internal system, I do not wish to manually change directories and files
permission at the linux file system level.
Let me show my steps from the creation of a module to the setup of
corresponding rights.
From outside the cvsroot I issue the following commands:
---------------------
[root@power root]# mkdir mymodule
[root@power root]# cd mymodule
---------------------
now I copy a random file inside my new directory mymodule:
[root@power mymodule]# cp /etc/redhat-release .
now I am ready to create the new module under my repository:
--------------------------------
[root@power mymodule]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs
import -d mymodule vendor_name initial
Output of the previous command:
N mymodule/redhat-release
No conflicts created by this import
-------------------------------
Now the module named mymodule is under my repository
To be really sure, let me issue an "ls" command:
-----------------------
[root@power mymodule]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs
ls
Listing modules on server
CVSROOT
mymodule
-----------------------
Very good, I am proud of myself!
Now let me check the rights associated with mymodule:
-----------------------
[root@power mymodule]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs
rlsacl mymodule
Directory: mymodule
Owner: MyLogin
----------------------
OK, now it's time to tell the server that my user named myuser has only
READ-ONLY rights under the module mymodule:
--------------------------------
[root@power mymodule]# cd /tmp
[root@power tmp]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs
checkout mymodule
cvsnt server: Updating mymodule
U mymodule/redhat-release
[root@power test]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs chacl -u
myuser -a read mymodule
setting ACL for directory mymodule
--------------------------------
Now let me check that my ACLs are set as I was expecting:
------------------------
[root@power test]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs
lsacl mymodule
Directory: mymodule
Owner: MyLogin
user=myuser
read
[root@power test]# cvs -d :pserver:MyLogin:MyPassword@MyServer.Com:/cvs
rlsacl mymodule
Directory: mymodule
Owner: MyLogin
user=myuser
read
----------------------------------------
I eventually managed to successfully set "read" rights for the user named
myuser under the module named mymodule.
I am now expecting that myuser is not able to WRITE under mymodule, she is
supposed to be ONLY able to read not to write. Am I wrong?
Of course if I am writing here that's because I have to be wrong somewhere
because myuser is able to read and write whatever she likes under mymodule.
She can commit change to redhat-release, she can create new files, she can
remove files, she can read files, she can create new directories, she can do
whatever she likes...
The only way I managed to prevent myuser from adding or changing or
committing new files was when I set the corresponding ACL to "none"
(chacl -u myuser -a none), which is too strict; I just want to give her the
right to read a file but not to change it. Again, please note I need to
achieve the expected result using CVSNT ACLs; a Linux filesystem workaround
will not solve my problem.
Just to give you a full overview of my configuration, note that:
MyLogin is inside CVSROOT/admin
and
myuser is inside CVSROOT/writers
If I remove myuser from CVSROOT/writers, myuser is not able to write at all,
not just under mymodule, nowhere.
On the other hand, if I remove myuser from CVSROOT/writers and I add the
writing right using the CVSNT ACL (chacl -u myuser -a read,writer
mymodule), myuser is not able to write either.
Please advise.
Marco Rinaudo.
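As an added check that is not part of the original post and not CVSNT's own code: a small POSIX shell harness that automates what the post does by hand, setting a "read" ACL as the admin and then, as the restricted user, attempting the writes the post reports as wrongly allowed (commit a changed file, add and commit a new file). The CVSROOT strings, user names and the file name are hypothetical; it assumes a cvs/cvsnt client on PATH, pserver access, and "cvs chacl -u USER -a read MODULE" run from a checkout exactly as in the post. Use it against a scratch module, because if the ACL is not enforced the probe commits really land in the repository.

```shell
#!/bin/sh
# Added example, not from the original post or the CVSNT project: probe
# whether a CVSNT "read" ACL is actually enforced for a user by attempting,
# as that user, the writes the post reports as wrongly allowed.
#
# Assumptions (all hypothetical): a cvs/cvsnt client on PATH, pserver access,
# CVSROOT strings of the form :pserver:login:password@host:/cvs for an admin
# and for the restricted user, and "cvs chacl -u USER -a read MODULE" used
# exactly as in the post. If the ACL is not enforced, the probe commits land
# in the repository, so point it at a scratch module.

# set_readonly ADMIN_ROOT USER MODULE
# Grants USER only "read" on MODULE, running chacl from a fresh checkout
# (the post runs chacl from a checkout, not with rchacl).
set_readonly() {
    admin_root=$1; user=$2; module=$3
    work=$(mktemp -d) || return 2
    (
        cd "$work" &&
        cvs -d "$admin_root" -Q checkout "$module" &&
        cvs -d "$admin_root" chacl -u "$user" -a read "$module"
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

# attempted_writes USER_ROOT MODULE FILE
# As the restricted user: modify FILE and commit, then add a new file and
# commit. Prints the name of every write the server ACCEPTED, one per line;
# prints nothing when all of them were refused. Exit 2 on harness errors.
attempted_writes() {
    user_root=$1; module=$2; file=$3
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2
        cvs -d "$user_root" -Q checkout "$module" || exit 2
        cd "$module" || exit 2
        # 1. change an existing versioned file and try to commit it
        echo "acl probe $(date +%s)" >> "$file"
        if cvs -d "$user_root" -Q commit -m "acl probe: modify" "$file" >/dev/null 2>&1; then
            echo modify
        fi
        # 2. add a brand-new file and try to commit it
        echo probe > acl-probe.txt
        if cvs -d "$user_root" -Q add acl-probe.txt >/dev/null 2>&1 &&
           cvs -d "$user_root" -Q commit -m "acl probe: add" acl-probe.txt >/dev/null 2>&1; then
            echo add
        fi
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

# check_readonly_enforced USER_ROOT MODULE FILE
# Returns 0 when every probed write was refused (ACL enforced), 1 when at
# least one write went through (the behaviour the post describes), 2 on error.
check_readonly_enforced() {
    out=$(attempted_writes "$1" "$2" "$3") || return 2
    [ -z "$out" ] && return 0
    echo "read ACL NOT enforced on $2; accepted writes: $(printf '%s' "$out" | tr '\n' ' ')" >&2
    return 1
}

# Stand-alone use:
#   sh acl-probe.sh ADMIN_ROOT USER_ROOT USER MODULE FILE
if [ "$#" -eq 5 ]; then
    set_readonly "$1" "$3" "$4" && check_readonly_enforced "$2" "$4" "$5"
fi
```

A non-zero exit from check_readonly_enforced reproduces the post's finding (a "read" ACL that still accepts commits); a zero exit is the behaviour the poster expected. Because writes are probed as the restricted user with her own CVSROOT string, the check also covers the CVSROOT/writers membership the post mentions: remove her from writers and the probe should report every write refused regardless of the ACL.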