[cvsnt] chacl operation is weird...

dzielke at aep.com dzielke at aep.com
Wed May 4 15:47:23 BST 2005 

I am really struggling with this access control stuff.  It doesn't seem to 
be working.  We are using pserver access, and the config file has 
SystemAuth=yes.  The server is running 2.0.58b on a Linux box.  Access is 
via the Linux command line as well, at least for these examples.

When I run the cvs chacl command for the directory it appears to set the 
permission correctly:

$ cvs chacl -u testgroup -a read,write,tag .
setting ACL for directory .

the Fileattr.xml file then has this entry:

<directory>
    <acl user="<feff>testgroup">
      <read />
      <tag />
      <write />
    </acl>
  </directory>

First of all, I get that weird control character in front of the user 
name, which in this case is a group defined in the CVSROOT/group file. 
It's defined as:

testgroup: lhall dzielke 

Then I set the ACL for the files:

$ cvs chacl -u testgroup -a read,write *
setting ACL for file cederqvist-1.11.19.pdf
setting ACL for file desktop.ini
setting ACL for file OSDevWithCVS_3E.pdf
setting ACL for file SecurID Remote Access.doc
setting ACL for file TortoiseCVSmenu.jpg
cvs chacl: warning: directory CVS specified in argument
cvs chacl: but CVS uses CVS for its own purposes; skipping CVS directory

And I get the same weird control character in front of the first file 
named in the fileattr.xml.  Doesn't seem to hurt anything, BUT... Only the 
first file gets the proper attributes of read, write.  The others only get 
read... 

<file name="<feff>cederqvist-1.11.19.pdf">
    <acl user="testgroup">
      <read />
      <write />
    </acl>
  </file>
  <file name="desktop.ini">
    <acl user="testgroup">
      <read />
    </acl>
  </file>
etc.......

So I add a line to desktop.ini and try to check in the file, using a user 
that is in the group "testgroup" that I created.  It works, I can check in 
the file.  So far so good.

But when I try checking in the file as a user that is not on the test 
group (dzielke2), it still works.  Shouldn't it deny the user not in the 
group that specifically has write access to the file?  This is how the 
example is set up in the cvsnt manual... (see page 26!)

Subsequent runs of the cvs chacl command to specifically forbid access to 
my second userid (dzielke2) do nothing to the fileattr.xml file.  Well, it 
did re-order the entries but it did not alter them in any other way.

Guidance and suggestions are welcome... but I have been RTFM (and the 
archives) and I'm still not able to get it to work.  ;-)  The ONLY thing I 
can think of is that it's our version of CVS (being several releases out 
of date) just isn't properly supporting ACL.

Tony, Glenn, whomever... once I get this working, I officially volunteer 
to update the documentation to show how it works! :-)

Thanks,
Don Zielke
American Electric Power
Direct (614) 583-6337
Audinet 8-220-6337
Email dzielke (at) aep.com
---
KForce Professional Staffing
501 W. Schrock Road Suite 207
Westerville, OH 43081

More information about the cvsnt mailing list