[cvsnt] Setting ACL: users aren't inheriting groups permissions

Cryer, Phil C. (STL) - cont PCCryer at express-scripts.com
Tue Dec 5 21:26:01 GMT 2006


Now that I have the ability and configuration to set up permissions
based on groups, I've added users to the group file, and to the passwd
file, but they don't seem to inherit the permissions the group should be
giving them.  Here's my setup, and checkout, checkin:



CVSROOT/admin
Cvs

CVSROOT/passwd
cvs:lSUlhBY1/MVQ2:cvs
pcryer:90SkAnPj9ICDw:cvs

CVSROOT/group
group1: cvs pcryer
group2: cvs
group3: lockedout

CVSROOT/checkoutlist
# The "checkoutlist" file is used to support additional version controlled
# administrative files in $CVSROOT/CVSROOT, such as template files.
group



Now the ACL listing:



cvs lsacl
Directory: CVSROOT
Owner: cvs

user=admin
        all

user=cvs
        all

<default>
        read
Directory: module1
Owner: cvs

user=group1
        read
        write
        create
        tag
        control

<default>
        read
Directory: module2
Owner: cvs

user=group2
        read
        write
        create
        tag
        control

<default>
        read



So to me it looks like my normal user 'pcryer' should be able to read
(checkout) both module1 and module2, but he shouldn't be able to write
to (checkin) module2 since module2 is user group2, and pcryer isn't
listed in CVSROOT/group as being in group2.  But after I do the
following:

 cvs -d :pserver:pcryer@localhost:/usr/local/development login
 cvs -d :pserver:pcryer@localhost:/usr/local/development co module1
 cvs -d :pserver:pcryer@localhost:/usr/local/development co module2

 echo foo>> module1/README.txt
 echo foo>> module2/LIC.txt



I can checkin both module1 and module2:



cvs -d :pserver:pcryer@localhost:/usr/local/development commit module1
Checking in module1/README.txt;
/usr/local/development/module1/README.txt,v  <--  README.txt
new revision: 1.5; previous revision: 1.4
done

cvs -d :pserver:pcryer@localhost:/usr/local/development commit module1
Checking in module2/LIC.txt;
/usr/local/development/module2/LIC.txt,v  <--  LIC.txt
new revision: 1.5; previous revision: 1.4
Done



Are the group permissions not being pulled in and matched to the user?
That's what it feels like, but I have group filled out, and group listed
in checkoutlist so it should be getting referenced...in a previous email
I was told:

> 5- Add the group file to the file CVSROOT/checkoutlist (see examples
> in there).

But there were no examples; Google revealed file names on newlines,
that's why I formatted checkoutlist as I did.

Ideas?

P
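
Added example, not part of the original message and not CVSNT code: the access this message expects, worked out from its own group file and lsacl listing. It assumes an ACL entry named after a group applies to that group's members, which is the poster's expectation rather than confirmed CVSNT behaviour; all function names are hypothetical.

```python
# Added example. Models the access the post expects, NOT CVSNT's own ACL
# evaluation. Assumption: an ACL entry named after a group applies to its members.
ALL = {"read", "write", "create", "tag", "control"}

# Inputs copied from the post (module1 and module2 only).
GROUP_FILE = "group1: cvs pcryer\ngroup2: cvs\ngroup3: lockedout\n"
_FULL = "        read\n        write\n        create\n        tag\n        control\n\n"
LSACL = (
    "Directory: module1\nOwner: cvs\n\nuser=group1\n" + _FULL + "<default>\n        read\n"
    "Directory: module2\nOwner: cvs\n\nuser=group2\n" + _FULL + "<default>\n        read\n"
)

def parse_groups(text):
    """CVSROOT/group: 'name: member member ...' per line -> {name: {members}}."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep and not name.lstrip().startswith("#"):
            groups[name.strip()] = set(members.split())
    return groups

def parse_lsacl(text):
    """'cvs lsacl' output -> {directory: {entry name: {rights}}}."""
    acl, directory, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Directory:"):
            directory, entry = line.split(":", 1)[1].strip(), None
            acl[directory] = {}
        elif line.startswith("user=") or line == "<default>":
            entry = line.split("=", 1)[-1]  # "user=group1" -> "group1"
            acl[directory][entry] = set()
        elif line and entry is not None:
            acl[directory][entry].add(line)  # a right listed under an entry
    return acl

def expected_rights(user, directory, acl, groups):
    """Rights the poster expects: union of matching entries, else <default>."""
    entries = acl[directory]
    names = {user} | {g for g, members in groups.items() if user in members}
    matched = [entries[n] for n in names if n in entries]
    rights = set().union(*matched) if matched else set(entries.get("<default>", ()))
    return set(ALL) if "all" in rights else rights

if __name__ == "__main__":
    acl, groups = parse_lsacl(LSACL), parse_groups(GROUP_FILE)
    for module in acl:
        print(module, "pcryer:", sorted(expected_rights("pcryer", module, acl, groups)))
```

Comparing this expected matrix with the commits that actually succeed shows where the server's behaviour departs from the intended policy.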

