[cvsnt] ACLs again...
Gerhard Fiedler
lists at connectionbrazil.com
Fri Jan 13 13:09:31 GMT 2006
Hello,
I still have trouble understanding the ACL logic. IIRC, it was said (by The
Source :) that they are recursive, and that lsacl shows what is set in a
given module.
I understand that to mean that if a user/group has certain rights (as shown
by the lsacl command) in a module, they continue to have those same rights
in all modules below -- unless other specific ACL settings appear in those
modules below (again as shown by the command lsacl).
Yet, it doesn't seem to work that way.
I have a module General with the following ACLs. The (for my example)
interesting part is group2. The user I ran the tests with is a member of
group2, but not of group1.
p:\general>cvs lsacl
Directory: .
Owner: gfiedler
user=group1
read
user=group2
read
write
create
tag
user=gfiedler
all
<default>
none
A user belonging to group2 can read from and write to this module.
Below General, there is a module Graphics with these ACLs:
p:\general\graphics>cvs lsacl
Directory: .
Owner: gfiedler
user=group1
read
user=gfiedler
read
write
create
tag
user=testdev
read
<default>
none
It used to have an entry for group2 (equal to the ACLs for General listed
above), but thinking that this was redundant, I removed it (with chacl -d),
with the result as shown by the lsacl output above. But now group2 doesn't
have any access to General/Graphics. If I add explicit ACLs for group2 back
to the Graphics module, their users get access again.
This is version
p:\>cvs ver
Client: Concurrent Versions System (CVSNT) 2.5.03 (Scorpio) Build 2151
(client/server)
Server: Concurrent Versions System (CVSNT) 2.5.03 (Scorpio) Build 2151
(client/server)
My question is: Is there a defined procedure to use the lsacl command to
derive the actual permissions of a user/group in a given module? If not, is
there any way to determine the actual permissions in a given module?
The answer I remembered (that it is recursive) doesn't seem to work. If it
were, the absence of any specific ACLs for group2 in General/Graphics/
should indicate that the ACLs from General/ are still in place. Yet they
aren't.
I'm also confused about what exactly lsacl shows: the ACLs effectively in
use for a given module or the ACLs explicitly set in that module -- or
something else? The answer I previously received (the ACLs explicitly set
in a given module) seems not to match the information that ACLs are
recursive, or it doesn't show all the relevant information.
Can someone please help me to definitively understand the relationship
between the ACLs that are being used by cvsnt and the output of lsacl?
Thanks,
Gerhard
More information about the cvsnt
mailing list