1 2CVS Access Control List Extension Patch 3 4http://cvsacl.sourceforge.net/ 5sbaris@users.sourceforge.net 6 7CVSACL is a patch for CVS. It adds two new subcommands 8(acl & racl) to cvs for access control list management. It 9provides advanced ACL definitions per modules, directories, 10and files on branch/tag for remote cvs repository connections. 11Execution of all CVS subcommands can be controlled with eight 12different permissions. 13ACL definitions works for only remote connections, local users 14can access and modify repository, if unix file system permissions 15allow. If you want all users to make remote connections to 16repository, and not allow local users to access repository, you 17have to set CVSServerRunAsUser keyword in aclconfig file 18(explained below). 19Still local users can use acl and racl subcommands to set 20permissions on directories or files if they have acl admin rights (p) 21on related directories or files. 22So, in order to control all access to repository with this ACL 23extension, you should use CVSServerRunAsUser keyword and force all 24users to make remote connections. CVS repository administrator or 25project managers have to use acl and racl subcommands to manage 26permissions. But there is no gui client supporting these subcommands, 27so you have to use cvs client itself either locally or remotely. 28 29 30 31 32Permission Types 33 34- no access 35 Command line character: n 36 If a user given n permission, it is not allowed for any action on repository. 37- read 38 Command line character: r 39 r permission gives only read access on repository. 40 With r permission you are allowed to run cvs subcommands: annotate, 41 checkout, diff, export, log, rannotate, rdiff, rlog, status. 42- write 43 Command line character: w 44 w permission allows only cvs commit/checkin action. 45 With w permission, you are not allowed to add/remove any file to/from 46 repository, other permissions should be defines for that. 47- tag 48 Command line character: t 49 t permission allows cvs tag and rtag subcommands to run, so you may 50 control tagging and untagging operations. t permission includes r 51 permission, since without reading you can not tag/untag a file. 52 However t permission does not include write permission, you can not 53 commit a file with only t permission. 54- create 55 Command line character: c 56 c permission allows cvs add and import subcommands to run. To add or 57 import a file/directory to repository, you have to given a c 58 permission. Again, c permission does not include write permission, 59 thus you may only add or import files, but you can not modify any 60 existing file. After issuing add subcommand, you have to commit the file 61 to complete adding. This commit subcommand is allowed because you are 62 adding file and not modifying existing one. 63- delete 64 Command line character: d 65 d permission allows cvs remove command to run. To remove a file/directory 66 from repository, d permission have to set. It does not include write 67 permission, so you can not modify contents of an existing file on repository. 68- full access except admin rights 69 Command line character: a 70 a permission gives all access (above permissions) to repository, but it 71 can not modify permissions. Only acl admins may modify the acl definitions. 72- acl admin 73 Command line character: p 74 p permission means that user is an acl admin, so it is allowed to make anything on repository. 75 76 77ACL Config Keywords 78The administrative file aclconfig contains miscellaneous settings which 79affect the behaviour of ACL extension. Currently defined keywords are: 80 81UseCVSACL=value 82Use ACL definitions if set to yes. If you do not want to use ACLs for 83some repositories in a patched CVS server, set this keyword to no. The default is no. 84 85UseCVSACLDefaultPermissions=value 86Value can be any combination of valid permission types (w,r,t,c,d,t,a,p). 87if there is no defined ACL and default permission in access file, or no 88access file at all, this permissions are used. The default is p (admin rights), 89if aclconfig file is created with cvs init. 90 91UseCVSGroups=value 92CVS does not have a CVSROOT/passwd file. However it can be created manually 93(format should be same as /etc/group). If value set to yes, CVS checks for 94groups in file $CVSROOT/CVSROOT/group The default value is no. 95 96UseSystemGroups=value 97Group memberships for users are checked in file /etc/group, if value is set 98to yes. The default value is no. 99 100CVSACLFileLocation=value 101Originally access file is put under CVSROOT/CVSROOT, if you want a different 102location, set value to a valid path. The default value is $CVSROOT/CVSROOT/access. 103 104CVSGroupsFileLocation=value 105IF UseCVSGroups is set to yes, CVS looks for a group file under $CVSROOT/CVSROOT. 106To use a different location for group file set value to a valid path to group. 107The default value is $CVSROOT/CVSROOT/group. 108 109UseSeparateACLFileForEachDir=value 110If value is set to yes, a separate ACL file (access) is created for each 111directory in repository. If you have a really big repository 112(directories>10,000 and files>100,000), performance may drop due to a big 113acl file, access. Setting the value to yes, may increase performance. Normally, 114you will not need this. The default value is no. 115 116StopAtFirstPermissionDenied=value 117If StopAtFirstPermissionDenied is set to yes 118operation will stop at first permission denied message. 119e.g. when you send commit command for a directory, if you dont 120have write permission for just one file under the directory, 121by default you will have a warning and commit will continue 122on the other files. If you set this keyword to 'no', then 123commit operation will be stopped when inaccassable file found. 124Default is no. 125 126CVSServerRunAsUser=value 127Set CVSServerRunAsUser keyword to a valid system user. 128When a user make a remote connection to CVS, after successfull authentication 129cvs process switch to run as that user, or defined system user in 130$CVSROOT/CVSROOT/passwd. So, you also have to set unix file permissions accordingly. 131A better solution: 132Add a user and group such as both cvsadm. 133Set CVSServerRunAsUser keyword to cvsadm. 134Change unix file system permissions for your repository, 135make cvsadm user and group owner, and read,write,execute permissions and setgid. 136(chown cvsadm -R /path/to/your/repository) 137(chgrp cvsadm -R /path/to/your/repository) 138(chmod 2770 -R /path/to/your/repository) 139Add yourself to cvsadm group (since you are ACL administrator). 140Therefore, only users making remote connections will have access to repository 141if you give rights. Local users can not access to repository via a cvs client or directly. 142 143 144Command Line Usage Information 145acl command is used on checked out files or directories. racl command is 146used on repository without a working copy. Usage information can be obtained 147with standard cvs --help command. 148Output of cvs --help acl and cvs --help racl: 149 150Usage: cvs racl [user||group:permissions] [-Rl] [-r tag] 151 -R Process directories recursively. 152 -r rev Existing revision/tag. 153 -l List defined ACLs. 154 155Usage: cvs acl [user||group:permissions] [-Rl] [-r tag] 156 -R Process directories recursively. 157 -r rev Existing revision/tag. 158 -l List defined ACLs. 159 160NOTICE: there is no more -d -f options for directory and file, acl/racl 161subcommands works just like other cvs subcommands. 162 163You may directly set permissions for a user or group or add/remove 164permissions with + and - signs to/from existing permissions. 165If you do not give the branch/tag information, default value of HEAD 166(main branch) will be used. You have to give branch/tag name with -r option. 167You may type ALL for branch/tag field. 168 169While checking for permissions, it goes thorough the list below. So the highest 170significant permission is the first item in list. 171 172- permissions assigned to username for specific directory or file. 173- permissions assigned to group name for specific directory or file. 174- permissions as defaults for specific directory or file. 175- permissions assigned to parent folders (inherits from the first parent 176 which permissions are assigned). 177- permissions as repository defaults. 178- permissions in aclconfig file. 179 180 181 182 183Examples 184 /cvs/ 185 | 186 | 187 +--projectA/ 188 | | 189 | +---CVSROOT/ 190 | | 191 | +---lib/ 192 | | | 193 | | +---gnulib/ 194 | | | 195 | | +---zlib/ 196 | | 197 | +---src/ 198 | | | 199 | | +---main.c 200 | | | 201 | | +---server.c 202 | | | 203 | | +---client.c 204 | | 205 | +---gui/ 206 | 207 +--projectB/ 208We have above directory structure for a cvs repository, and no defined permissions. 209 210Setting main default permissions: 211 212$ cvs -d /cvs/projectA racl cvsadmin:p -r ALL ALL 213$ cvs -d /cvs/projectA racl ALL:r -r ALL ALL 214User cvsadmin will be an acl admin, and all other users will have only read 215rights on all branches/tags in projectA repository. This is the default acl 216definition and it overwrites default permissions in $CVSROOT/CVSROOT/aclconfig file. 217 218$ cvs -d /cvs/projectA racl ALL:r -r ALL ALL 219$ cvs -d /cvs/projectA racl ALL:n -r ALL gui 220After executing these two commands, all users will have read access on all 221directories and files except gui directory. Everyone will be denied to access to gui 222directory becase no access, n, permissions is set. 223 224Setting permissions directly on a file or directory: 225 226$ cvs -d /cvs/projectA racl userX:wcd lib 227$ cvs -d /cvs/projectA racl group1:w lib 228First command will set write, create, and delete permissions for userX on directory 229lib with branch HEAD (since no branch/tag information given, branch defaults to HEAD). 230Second command will set only write permission for group1 on directory lib with branch HEAD. 231Members of group1 will have only commit rights on lib directory, branch HEAD, they can 232not add or remove any file, just modify existing files. 233If userX is also a member of group1, userX will have write, create, and delete permissions 234because it is specifically given these permissions. 235 236$ cvs -d /cvs/projectA racl userY:wcd -r develStream lib 237$ cvs -d /cvs/projectA racl userY:r -r integStream lib 238These commands will give wcd permissions to userY on lib directory with tag develstream, 239and r permissions on lib directory with tag integStream. 240 241$ cvs -d /cvs/projectA racl userZ:wcd src 242$ cvs -d /cvs/projectA racl userZ:r src/main.c 243First command will give wcd permissions to userZ on src directory, but only read 244permission on file main.c in src directory. 245 246Using + and - signs to set permissions on a file or directory: 247 248$ cvs -d /cvs/projectA racl userZ:+t src 249$ cvs -d /cvs/projectA racl userZ:-cd src 250$ cvs -d /cvs/projectA racl userZ:-wt src 251Before the first command, userZ has wcd permissions on src directory, after issuing 252command it will have wcdt permissions. Tag permission will be added. UserZ has wcdt 253permissions, and we execute the second command to remove create and delete permissions. 254So userZ has wt permissions. In the last command we also remove wt permissions, finally 255userZ has no defined permissions left, and it will use the default permissions if set. 256 257Listing permissions on a file or directory: 258 259$ cvs -d /cvs/projectA racl -l src 260$ cvs -d /cvs/projectA racl -l src 261$ cvs -d /cvs/projectA racl -l src/main.c 262 263First command will list the permissions for src directory. 264Example output: 265d src HEAD | userX:wcd group1:r | defaults:r 266userX and group1 has assigned permissions, all other users will have default 267permissions, which is only read. 268 269Second command will list the permissions for files in src directory. 270Example output: 271f src/main.c HEAD | userX:wcd group1:r | defaults:r 272f src/server.c HEAD | userX:wcd group1:r | defaults:r 273f src/client.c HEAD | userX:wcd group1:r | defaults:r 274 275Third command will list the permissions for main.c file in src directory. 276Example output: 277f src/main.c HEAD | userX:wcd group1:r | defaults:r 278 279 280