www.thornleyware.com

Providing customized source code control with CVS

CVS and Access Control

CVS controls access to the source code in a repository through directory permissions. If a user has full permissions on a directory, then that user can check files in and out of that directory. If a user cannot write to a directory, that user can neither read nor write the files in it, unless a separate lock directory is used.

In Unix, the normal means to control permissions is by assigning them to users, groups, and the universe. One user can belong to many groups. (Many Unix variants have finer access control, called Access Control Lists or ACLs, and these can be used to fine-tune permissions.)

To implement this, you would create one Unix group for each separate project that you might wish to restrict, and make every user who should have access a member of the corresponding group. Then you make sure that the directories in that project belong to the group, and that there is no universal write access to the directories. (If you are supporting read-only users, you must provide universal read access: you cannot have a small group of read-write users, a larger group of read-only users, and people who can neither read nor write.)

Specifically, you should set the CVSROOT directory so that it can only be accessed by your CVS administrators. It is convenient to name this group "cvsadmin", since the cvsadmin group is also the only group allowed to use the more dangerous "cvs admin" subcommands.

This is a process for securing CVSROOT, with annotations to show where the process will differ for other directories:

  1. Become root by typing su - and entering the root password.
  2. Examine the /etc/group file. It will have entries of the form <group name>:<password>:<group number>:<users in group>.
  3. Add a group named "cvsadmin". This can be done by manually editing the /etc/group file, or with a system command like groupadd cvsadmin.
  4. Add the necessary users to the "cvsadmin" group. This can easily be done by editing /etc/group and putting their login IDs after the last colon. On my Linux system the line is:
    cvsadmin:x:61:david,dht
    Do not use spaces in that line.
  5. Go to the repository directory with cd <repository directory>.
  6. Change the group of CVSROOT with chgrp cvsadmin CVSROOT.
  7. Allow all permissions for the owner and the group with chmod ug+rwx CVSROOT.
  8. Remove all universal permissions with chmod o-rwx CVSROOT.
  9. For read-only directories only, not CVSROOT: chmod o+r <directory name>.
  10. Set the "gid" (set-group-ID) bit with chmod g+s CVSROOT. (On Linux, this means that all files and subdirectories created inside the directory automatically get the same group. It is not necessary for CVSROOT.)

There are shortcuts in the use of chmod that I could have used above, but the combination of "u, g, o" for "user, group, other" and "r, w, x" for "read, write, execute" with "+" and "-" to add and delete permissions is simple and easily usable by people without experience using "chmod".
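
A way to check that a directory ended up in the state the steps above describe, as an added example that is not part of the original page. The function name audit_cvs_dir and its three KIND values are assumptions made for this example; it parses ls -ld output and changes nothing.

```shell
#!/bin/sh
# Audit a repository directory against the permission scheme in the steps above.
# usage: audit_cvs_dir DIR GROUP KIND      (hypothetical helper, not part of CVS)
#   KIND=admin     CVSROOT: no access at all for "other" (steps 6-8)
#   KIND=private   project directory: as admin, plus the setgid bit (step 10)
#   KIND=readonly  project directory: "other" may read but not write (step 9)
# Prints one line per finding; returns 0 when the directory is clean.
audit_cvs_dir() {
    dir=$1; want=$2; kind=$3; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    # Parse ls -ld rather than stat(1), whose options differ between systems.
    line=$(ls -ld -- "$dir")
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    u=$(printf '%s' "$mode" | cut -c2-4)    # owner bits
    g=$(printf '%s' "$mode" | cut -c5-7)    # group bits; s or S in 3rd place = setgid
    o=$(printf '%s' "$mode" | cut -c8-10)   # other bits

    [ "$group" = "$want" ] || { echo "$dir: group is $group, expected $want"; rc=1; }
    [ "$u" = rwx ] || { echo "$dir: owner bits are $u, expected rwx"; rc=1; }
    case $g in
        rwx|rws) ;;
        *) echo "$dir: group bits are $g, expected rwx"; rc=1 ;;
    esac
    case $o in
        ?w?) echo "$dir: writable by other"; rc=1 ;;
    esac
    case $kind in
        readonly)
            case $o in r??) ;; *) echo "$dir: other cannot read"; rc=1 ;; esac ;;
        *)
            [ "$o" = "---" ] || { echo "$dir: other bits are $o, expected ---"; rc=1; } ;;
    esac
    # The page treats setgid as unnecessary for CVSROOT, so only project
    # directories are required to have it.
    if [ "$kind" != admin ]; then
        case $g in ??[sS]) ;; *) echo "$dir: setgid bit not set"; rc=1 ;; esac
    fi
    return $rc
}
```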

As the group membership changes, people will have to be added to or deleted from the /etc/group line.

All contents of these pages Copyright 2002 by David H. Thornley.
Permission granted for verbatim copying and use within an organization.

