[Techtalk] cvs permissions

Conor Daly conor.daly at oceanfree.net
Mon May 17 23:08:35 EST 2004 

Firstly, apologies for being in 'take' mode most of the time lately.  I'm
finding it hard to make time to contribute just now...  Anyway, as a
further example of 'take':

I'm trying to figure out a security model for a CVS server within our
small (~10) developer group.  Up to now we've been working on a model of
'everyone has the dba password' which covers database owner, data handling
applications and source code storage.  It's not satisfactory and I've been
charged with the task of coming up with a better model. 

There are a few things that come to mind immediately like creating an
extra set of users and starting to use groups.  My preliminary model looks
like:

User		Task				Access
dba		routine database operations	database + dirs
dba-admin	database admin ops		database + dirs + apps
dba-devel	database development		dirs + apps + cvs
app		data handling ops		dirs
app-devel	application development		dirs + apps + cvs
app-doc		database and apps documentation	dirs + cvs

Actually, these are more likely to be groups than users (apart from 'dba'
who is everything presently).  I may create 'apps' as a user and use some
kind of 'sudo' operation to allow it to run dba permissions where
required.  Of course, I'll still have to persuade the sysadmin not to have
five 'root' windows open permanently on his desktop!

Anyway, apart from general comments on the model, my primary question is
how to duplicate such permissions in the cvs server setup.  Poking around
in 'Essential CVS' (well, you've gotta use the real docs don't you?), I
see I can use $CVSROOT/CVSROOT/writers to limit write access and can use
'chmod g+s $CVSROOT' to force a common gid for files and dirs but I don't
think that will allow me sufficient distinction between developers' access
to sources and documentors' access to docs.  I want to allow access
something like:

User		type		read only		read write
me		devel / doc				source + doc
ben		devel		doc			source
laurel		devel / doc				source + doc
dean		user		source + doc
ciara		doc		source			doc

It appears to me that I can only put 'me' and 'laurel' in
$CVSROOT/CVSROOT/writers since it grants universal write permissions  (no,
it grants write permissions to dirs owned by me / laurel).  Making me, ben
and laurel members of group 'app-devel' and me, laurel and ciara members
of group 'app-doc' looks promising but how do I guarantee that the module
I commit will have the proper gid?  If $CVSROOT is gid 'app-devel' and
SGID, all commits will have gid 'app-devel' applied to them, even if they
are committed by group 'app-doc'.  

I can get around that by making parallel repositories for 'devel' and
'doc' but that isn't elegant or extensible.  Is there something I'm
missing?  A different authentication method?

Looking at the subversion docs, the svnserver application doesn't allow
any better permissions model though there may be something in the
apache/mod_dav-svn combo.

I have a bit of a dilemma regarding whether to cvs or subvert.  I've been
using cvs (but only in its most basic modes) for over a year now but
nobody else uses it at all.  I'm planning to impose one or the other on
them soonish.  Our operations server (only one, no standby, either hot or
cold), running Solaris has cvs already installed and runs a (somewhat
fragile) netscape http server.  I have the cvs server partially configured
and can set up users fairly quickly.  CVS uses the ordinary filesystem for
its repository.

Subversion will require installation of a) subversion, b) apache,
c) Berkley DB.  Subversion keeps its repository in a berkley DB rather
than directly on the filesystem.  This is a bit of a concern in a "how
will I get at the sources if subversion dies?" sense although, on the plus
side, it'll stop users meddling directly with the repository files.  

Is it a case of 'cvs is ready to go so use it' or 'take the pain of the
subversion install since the users are all starting out'?  I've gotta get
the admin to install it all too!

Anyway, thanks for listening...

Conor
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
 10:29pm  up 207 days, 14:37,  0 users,  load average: 0.24, 0.05, 0.02
Hobbiton.cod.ie
 10:18pm  up 56 days,  1:45,  1 user,  load average: 0.03, 0.02, 0.00

More information about the Techtalk mailing list