Setting up ACLs for CVS
Installation
Download the latest pre-patched version of CVSACL from the internet (http://cvsacl.sourceforge.net), then extract it.
Configuration, compilation and installation:
If CVS is properly installed with its CVSACL Patch, the command cvs --version should output:
Configuration
Preparation of the repository
If the repository doesn't exist yet
- Create the repository directory (the directory can be created anywhere, preferably in a location with sufficient space)
- Create a symbolic link to the repository
- Define the $CVSROOT variable and initialize the repository
After this operation, a CVSROOT directory will be created at the root of the repository. This directory, seen as the first module of the repository, contains all the CVS configuration files.
If the repository already exists
- Copy the
aclconfig.defaultfile from the sources to the CVSROOT folder at the root of the repository.
- Rename the file to
aclconfig
Configuration of Lockfiles
Create a .lock directory at the root of the repository (/usr/local/cvsroot) and allow full access to all users:
Edit the config file in /usr/local/cvsroot/CVSROOT/ and modify it as follows:
Configuration of users
CVSACL offers the possibility to manage access rights by group either by using system groups (/etc/group) or by using its own group file. It's preferable to use the latter method as it allows for CVS rights management completely independent from the system. To do this, edit the aclconfig file in /usr/local/cvsroot/CVSROOT and modify it as follows:
Then create the group file in /usr/local/cvsroot/CVSROOT:
The group file must be in the form "group:user1, user2, user3 ..."
Groups are totally independent of system groups and can bear any name.
Users are those from the system. You will need to create them with useradd as well as their home directory.
Configuration of ACLs
First, define "root" as the CVS owner.
This will allow them to perform all CVS tasks and administer access to the repository.
Definition of rights
Syntax of the rights assignment command:
- no access
No possible action on the repository
- read
Read-only. With these rights, only the following actions are possible: annotate, checkout, diff, export, log, rannotate, rdiff, rlog, status.
- write
This permission only allows cvs commit/checkin actions. It does not allow adding/removing a file from/to the repository; other permissions are defined for this.
- tag
This permission authorizes the cvs tag and rtag sub-commands, so it is possible to control Tag and Untag operations. The "t" permission includes the "r" permission because reading is mandatory for tagging. However, "t" does not include writing; it is not possible to commit with just this permission.
- create
The "c" permission authorizes the creation/deletion of files from/to the repository but once again this permission does not include "w"; we can only import or export files. After adding a file, it is necessary to perform a commit which will be accepted because we are adding a file, not modifying it.
- delete
"d" authorizes deletion and does not include "w"
- full access except admin rights
"a" includes all permissions listed above except ACL management rights.
- acl admin
"p" indicates that the user is an owner. They have full control of the repository and can manage ACLs.
Example of ACL
The first line authorizes reading on all directories of the repository for the group "group1"
The second line prohibits access to "module1" for the group "group2"
The third line allows "user1" to modify files in ALL subdirectories and files of "module2" (-R = recursively)