URL: <https://savannah.nongnu.org/support/?110993>
Summary: Cvs.pm: bad cvs permission setup
Group: Savannah Administration
Submitter: jing
Submitted: Tue 26 Dec 2023 10:00:52 PM JST
Category: Savane
Priority: 5 - Normal
Severity: 5 - Blocker
Status: None
Assigned to: None
Originator Email:
Operating System: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Tue 26 Dec 2023 10:00:52 PM JST By: Jing Luo <jing>

Hi,

Cvs.pm has one line in sub setup_cvs_permissions:

    # Seal CVSROOT dir; 2775 on the top dir allows group members
    # with local access to rename CVSROOT and replace it with
    # their own.
    system ('chmod', '-R', 'a-w', "$dir_cvs/CVSROOT/");

This will cause the CVSROOT to be read only, effectively cancelling all previous permission setup. The symptoms include the cvs history not being writable when committing:

> cvs commit: warning: cannot open history file `$dir_cvs/CVSROOT/history' for write: Permission denied

The comment mentions "2775 on the top dir allows group members with local access to rename CVSROOT and replace it with their own", which is not true, because we already have this in sub make_cvs_directory:

    # Make the CVSROOT ro for anybody; doing otherwise is a major security hole:
    # ancient versions of pserver, if ran as root, can be set to give root
    # access using the CVSROOT/passwd file; you also basically give local
    # access if you allow people to modify the hooks.
    system ('chown', '-R', 'root:root', "$dir_cvs/CVSROOT");
    system ('chmod', '755', "$dir_cvs/CVSROOT");

So, the solution would be either to delete the line "system ('chmod', '-R', 'a-w', "$dir_cvs/CVSROOT/");" completely, or to remove the "-R" option.

_______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/support/?110993>

_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
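
The difference between the three variants discussed in the report above, reproduced in a throwaway directory (an added example, not Savane code and not part of the original report). The function names, the temporary `$dir_cvs` and the 664 mode on `history` are assumptions standing in for the "previous permission setup"; the `chown root:root` step is left out so the script runs without root.

```shell
#!/bin/sh
# Constructed sandbox; no real repository is touched.

# Print the 10-character mode string of a path (e.g. -rw-rw-r--).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Build a throwaway $dir_cvs, apply one variant of the sealing step,
# and print the resulting modes of CVSROOT and CVSROOT/history.
#   recursive : chmod -R a-w  (the line as quoted from Cvs.pm)
#   toponly   : chmod a-w     (the "-R" option removed)
#   none      : the line deleted
seal_cvsroot() {
    variant=$1
    dir_cvs=$(mktemp -d) || return 1
    mkdir "$dir_cvs/CVSROOT"
    : > "$dir_cvs/CVSROOT/history"
    # Assumed earlier setup: directory 755 as in make_cvs_directory,
    # history left writable so commits can append to it.
    chmod 755 "$dir_cvs/CVSROOT"
    chmod 664 "$dir_cvs/CVSROOT/history"

    case $variant in
        recursive) chmod -R a-w "$dir_cvs/CVSROOT/" ;;
        toponly)   chmod a-w "$dir_cvs/CVSROOT/" ;;
        none)      ;;
        *)         rm -rf "$dir_cvs"; return 2 ;;
    esac

    printf 'CVSROOT=%s history=%s\n' \
        "$(mode_of "$dir_cvs/CVSROOT")" \
        "$(mode_of "$dir_cvs/CVSROOT/history")"

    # Restore write permission so the sandbox can be removed.
    chmod -R u+w "$dir_cvs"
    rm -rf "$dir_cvs"
}

# Show all three variants side by side.
for v in recursive toponly none; do
    printf '%-10s' "$v"; seal_cvsroot "$v"
done
```

Only the recursive variant strips the write bits from `history` itself; without `-R` the directory is sealed and the file modes set earlier survive.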