CVS Accesslist Patch
by Leonardo Eloy
Latest version is milestone-one, 0.3.
Latest compatible CVS versions are 1.11.6 and 1.12.1.
Last update was 27/06/2003.
The CVS Accesslist Patch is a safe way to keep users accessing only the modules you specify.
It works in a simple way: a person can only perform CVS operations if he has a copy of the original module on his machine. Let's say that johnny is trying to checkout the test module. Johnny doesn't have access to that module, so he won't be able to check it out.
Thus, Johnny-boy won't be able to perform an update, add, log, remove, etc. command, because he doesn't have a checked-out copy of the module on his machine. Simple, huh?
In this first version, the patch is only implemented in the checkout command (because it's my current need :P), but I do intend to keep going with this project and implement a better security system for CVS. Since the check is applied at checkout only, the other commands are not themselves checked against the accesslist; the protection rests on the user having no working copy of the module. In the Project Planning section, I show the feature timeline that I intend to follow...
I did this patch because I needed a better way to distinguish who can access what. The system user/group method is as effective as it is hard to set up and maintain, so I tried to bypass the problem, reading tons of articles and how-tos, etc.
This example will show whether you really need this feature in CVS:
- You have a group of Visual Basic programmers, who access only Visual Basic sources.
- You have another group of programmers, Java programmers.
- You have a group of analysts who need to access some VB sources and some Java sources.
The following table shows the module distribution in CVS:
Module | Description |
vb-src | Visual Basic Sources |
java-src | Java Sources |
docs | Documentation |
The users table:
Username | Function | Modules to Access |
jtodd | VB Programmer | vb-src |
hmuller | VB and Java Programmer | vb-src,java-src |
johnnyboy | Java Programmer | java-src |
akewl | System Analyst | vb-src,java-src |
rulrich | The docs guy | docs |
shead | System Analyst | vb-src,java-src |
Our accesslist file would look like this:
# Accesslist file to the development group:
jtodd,hmuller,akewl,shead vb-src
hmuller,johnnyboy,akewl,shead java-src
ALL docs
PROJECT PLANNING
I designed a set of features that the accesslist patch should provide. Subscribe to our mailing list so you can be updated with the latest project info.
Release Name | Description | Planned Features | Date Start | Date End |
milestone-one | Initial release | - Module locking in checkout operations | 03/06/2003 | 08/06/2003 |
milestone-two | Bug fix release | - Bug fixes against milestone-one - Accesslist now will have a yes/no option in the config file. - Yes/no option for the modules which aren't listed in the accesslist file to be enabled for checkout or not. | 10/06/2003 | 17/06/2003 |
new-age-one | Enhancement release (RFEs will be attended) | - The source code will conform to the HACKING file. - Algorithm improvement - Now users won't be listed in the accesslist file; they will form a group (such as development, documentation, etc.) and the group will be listed in the file. | - | - |
new-age-two | Bug fix, enhancement release | - Bug fixes against new-age-one - Addition of the ability to attribute read-only checkouts - Groups of modules will be available | - | - |
new-age-three | Bug fix release (some RFEs will be introduced) | - Bug fixes against new-age-one and new-age-two - Full support for user groups and module groups, read-only checkouts | - | - |
nova-era-one | Enhancement release (RFEs will be attended) | - Ability to perform operations per-file. E.g.: a file is read-only for that user/group, the other is not, in the same module. | | |
nova-era-two | Bug fix release | - Full accesslist patch intended features release - Next releases will be maintenance only. | - | - |
DOWNLOADING
Downloads here.
CVS can be found at http://www.cvshome.org.
COMPILING AND INSTALLING
Use these steps to apply the patch correctly (if you have the source code; if not, download the patched CVS source code):
- Download the latest CVS source version compatible with the accesslist patch (http://www.cvshome.org)
- Download the latest accesslist patch version (see Downloading)
# tar -xzvf cvs-1.11.5.tar.gz
# cd cvs-1.11.5
# patch -p1 < cvs-accesslist-patch-0.2.patch
(okay, the patch has been applied!)
# ./configure --enable-client --enable-server
(here you can add your configure options...)
# make
# make install
That's all!
USING
Okay, now let's take a step-by-step lesson on how to configure CVS to test the patch's features...
Our repository will be located at /cvs, so, create it:
# mkdir /cvs
Add an entry to /etc/inetd.conf:
cvspserver stream tcp nowait root /usr/bin/cvs /usr/bin/cvs --allow-root=/cvs pserver
Another entry to /etc/services (if there isn't one):
cvspserver 2401/tcp # cvspserver
cvspserver 2401/udp # cvspserver
Restart inetd:
# ps -ef | grep inetd
# kill -HUP <pid>
Now, we need to create our CVSROOT:
# cd /cvs
# cvs -d :local:/cvs init
Our CVS root directory has been created. We need to configure some stuff:
- add two example entries in the passwd file.
- modify our config file to disable system user logins in CVS
Go to /cvs/CVSROOT and create the passwd file:
# vi passwd
test1::root
test2::root
(I do not recommend running CVS server as root)
We need to add an entry to the accesslist file:
# cd /cvs/CVSROOT
# vi accesslist
ALL CVSROOT
I know it's controversial, but we'll need it so we can checkout the CVSROOT.
Log in to the CVS pserver, but first set your CVSROOT environment variable.
# CVSROOT=:pserver:test1@localhost:/cvs
# export CVSROOT
# cd /tmp
# cvs login (just press Enter as password)
# cvs checkout CVSROOT
# cd CVSROOT
# vi config
Uncomment the first option:
SystemAuth=no
Let's assign the permissions:
I want user test2 to be able to edit the CVSROOT, test-o and test-i modules; test1 may only access the test-i module.
Remove the line we added before (ALL CVSROOT):
# vi accesslist
test2 CVSROOT
test1,test2 test-i
test2 test-o
(NOTE 1: You MUST provide the user list separated by commas, followed by a WHITESPACE, then the module name.)
(NOTE 2: Modules which aren't listed in the accesslist file will be enabled for checkout. In the next release, this behaviour will be configurable in the config file.)
Let's commit our changes:
# cvs update
# cvs commit -m "Initial configuration"
Let's suppose you've imported some files into the test-o and test-i modules.
With the accesslist file OK, we can proceed:
(as the user test1):
# CVSROOT=:pserver:test1@localhost:/cvs
# export CVSROOT
# cd /tmp
# cvs checkout test-i
Updating test-i .
(normal CVS checkout operation)
# cvs checkout test-o
cvs server: cannot access module `test-o': Operation not permitted
# cvs checkout CVSROOT
cvs server: cannot access module `CVSROOT': Operation not permitted
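The file format from NOTE 1 and NOTE 2 and the checkout results of the test1 session above, as an added C example that is not the patch's own code: `list_has_user` and `accesslist_allows` are hypothetical names, and it assumes that lines for the same module add up and that `ALL` matches every user. Comparing whole comma-separated entries keeps `test1` from matching a longer name such as `test10`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the accesslist from the walkthrough above. */
static const char SAMPLE_ACL[] =
    "test2 CVSROOT\n"
    "test1,test2 test-i\n"
    "test2 test-o\n";

/* 1 if `user` is a whole entry of the n-byte comma-separated list, or the
 * list contains ALL. Whole-entry compare: "test1" must not match "test10". */
static int list_has_user(const char *list, size_t n, const char *user)
{
    size_t ulen = strlen(user);
    for (size_t i = 0, len; i < n; i += len + 1) {
        for (len = 0; i + len < n && list[i + len] != ','; len++) {}
        if ((ulen && len == ulen && !memcmp(list + i, user, len)) ||
            (len == 3 && !memcmp(list + i, "ALL", 3)))
            return 1;
    }
    return 0;
}

/* 1 if `user` may check out `module`. Assumptions of this hypothetical
 * helper: lines for one module add up; unlisted modules are open (NOTE 2). */
int accesslist_allows(const char *acl, const char *user, const char *module)
{
    int listed = 0;
    while (*acl) {
        const char *line = acl;
        size_t ulen = strcspn(line, " \t\r\n");            /* user list */
        const char *mod = line + ulen + strspn(line + ulen, " \t");
        size_t mlen = strcspn(mod, " \t\r\n");             /* module name */
        acl += strcspn(acl, "\n");
        acl += (*acl == '\n');                             /* next line */
        if (*line == '#' || ulen == 0) continue;           /* comment/blank */
        if (mlen != strlen(module) || memcmp(mod, module, mlen) != 0) continue;
        listed = 1;
        if (list_has_user(line, ulen, user)) return 1;
    }
    return !listed;
}

int main(void)
{
    printf("%d\n", accesslist_allows(SAMPLE_ACL, "test1", "test-o"));
    return 0;
}
```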
CHANGELOG
Last ChangeLog:
RELEASE -- milestone-one --
0.1: 06/03/2006
leloy - leloy@users.sourceforge.net:
- Development started
0.2: 06/04/2006
leloy - leloy@users.sourceforge.net:
- Gave up of CVS procedures and made my very own C-like ops...
- Added a new procedure: accesslist_has_user() which returns 1 if the
user has been found in the current buffered line
- Added support for multiple users in the same module
0.3: 06/06/2006
leloy - leloy@users.sourceforge.net:
- Re-generated patch for compatibility with CVS 1.11.6 and 1.12.1
CONTACT INFO
Drop me a line: leloy@users.sourceforge.net
COPYRIGHT
CVS:
Copyright (c) 1993-1994 Brian Berliner
Copyright (c) 1992 Brian Berliner and Jeff Polk
Copyright (c) 1989-1992, Brian Berliner
All Rights Reserved
This homepage:
Copyright (c) 2003 Leonardo Eloy
All Rights Reserved
I do support GNU.
GNU's not Unix!
LICENSE
CVS and the CVS Accesslist Patch are governed by the GNU General Public License.