bug-cvs

Re: set group id not taking effect?


From: Mark D. Baushke
Subject: Re: set group id not taking effect?
Date: Thu, 14 Aug 2003 03:45:01 -0700

Paul Edwards <kerravon@nosppaam.w3.to> writes:

> It so happens that the directory has "s", but that is not important.
> I don't care what group new files are created under, I know they
> were just trying to do a "cvs diff", so nothing important.

Of course, 'cvs -n diff' would not need to get any locks... and you
could alternatively do things with the LockDir directive in the
CVSROOT/config file.
 
> > and your OS honors g+s directory permissions
> 
> Yes.
> 
> > and the OS allows g+s
> > executables to be honored from the mounted directory?
> 
> I think so, but I've since lost my ability to test, because the
> admins corrected the user's group overnight, so I'm back to
> the old status.

okay.

> > > Sun Solaris.
> > > CVS 1.11.6
> >
> > Yes, Solaris UFS directories may use g+rwxs permissions. Although I
> > believe it is possible for NFS to disable that support. I would hope
> > your repository is not NFS mounted.
> 
> Both the executable and the directory are on NFS mounts.  We
> have 4 machines, and it is more important to be able to compile
> fast than do checkouts fast, so the box we have for compiles
> accesses the other stuff over the NFS mount.

Note: It is a bad idea to have the repository NFS mounted... it is
better to use a client/server protocol with the server having local disk
for the repository.

For an NFS mounted filesystem, you want to look for the attributes:

        grpid
        suid or nosuid

with Solaris, I believe there are no knobs for sgid versus nosgid
attributes.
 
> > > the executable is in a directory that is allowed to have setuid,
> >
> > Good.
> >
> > > although I just realised I didn't specifically check if setgid was
> > > allowed or not.  Certainly the bit was set, but I didn't think of
> > > checking /etc/mnttab until just now.  Any ideas?
> 
> I didn't find any sign of a "nosgid", which I presume is the
> syntax for switching off set group id, given that nosuid was
> the syntax for switching off set user id.  I should have done
> a simple test yesterday, it never occurred to me that it was
> potentially having no effect whatsoever.

Okay.

> > If you want to have cvs run setgid as group cvs, you may want to
> > consider adding a '#define SETXID_SUPPORT 1' to your config.h file so
> > that things like running $EDITOR do not give your users a shell with the
> > egid of the cvs group. However, that can wait until you have things
> > working in the first place.
> 
> Now there's a trap for young players!  Thanks.

Be careful, that code path is not as well tested as other parts of the
system.

> > In the past, I have used a set-gid cvs executable with no problems. I
> > believe it should still work with cvs 1.11.6, but I have not actually
> > tried it.
> 
> Ok, I'll wait until CVS needs to be officially set up before trying again.

        Good luck,
        -- Mark
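
Added example, not part of the message above and not CVS code: one way to do the /etc/mnttab check discussed in the thread, finding the filesystem that holds a given path and reporting the suid/nosuid and grpid attributes Mark names. The host name, mount points and sample table are constructed for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in /etc/mnttab layout (tab-separated):
# special, mount point, fstype, options, mount time
sample_mnttab() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        /dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles 1060850000 \
        filer:/export/tools /opt/tools nfs rw,nosuid,hard 1060850100 \
        filer:/export/cvs /cvsroot nfs rw,grpid,hard 1060850200
}

# mount_entry PATH: read mnttab lines on stdin and print
# "mountpoint fstype options" for the longest mount point containing PATH.
mount_entry() {
    awk -F'\t' -v p="$1" '
        {
            mp = $2
            # mp holds p if mp is "/", equals p, or p continues with "/"
            hit = (mp == "/") || (p == mp) || (index(p, mp "/") == 1)
            if (hit && length(mp) > best) {
                best = length(mp)
                out = mp " " $3 " " $4
            }
        }
        END { if (out == "") exit 1; print out }'
}

# setid_report PATH: print "mountpoint fstype suid|nosuid grpid|no-grpid".
# Assumes mount points contain no whitespace.
setid_report() {
    entry=$(mount_entry "$1") || { echo "no mount found for $1"; return 1; }
    set -- $entry    # $1 = mount point, $2 = fstype, $3 = options
    case ",$3," in
        *,nosuid,*) setid=nosuid ;;
        *)          setid=suid ;;      # suid is the default when not listed
    esac
    case ",$3," in
        *,grpid,*) grp=grpid ;;
        *)         grp=no-grpid ;;
    esac
    echo "$1 $2 $setid $grp"
}

# Demo on the constructed sample; on a real host: setid_report PATH < /etc/mnttab
sample_mnttab | setid_report /opt/tools/bin/cvs
sample_mnttab | setid_report /cvsroot/CVSROOT/config
```

Run it once for the path of the cvs executable and once for the repository directory, since in the setup described they sit on different NFS mounts.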



