[Xorg] New committer process?

Alan Cox alan at lxorguk.ukuu.org.uk
Tue Jun 15 05:45:37 PDT 2004


On Mon, 2004-06-14 at 23:03, Keith Packard wrote:
> Our current CVS setup has people running cvs over ssh through separate 
> accounts on freedesktop.org.  That means the repository itself is writable 
> by all cvs users.  While cvs may respect acls, I'm not sure how to set 
> things up to prevent people from just editing the repository directly.

Linux supports file system acls nowadays (and in 2.6 SELinux roles).

> Is there some setgid/setuid (yuck) mechanism I'm unaware of?  Or should I 
> be using some other repository access mechanism?

With file system acls you could probably do it without any such changes.
Without that you'd need to do something like

	groupadd cvs
	chown root.cvs /cvs
	chmod 770 /cvs

and make cvs itself setgid cvs. That wouldn't be perfect but the failure
case is where we were anyway.

Most of the value of CVS acls is accident avoidance and policy
enforcement anyway, stopping a change being made that is against policy
but the user didn't know about etc. Just as I know my own root password I
run as a non-root user to avoid nasty messes of my own making.

The elegant solutions involve SELinux and having a "login" and a "cvs"
role which have different right sets. I'm simply not competent enough in
SELinux to help with such a proposal however.

Alan
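
Added example, not part of the original message: a read-only shell check that a host matches the layout sketched above (repository directory restricted to one group, cvs binary setgid to that group). The binary path /usr/bin/cvs and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Read-only audit of the
# layout sketched above: repository root:cvs mode 770, cvs binary setgid cvs.

# repo_locked_down DIR GROUP
# True if DIR is a directory in GROUP, owner and group have rwx,
# and "other" has no permission bits at all (the chmod 770 case).
repo_locked_down() {
    [ -n "$(find "$1" -prune -type d -group "$2" -perm -770 \
            ! -perm -004 ! -perm -002 ! -perm -001 2>/dev/null)" ]
}

# binary_is_setgid FILE GROUP
# True if FILE is a regular file in GROUP with the setgid bit set and is
# executable by others, so ordinary users run it with GROUP's rights.
binary_is_setgid() {
    [ -n "$(find "$1" -prune -type f -group "$2" -perm -2001 2>/dev/null)" ]
}

# audit_cvs_layout DIR FILE GROUP
# Prints one line per check; returns non-zero if any check fails.
audit_cvs_layout() {
    rc=0
    if repo_locked_down "$1" "$3"; then
        echo "ok:   $1 is in group $3 with no access for others"
    else
        echo "FAIL: $1 is not restricted to group $3"; rc=1
    fi
    if binary_is_setgid "$2" "$3"; then
        echo "ok:   $2 is setgid $3"
    else
        echo "FAIL: $2 is not setgid $3"; rc=1
    fi
    return $rc
}

# Example invocation; /cvs and the group name come from the message,
# the binary path is an assumption:
#   audit_cvs_layout /cvs /usr/bin/cvs cvs
```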




