Re: set group id not taking effect?
From: Paul Edwards
Subject: Re: set group id not taking effect?
Date: Thu, 14 Aug 2003 09:06:58 GMT
"Mark D. Baushke" <mdb@cvshome.org> wrote in message
news:mailman.386.1060793876.29551.bug-cvs@gnu.org...
> Paul Edwards <kerravon@nosppaam.w3.to> writes:
>
> > My repository is under a particular unix group, say groupa.
> >
> > I have a user who is not in groupa.
> >
> > No problem, I just did a chmod g+s cvs
That was on the executable.
> > and asked them to try again.
> >
> > Nope, it fails because $CVSROOT/CVSROOT is not writable.
> > Indeed, it is not world writable, but I expected the setgid to take
> > care of that.
>
> The $CVSROOT/CVSROOT directory is group "cvs"
No, it was groupa.
> and had g+rwxs permissions
It so happens that the directory has "s", but that is not important.
I don't care what group new files are created under, I know they
were just trying to do a "cvs diff", so nothing important.
> and your OS honors g+s directory permissions
Yes.
> and the OS allows g+s
> executables to be honored from the mounted directory?
I think so, but I've since lost my ability to test, because the
admins corrected the user's group overnight, so I'm back to
the old status.
> > Sun Solaris.
> > CVS 1.11.6
>
> Yes, solaris UFS directories may use g+rwxs permissions. Although I
> believe it is possible for NFS to disable that support. I would hope
> your repository is not NFS mounted.
Both the executable and the directory are on NFS mounts. We
have 4 machines, and it is more important to be able to compile
fast than do checkouts fast, so the box we have for compiles
accesses the other stuff over the NFS mount.
> > the executable is in a directory that is allowed to have setuid,
>
> Good.
>
> > although I just realised I didn't specifically check if setgid was
> > allowed or not. Certainly the bit was set, but I didn't think of
> > checking /etc/mnttab until just now. Any ideas?
I didn't find any sign of a "nosgid", which I presume is the
syntax for switching off set group id, given that nosuid was
the syntax for switching off set user id. I should have done
a simple test yesterday, it never occurred to me that it was
potentially having no effect whatsoever.
> If you want to have cvs run setgid as group cvs, you may want to
> consider adding a '#define SETXID_SUPPORT 1' to your config.h file so
> that things like running $EDITOR do not give your users a shell with the
> egid of the cvs group. However, that can wait until you have things
> working in the first place.
Now there's a trap for young players! Thanks.
> In the past, I have used a set-gid cvs executable with no problems. I
> believe it should still work with cvs 1.11.6, but I have not actually
> tried it.
Ok, I'll wait until CVS needs to be officially set up before trying again.
BFN. Paul.
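
The check discussed in the message above (is the setgid bit set on the executable, and does the mount holding it carry nosuid), as an added example that is not part of the original post. The function names and the sample mount table are constructed for illustration; the rows follow the /etc/mnttab field order (special, mount point, fstype, options, time).

```shell
#!/bin/sh
# Added example. Constructed sample rows in /etc/mnttab field order:
# special, mount point, fstype, options, time.
SAMPLE_MNTTAB='/dev/dsk/c0t0d0s0 / ufs rw,suid,dev=800000 1060700000
fileserver:/export/tools /opt/tools nfs rw,nosuid,dev=3d00001 1060700100
fileserver:/export/cvs /opt/tools/cvs nfs rw,suid,dev=3d00002 1060700200'

# Print the option string of the mount holding path $1.
# $2 is an optional mnttab-format file; without it the sample is used.
mount_opts_for() {
    if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_MNTTAB"; fi |
    awk -v p="$1" '
        {
            mp = $2
            # A mount holds the path if it is "/", the path itself, or a
            # parent directory; the longest such mount point wins.
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > best) { best = length(mp); opts = $4 }
        }
        END { print opts }'
}

# Succeed if the mount holding path $1 carries the nosuid option.
mount_has_nosuid() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on executable $1: 0 = setgid bit set and no nosuid on its mount,
# 1 = setgid bit not set, 2 = mount is flagged nosuid.
check_setgid_exec() {
    [ -g "$1" ] || { echo "$1: setgid bit not set"; return 1; }
    if mount_has_nosuid "$1" "$2"; then
        echo "$1: mount options include nosuid"; return 2
    fi
    echo "$1: setgid bit set, mount not flagged nosuid"
}
```

On a live system the second argument would be the mount table file, for example check_setgid_exec /path/to/cvs /etc/mnttab.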