[cvsnt] CVS and groups

Thu Jun 19 12:34:22 BST 2003

Our users can be in multiple groups. We want to have a
CVS repository for a group protected using group access.
This is not too hard on a single machine. The user does
newgrp before accessing the repository. My problem is
to make this available in a server based solution.

   Q1. How does Sourceforge do it?

It looks like a nice job for CVSNT. At least on NTFS the
user can access all files that he can access via any
group. And indeed this works great using :sspi: access.
Unfortunately we want to access from unix also. To make
gserver work I need to have "impersonation" working.
Unfortunately I don't have the required privilege for
my SYSTEM account. [If you do it without that privilege
you have the effect that you can import a module but then
you can't check it out!]

So I thought I'd try running the server on linux and
using gserver everywhere. But the user can only access
repositories based on his default group membership.

So I switched to ssh access. We have kerberized ssh so
that will work nicely. On my server the 'sg' command sets
the group for a single command. So I want to do

	sg repository-group cvs server

The only way I could figure out to do that was to have
a script on the server for each repository with the
name cvs-GROUPNAME.sh with the line 'sg GROUPNAME cvs $@'
and set the CVS_SERVER environment variable on the client
before running cvs. 

   Q2. Anybody got a better idea?

How do I set that in wincvs?

If the repository directory has the setgid bit set then
it can only be used by users in the group of the directory.
So it seemed to me that cvs running in server mode
should in that case try to change group to the group
of the directory. However it is not easy to do. As far
as I could work out the only way would be to effectively
copy the code from newgrp.c into cvs to be run just before
changing euid and egid.

Bob Smart

P.S. Has anyone tried vesta (www.vestasys.org)?