This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



My resolution of File Permission Problems on Windows XP, cygwin 1.3.22


Hello again,

I dug into the permissions problem a little further and I determined that
there are two options for solving the problem short of adding cvs users as
Administrators on the cvs repository machine.

Option 1: Grant the user right "Restore files and directories" to the cvs
group

Option 2: Change the file permissions on all RCS files in the repository so
that the cvs group has "Full Control" (having "Delete" permission on the
file and/or having "Delete Subfolders and Files" permission on the parent
folder are not sufficient).

Option 2 is undesirable because it violates the cvs practice of making all
RCS files read-only for everyone and I see no reason to change that.

Option 1 is attractive because the server side part of cvs works as
expected and granting the restore permission is probably not as much of a
security hole as adding all cvs group members as members of the
Administrators group.

Having considered this issue more carefully, I don't think the permissions
problem I am seeing is really a "bug" in Cygwin or in the Cygwin cvs
distribution.  This is an example of a case where Windows file and directory
permissions simply do not map cleanly to Unix-style permissions.  I don't
think there is a good way to change Cygwin or Cygwin cvs to "fix" this since
Windows only permits cvs commit operations for non-owners of an RCS file
when the user has "Full Control" of the file.  Certainly it would not be
appropriate for Cygwin to somehow give all users permission to restore files
either.

I would recommend that anyone who wants to serve a cvs repository on a
Windows XP (and possibly Windows 2000) machine follow the recommendations in
the Fogel and Bar "Open Source Development with CVS" book (see
http://cvsbook.red-bean.com/) and also grant the cvs group the "Restore
files and directories" user permission.  This permission can be granted from
Control Panel | Administrative Tools | Local Security Policy, select the
Local Policies.User Rights and Assignment and double click "Restore files
and directories".  Now add the cvs group to the default of Administrators
and Backup Operators.

-Mark
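
Added example, not part of the original message or of Cygwin/cvs: a check that the "Restore files and directories" right (SeRestorePrivilege) ended up with only the default holders plus the cvs group, by parsing a `secedit /export /areas USER_RIGHTS` dump. The sample export, and the cvs group and a user appearing in it by name rather than by SID, are constructed assumptions.

```shell
#!/bin/sh
# Added example: list who holds "Restore files and directories"
# (SeRestorePrivilege). On the server the export comes from
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# and is usually UTF-16: iconv -f UTF-16 -t UTF-8 rights.inf > rights.txt

# Defaults named in the message: Administrators and Backup Operators.
DEFAULT_HOLDERS="*S-1-5-32-544 *S-1-5-32-551"

# holders PRIVILEGE FILE: print one account or SID per line.
holders() {
    awk -v priv="$1" '
        { sub(/\r$/, "") }                       # tolerate CRLF line ends
        /^\[/ { in_sec = ($0 == "[Privilege Rights]"); next }
        in_sec {
            split($0, kv, "=")
            key = kv[1]; gsub(/[ \t]/, "", key)
            if (key != priv) next
            n = split(kv[2], ids, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", ids[i])
                if (ids[i] != "") print ids[i]
            }
        }' "$2"
}

# unexpected FILE GROUP: holders that are neither a default nor GROUP.
unexpected() {
    holders SeRestorePrivilege "$1" | while IFS= read -r h; do
        case " $DEFAULT_HOLDERS " in *" $h "*) continue ;; esac
        [ "$h" = "$2" ] || printf '%s\n' "$h"
    done
}

# Constructed sample export; "cvs" and "markp" listed by name is an assumption.
sample_policy() {
cat <<'EOF'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,cvs,markp
EOF
}

tmp=$(mktemp) && sample_policy > "$tmp"
unexpected "$tmp" cvs    # prints: markp
rm -f "$tmp"
```

Run against exports taken before and after the policy change, the only new holder should be the cvs group; any other name means the right was granted more widely than intended.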

----- Original Message -----
From: "Mark Priest" <mpriest@erols.com>
To: <cygwin@cygwin.com>
Sent: Friday, July 04, 2003 4:30 PM
Subject: Re: new Info on File Permission Problems on Windows XP, cygwin
1.3.22


> Larry,
>
> Yes, the permissions problem only occurs for members of the cvs group that
> are not also in the Administrators group.  Users that are members of the cvs
> group, but not the Administrators group, can only commit files when they are
> the current owner of the RCS file in the repository.  Members of cvs that
> are in the Administrators group can commit files regardless of whether they
> currently own the RCS file.
>
> I should mention that it does not matter whether the /etc/group file
> indicates that the cvs user is in the Administrator group or not.  It works
> as long as the /etc/group file shows that the user is in the cvs group.  The
> only thing that seems to matter is whether or not the user is a member of
> the Administrator group as far as Windows is concerned.
>
> Interestingly, if I try to use the cp, mv, or rm commands to overwrite or
> delete the RCS file manually in a Cygwin (or DOS) command window I cannot do
> it unless I own that file even if I am in the Administrator group.  I
> thought this is what cvs is doing for a commit operation so I am not sure
> why I can't do it on the command line myself as the same user.
>
> Thanks,
> Mark
>
> ----- Original Message -----
> From: "Larry Hall" <cygwin-lh@cygwin.com>
> To: "Mark Priest" <mpriest@erols.com>
> Cc: <cygwin@cygwin.com>
> Sent: Friday, July 04, 2003 12:33 PM
> Subject: Re: new Info on File Permission Problems on Windows XP, cygwin
> 1.3.22
>
>
> > Hi Mark,
> >
> > OK, I'll take your word for it.  I had a quick look at the User's Guide
> > for the sections discussing 'ntsec' and didn't see anything obviously
> > referring to a 'patch', with the possible exception of the discussion of
> > 'setuid'.  But that doesn't mean that the document doesn't use this
> > terminology in reference to the 'ntsec' functionality.  My main reason
> > for asking was that 'patch' indicates to me something that is at least
> > a recent change, which 'ntsec' is not.  I wanted to make sure I understood
> > that you were talking about this long-standing functionality and not
> > something new/different.
> >
> > I agree that you shouldn't need to set the group to 'Administrators' to
> > get this working.  It may well indicate that there is a bug somewhere in
> > cvs or in cygwin's permissions code.  I suppose you could try running with
> > your CYGWIN environment variable set to 'nontsec' as a rough cut.  BTW,
> > 'ntsec' is the default setting for a while now, so it's not necessary
> > that you set it in your CYGWIN environment variable.
> >
> > Just curious, are any of the users in the 'cvs' group also in the
> > 'Administrators' group?  If so, are your permissions problems only
> > evident between the 'have' and 'have-not' users?
> >
> > Larry
> >
> >
> > Mark Priest wrote:
> >
> > > Larry,
> > >
> > > I am referring to the ntsec setting for the CYGWIN environment variable.  It
> > > is described as the ntsec patch in the user document so I thought that was
> > > the name people were familiar with.
> > >
> > > Thanks,
> > > Mark
> > >
> > > ----- Original Message -----
> > > From: "Larry Hall" <cygwin-lh@cygwin.com>
> > > To: "Mark Priest" <mpriest@erols.com>
> > > Cc: <cygwin@cygwin.com>
> > > Sent: Thursday, July 03, 2003 5:31 PM
> > > Subject: Re: new Info on File Permission Problems on Windows XP, cygwin 1.3.22
> > >
> > >
> > >
> > >>Just curious.  What "ntsec patch" are you referring to?
> > >>
> > >>Larry
> > >>
> > >>Mark Priest wrote:
> > >>
> > >>
> > >>>Hello,
> > >>>
> > >>>I was able to fix the problem with file permissions by adding the cvs users
> > >>>into the Administrators group.  This should not be necessary from my
> > >>>understanding of Cygwin and the ntsec patch.  This is a bit of a security
> > >>>hole since these users have no reason to be Administrators on my Windows XP
> > >>>Professional server.  I think that the permission problem I am experiencing
> > >>>in the cvs repository is some kind of bug in the ntsec patch.
> > >>>
> > >>>----- Original Message -----
> > >>>From: "Mark Priest" <mpriest@erols.com>
> > >>>To: <cygwin@cygwin.com>
> > >>>Sent: Thursday, July 03, 2003 3:33 AM
> > >>>Subject: File Permission Problems on Windows XP, cygwin 1.3.22
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>>Hello,
> > >>>>
> > >>>>I am serving a cvs repository from a Windows XP Professional machine under
> > >>>>Cygwin 1.3.22 and I believe that I am having a file permissions problem in
> > >>>>the cvs repository.  My repository is located at /cvs and all cvs users
> > >>>>belong to the "cvs" group as their primary group.  All directories in the
> > >>>>repository have rwx permissions for this group as well as for the owner.
> > >>>>Therefore, I should be able to replace the ,v files with a new version as
> > >>>>part of a commit for any users in the cvs group.  However, only the owner of
> > >>>>each ,v file (i.e. the developer that added or last modified the file) can
> > >>>>successfully commit.  The CYGWIN environment variable is set to 'ntsec'.
> > >>>>
> > >>>>When I commit files from a user that is not the owner of the file the commit
> > >>>>fails as follows:
> > >>>>
> > >>>>cvs -t commit -m "try commit" readme.txt (in directory C:\dev\bar)
> > >>>>cvs commit: notice: main loop with CVSROOT=:ext:markp@192.168.2.105:/cvs
> > >>>>-> Starting server: plink.exe 192.168.2.105 -i
> > >>>>C:\keys\mpriest_private.PPK -l markp cvs server
> > >>>>-> Sending file `readme.txt' to server
> > >>>>S-> write_lock(/cvs/bar)
> > >>>>S-> checkout (/cvs/bar/readme.txt,v, 1.1.1.1, , (function))
> > >>>>S-> Parse_Info (/cvs/CVSROOT/commitinfo, bar, ALL)
> > >>>>Checking in readme.txt;
> > >>>>/cvs/bar/readme.txt,v  <--  readme.txt
> > >>>>S-> Parse_Info (/cvs/CVSROOT/verifymsg, bar, not ALL)
> > >>>>S-> checkout (/cvs/bar/readme.txt,v, 1.1, -ko, /tmp/cvs003472)
> > >>>>new revision: 1.2; previous revision: 1.1
> > >>>>S-> rename(/cvs/bar/,readme.txt,,/cvs/bar/readme.txt,v)
> > >>>>cvs [server aborted]: cannot rename file /cvs/bar/,readme.txt, to
> > >>>>/cvs/bar/readme.txt,v: Permission denied
> > >>>>S-> unlink_file(/cvs/bar/,readme.txt,)
> > >>>>S-> Lock_Cleanup()
> > >>>>
> > >>>>I have seen this error message discussed on the cvs mailing list archives
> > >>>>but those discussions were only relevant for cases where people hosted the
> > >>>>repository on a network share.  My /cvs repository is in a local hard disk
> > >>>>directory.
> > >>>>
> > >>>>When I try to emulate a file move as this same user, markp, directly in the
> > >>>>repository at the cygwin command prompt I experience the same permission
> > >>>>error as follows:
> > >>>>
> > >>>>markp@markonius /cvs/bar
> > >>>>$ id
> > >>>>uid=1019(markp) gid=1015(cvs) groups=513(None),545(Users),1015(cvs)
> > >>>>
> > >>>>markp@markonius /cvs/bar
> > >>>>$ pwd
> > >>>>/cvs/bar
> > >>>>
> > >>>>markp@markonius /cvs/bar
> > >>>>$ ls -alF
> > >>>>total 3
> > >>>>drwxrwxr-x+   2 cvs      cvs             0 Jul  3 02:48 ./
> > >>>>drwxrwxr-x+   7 cvs      cvs             0 Jun 30 17:16 ../
> > >>>>-r--r--r--    1 markp    cvs           542 Jun 30 17:27 bar.c,v
> > >>>>-r--r--r--    1 markp    cvs           406 Jun 30 17:16 bar.h,v
> > >>>>-r--r--r--    1 cvsuser  cvs           423 Jun 30 17:33 readme.txt,v
> > >>>>
> > >>>>markp@markonius /cvs/bar
> > >>>>$ cp readme.txt,v tmp
> > >>>>
> > >>>>markp@markonius /cvs/bar
> > >>>>$ ls -alF
> > >>>>total 4
> > >>>>drwxrwxr-x+   2 cvs      cvs             0 Jul  3 02:50 ./
> > >>>>drwxrwxr-x+   7 cvs      cvs             0 Jun 30 17:16 ../
> > >>>>-r--r--r--    1 markp    cvs           542 Jun 30 17:27 bar.c,v
> > >>>>-r--r--r--    1 markp    cvs           406 Jun 30 17:16 bar.h,v
> > >>>>-r--r--r--    1 cvsuser  cvs           423 Jun 30 17:33 readme.txt,v
> > >>>>-r--r--r--    1 markp    cvs           423 Jul  3 02:50 tmp
> > >>>>
> > >>>>markp@markonius /cvs/bar
> > >>>>$ mv tmp readme.txt,v
> > >>>>mv: cannot move `tmp' to `readme.txt,v': Permission denied
> > >>>>
> > >>>>markp@markonius /cvs/bar
> > >>>>$ echo $CYGWIN
> > >>>>ntsec
> > >>>>
> > >>>>markp@markonius /cvs/bar
> > >>>>
> > >>>>
> > >>>>When I perform this same operation as the file owner the attempt succeeds
> > >>>>(and so does a regular CVS commit operation) as follows:
> > >>>>
> > >>>>cvsuser@markonius /cvs/bar
> > >>>>$ id
> > >>>>uid=1016(cvsuser) gid=1015(cvs) groups=513(None),545(Users),1015(cvs)
> > >>>>
> > >>>>cvsuser@markonius /cvs/bar
> > >>>>$ echo $CYGWIN
> > >>>>ntsec
> > >>>>
> > >>>>cvsuser@markonius /cvs/bar
> > >>>>$ pwd
> > >>>>/cvs/bar
> > >>>>
> > >>>>cvsuser@markonius /cvs/bar
> > >>>>$ ls -alF
> > >>>>total 3
> > >>>>drwxrwxr-x+   2 cvs      cvs             0 Jul  3 02:53 ./
> > >>>>drwxrwxr-x+   7 cvs      cvs             0 Jun 30 17:16 ../
> > >>>>-r--r--r--    1 markp    cvs           542 Jun 30 17:27 bar.c,v
> > >>>>-r--r--r--    1 markp    cvs           406 Jun 30 17:16 bar.h,v
> > >>>>-r--r--r--    1 cvsuser  cvs           423 Jun 30 17:33 readme.txt,v
> > >>>>
> > >>>>cvsuser@markonius /cvs/bar
> > >>>>$ cp readme.txt,v tmp
> > >>>>
> > >>>>cvsuser@markonius /cvs/bar
> > >>>>$ ls -alF
> > >>>>total 4
> > >>>>drwxrwxr-x+   2 cvs      cvs             0 Jul  3 02:53 ./
> > >>>>drwxrwxr-x+   7 cvs      cvs             0 Jun 30 17:16 ../
> > >>>>-r--r--r--    1 markp    cvs           542 Jun 30 17:27 bar.c,v
> > >>>>-r--r--r--    1 markp    cvs           406 Jun 30 17:16 bar.h,v
> > >>>>-r--r--r--    1 cvsuser  cvs           423 Jun 30 17:33 readme.txt,v
> > >>>>-r--r--r--    1 cvsuser  cvs           423 Jul  3 02:53 tmp
> > >>>>
> > >>>>cvsuser@markonius /cvs/bar
> > >>>>$ mv tmp readme.txt,v
> > >>>>
> > >>>>cvsuser@markonius /cvs/bar
> > >>>>$ ls -alF
> > >>>>total 3
> > >>>>drwxrwxr-x+   2 cvs      cvs             0 Jul  3 02:53 ./
> > >>>>drwxrwxr-x+   7 cvs      cvs             0 Jun 30 17:16 ../
> > >>>>-r--r--r--    1 markp    cvs           542 Jun 30 17:27 bar.c,v
> > >>>>-r--r--r--    1 markp    cvs           406 Jun 30 17:16 bar.h,v
> > >>>>-r--r--r--    1 cvsuser  cvs           423 Jul  3 02:53 readme.txt,v
> > >>>>
> > >>>>I have attached the results of cygcheck to this email and I have the CYGWIN
> > >>>>environment variable set to 'ntsec'.
> > >>>>
> > >>>>Please help me understand what is wrong with my repository file permissions.
> > >>>>
> > >>>>Thanks,
> > >>>>Mark
> > >>
> > >>
> > >>--
> > >>Larry Hall                              http://www.rfk.com
> > >>RFK Partners, Inc.                      (508) 893-9779 - RFK Office
> > >>838 Washington Street                   (508) 893-9889 - FAX
> > >>Holliston, MA 01746
> > >>
> >
> >
>
>
>
> --
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
> Problem reports:       http://cygwin.com/problems.html
> Documentation:         http://cygwin.com/docs.html
> FAQ:                   http://cygwin.com/faq/
>


