2007-06-13 09:48 AEST by Arthur Barrett - Users require "default" read ACL to access branch when acmode=normal.
Customer reports:
I am able to apply acl for a specific user:
cvs chacl -a read,write,create -u <user ID> <dir>
When the user executes:
cvs co <dir>
The files are checked out.
If I try to apply acl on a specific branch:
cvs chacl -a read,write,create -u <user ID> -r <branch> <dir>
When the client (command line cvs) executes:
cvs co -r <branch> <dir>
the following is the result:
cvs checkout: in directory .:
cvs checkout: cannot open CVS/Entries for reading: No such file or directory
Explanation:
There are three types of ACL in CVSNT:
* default
* Trunk
* Branch
Under certain circumstances a user can be granted permission on a
module/branch combination, but not be able to "see" that the module exists in
order to check it out.
This is the equivalent "problem" on Windows to the "traverse" right.
The "traverse" right gives the user the ability to "find" the directory/path
to which they have access.
Setting an ACL on the "root" using the user/branch combination does NOT help.
cvs rchacl -a read -u svetlanab -r rel-7-1patches .
Workaround:
The workaround is to create a default ACL, a branch ACL and a Trunk ACL, e.g.:
cvs rlsacl .
Directory: <root>
Owner: <not set>
user=svetlanab,branch=HEAD
none()
user=svetlanab,branch=rel-7-1patches
read
user=super_user
read
write
create
tag
control
user=svetlanab
read()
<default>
Do this by:
cvs rchacl -a read,write,create -u svetlanab -r rel-7-1patches source
setting ACL for directory source
cvs rchacl -n -a read -u svetlanab .
setting ACL for directory .
cvs rchacl -n -a none -u svetlanab -r HEAD .
setting ACL for directory .
(repeat above step for any other branches the user should NOT have access to).
RESOLUTION:
We are currently investigating this issue for a more permanent solution.
Changes to the ACL code require considerable evaluation by our development and
security teams to ensure that no unwanted side effects are created - therefore
we are not scheduling any changes for this problem in the 2.5.03 or 2.5.04
releases.
Meanwhile this documentation will be added to the 2.5.04 release of the eBook.
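
Added example (not part of the original report and not CVSNT code): a small shell helper that prints, without running them, the three workaround commands above for one user, including the repeated "none" step for each further branch the user should not reach. The function names and the name-validation rule are assumptions; the cvs flags are only the ones shown in the workaround.

```shell
#!/bin/sh
# Added example: prints the rchacl sequence from the workaround for review.
# valid_name and branch_acl_workaround are hypothetical helper names.

# Assumed rule: accept only plain names, so a value can never be read as an
# extra option or split into several arguments when the line is executed.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# usage: branch_acl_workaround USER MODULE ALLOWED_BRANCH [DENIED_BRANCH...]
branch_acl_workaround() {
    if [ "$#" -lt 3 ]; then
        echo "usage: branch_acl_workaround USER MODULE ALLOWED_BRANCH [DENIED_BRANCH...]" >&2
        return 2
    fi
    for arg in "$@"; do
        valid_name "$arg" || { echo "invalid name: $arg" >&2; return 2; }
    done
    user=$1
    module=$2
    allowed=$3
    shift 3
    # The workaround denies HEAD, so the permitted branch cannot be HEAD,
    # and it must not appear in the deny list either.
    for b in HEAD "$@"; do
        if [ "$b" = "$allowed" ]; then
            echo "branch $allowed is both allowed and denied" >&2
            return 2
        fi
    done
    # 1. branch ACL on the module
    echo "cvs rchacl -a read,write,create -u $user -r $allowed $module"
    # 2. default read ACL on the root, so the user can find the module
    echo "cvs rchacl -n -a read -u $user ."
    # 3. "none" on HEAD and on every other branch the user should NOT access
    for b in HEAD "$@"; do
        echo "cvs rchacl -n -a none -u $user -r $b ."
    done
}

# Reproduces the three commands listed in the workaround.
branch_acl_workaround svetlanab source rel-7-1patches
```

After running the printed commands, cvs rlsacl . should list the default, HEAD and branch entries for the user as in the listing above.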