<div id="File-permissions"></div>
<div class="header">
<p>
Next: [[cvs: File Permission issues specific to Windows#File Permission issues specific to Windows|Windows permissions]], Previous: [[cvs: Where files are stored within the repository#Where files are stored within the repository|Repository files]], Up: [[cvs: How data is stored in the repository#How data is stored in the repository|Repository storage]] &nbsp; |[[cvs: Index#SEC_Contents|Contents]]||[[cvs: Index#Index|Index]]|</p>
</div>

----

<div id="File-permissions-1"></div>
==== File permissions ====
<div id="index-Security_002c-file-permissions-in-repository"></div>
<div id="index-File-permissions_002c-general"></div>
<div id="index-Permissions_002c-general"></div>
<div id="index-Group"></div>
<div id="index-Read_002donly-files_002c-in-repository"></div>
All &lsquo;<code>,v</code>&rsquo; files are created read-only, and you
should not change the permission of those files.  The
directories inside the repository should be writable by
the persons that have permission to modify the files in
each directory.  This normally means that you must
create a UNIX group (see group(5)) consisting of the
persons that are to edit the files in a project, and
set up the repository so that it is that group that
owns the directory.
(On some systems, you also need to set the set-group-ID-on-execution bit
on the repository directories (see chmod(1)) so that newly-created files
and directories get the group-ID of the parent directory rather than
that of the current process.)


This means that you can only control access to files on
a per-directory basis.

Note that users must also have write access to check
out files, because <small>CVS</small> needs to create lock files
(see [[cvs: Several developers simultaneously attempting to run CVS#Several developers simultaneously attempting to run CVS|Concurrency]]).  You can use LockDir in CVSROOT/config
to put the lock files somewhere other than in the repository
if you want to allow read-only access to some directories
(see [[cvs: The CVSROOT%47config configuration file#The CVSROOT/config configuration file|config]]).

Also note that users must have write access to the
&lsquo;<tt>CVSROOT/val-tags</tt>&rsquo; file.  <small>CVS</small> uses it to keep
track of what tags are valid tag names (it is sometimes
updated when tags are used, as well as when they are
created).

Each <small>RCS</small> file will be owned by the user who last
checked it in.  This has little significance; what
really matters is who owns the directories.
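
The following shell function is an added example, not part of the <small>CVS</small> manual or distribution; it audits one project directory against the rules above (group ownership, group write, the set-group-ID bit, read-only &lsquo;<code>,v</code>&rsquo; files, a writable &lsquo;<tt>CVSROOT/val-tags</tt>&rsquo;). The function name, the finding tags and the <code>CHECK_SETGID</code> switch are made up for this example, and the repository path, project directory and group are values you supply.

```shell
#!/bin/sh
# Added example: audit one project directory of a CVS repository against the
# permission rules described above. REPO, PROJECT and GROUP are supplied by
# the caller; CHECK_SETGID is a hypothetical switch used by this script only.
# Prints one "TAG path" line per finding; returns 0 if clean, 1 if not,
# 2 on usage errors.

audit_cvs_project() (
    repo=$1 project=$2 group=$3
    dir=$repo/$project
    [ -d "$repo/CVSROOT" ] && [ -d "$dir" ] || {
        echo "usage: audit_cvs_project REPO PROJECT GROUP" >&2
        return 2
    }
    tag() { sed "s|^|$1 |"; }   # prefix every path with a finding tag

    findings=$(
        # Directories: owned by the project group and writable by it,
        # but not by everyone else.
        find "$dir" -type d ! -group "$group" | tag DIR-WRONG-GROUP
        find "$dir" -type d ! -perm -020      | tag DIR-NOT-GROUP-WRITABLE
        find "$dir" -type d -perm -002        | tag DIR-WORLD-WRITABLE
        # Needed only on systems where new files take the creating
        # process's group rather than the parent directory's.
        if [ "${CHECK_SETGID:-1}" = 1 ]; then
            find "$dir" -type d ! -perm -2000 | tag DIR-NO-SETGID
        fi
        # ,v files are created read-only and should stay that way.
        find "$dir" -type f -name '*,v' \
            \( -perm -200 -o -perm -020 -o -perm -002 \) | tag RCS-WRITABLE
        # val-tags must be writable by everyone who uses tags: either
        # group-writable for this group, or world-writable.
        vt=$repo/CVSROOT/val-tags
        if [ -f "$vt" ]; then
            find "$vt" \( ! -group "$group" -o ! -perm -020 \) \
                ! -perm -002 | tag VALTAGS-NOT-WRITABLE
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
)
```

Set <code>CHECK_SETGID=0</code> in the environment on systems where new files already inherit the group of the parent directory.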

<div id="index-CVSUMASK_002c-environment-variable"></div>
<div id="index-Umask_002c-for-repository-files"></div>
<small>CVS</small> tries to set up reasonable file permissions
for new directories that are added inside the tree, but
you must fix the permissions manually when a new
directory should have different permissions than its
parent directory.  If you set the <code>CVSUMASK</code>
environment variable, it controls the file
permissions which <small>CVS</small> uses when creating directories
and/or files in the repository.  <code>CVSUMASK</code> does
not affect the file permissions in the working
directory; such files have the permissions which are
typical for newly created files, except that sometimes
<small>CVS</small> creates them read-only (see the sections on
watches, [[cvs: Telling CVS to watch certain files#Telling CVS to watch certain files|Setting a watch]]; -r, [[cvs: Global options#Global options|Global options]]; or <code>CVSREAD</code>, [[cvs: All environment variables which affect CVS#All environment variables which affect CVS|Environment variables]]).

Note that when using client/server <small>CVS</small>
(see [[cvs: Remote repositories#Remote repositories|Remote repositories]]), there is no good way to
set <code>CVSUMASK</code>; the setting on the client machine
has no effect.  If you are connecting with <code>rsh</code>, you
can set <code>CVSUMASK</code> in &lsquo;<tt>.bashrc</tt>&rsquo; or &lsquo;<tt>.cshrc</tt>&rsquo;, as
described in the documentation for your operating
system.  This behavior might change in future versions
of <small>CVS</small>; do not rely on the setting of
<code>CVSUMASK</code> on the client having no effect.

Using pserver, you will generally need stricter
permissions on the <small>CVSROOT</small> directory and
directories above it in the tree; see [[cvs: Security considerations with password authentication#Security considerations with password authentication|Password authentication security]].

<div id="index-Setuid"></div>
<div id="index-Setgid"></div>
<div id="index-Security_002c-setuid"></div>
<div id="index-Installed-images-_0028VMS_0029"></div>
Some operating systems have features which allow a
particular program to run with the ability to perform
operations which the caller of the program could not,
for example the set user ID (setuid) or set group ID
(setgid) features of UNIX or the installed image
feature of VMS.  <small>CVS</small> was not written to use such
features and therefore attempting to install <small>CVS</small> in
this fashion will provide protection against only
accidental lapses; anyone who is trying to circumvent
the measure will be able to do so, and depending on how
you have set it up may gain access to more than just
<small>CVS</small>.  You may wish to instead consider pserver.  It
shares some of the same attributes, in terms of
possibly providing a false sense of security or opening
security holes wider than the ones you are trying to
fix, so read the documentation on pserver security
carefully if you are considering this option
([[cvs: Security considerations with password authentication#Security considerations with password authentication|Password authentication security]]).


