Setting permissions for files and directories

CVSNT has its own access control mechanism that is aware of branches and other CVSNT features. There are currently 5 access permissions that can be set, and 3 ways of matching the access entry.

The access permissions are as follows:

read

User is able to read the file or, for a directory, access files within that directory.

write

User is able to commit a new revision to the file or directory.

create

User is able to add new files to the directory.

tag

User is able to tag the file or files within the directory.

control

User is able to modify the access controls for the file or directory. This right is granted automatically to the file owner and to repository administrators.

Each access entry has 3 attributes which define which situations it applies to.

Username (-u)

Defines that this access entry applies to a single user or group. Where this is specified it is the most significant attribute.

Branch (-r)

Defines that this access entry applies to a single branch or tag. Where this is specified it is the second most significant attribute.

Merge (-j)

Defines that this access entry applies when a merge is attempted from the specified branch.

There are also 3 optional attributes that may be specified for each access entry.

Message (-m)

Defines a custom message displayed to the user when an action fails due to this entry.

Priority (-p)

Normally CVSNT prioritises access entries using a 'best fit' match, with ambiguities solved as described above. In exceptional cases it may be necessary to override this behaviour. Specifying a priority over 100 is guaranteed to be higher than the calculated priorities, and will ensure that this ACL entry overrides all others.

Inheritance (-n)

Normally directory access control entries automatically inherit, which means setting an access control entry on the root of a module affects all directories below it, unless overridden by an entry further down the tree. This option suppresses that behaviour.

Access permissions are modified using the cvs chacl command. For example:

cvs chacl -a read,write,create -u theuser dir1 dir2 dir3

will grant the user named theuser read and write access to the three specified directories.

Those permissions will be inherited by a sub-directory, so to stop commits on a sub-directory you would need to explicitly deny it. For example:

cvs chacl -a nowrite,nocreate -u theuser dir1/dir4

To view the current permissions the cvsnt lsacl command can be used. It will show the owner and all the users that have permissions in the given directories.

If the user name is not specified, those permissions will be given to all users of the directory, if not overridden by other entries. This is an easy way to give everyone read access to a directory, for instance.

For a user to have access to a directory, they must have at least read access to all the directories above it. If a user has a 'no access' ACL on a parent directory they cannot be granted access to directories below it.
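
The inheritance, -n and parent-directory rules above, worked through in a small Python model for auditing a planned set of entries. This is an added example, not CVSNT code: the Entry class, the function names, the tie-break order (deeper directory, then user match, then branch match) and the deny result when no entry matches are assumptions of the model.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

@dataclass
class Entry:                       # simplified stand-in for one ACL entry
    path: str                      # directory the entry is set on ("." = module root)
    perms: set                     # e.g. {"read", "nowrite"}
    user: Optional[str] = None     # -u; None applies to all users
    branch: Optional[str] = None   # -r; None applies to any branch
    inherit: bool = True           # False models -n

def _fit(e, user, branch, target):
    """Sort key if entry e applies at target, else None."""
    ep, tp = PurePosixPath(e.path), PurePosixPath(target)
    if ep != tp and not (e.inherit and ep in tp.parents):
        return None
    if e.user not in (None, user) or e.branch not in (None, branch):
        return None
    # Assumed tie-break: deeper directory, then user match, then branch match.
    return (len(ep.parts), e.user is not None, e.branch is not None)

def decide(entries, user, branch, target, perm, default=False):
    """Verdict of the best-fitting entry naming perm; `default` (assumed) if none."""
    best_key, verdict = None, default
    for e in entries:
        key = _fit(e, user, branch, target)
        if key is not None and {perm, "no" + perm} & e.perms:
            if best_key is None or key > best_key:
                best_key, verdict = key, perm in e.perms
    return verdict

def allowed(entries, user, branch, target, perm):
    """perm on target, provided every directory above it is readable."""
    parents = PurePosixPath(target).parents
    return (all(decide(entries, user, branch, str(p), "read") for p in parents)
            and decide(entries, user, branch, target, perm))

# Constructed sample ACL mirroring the chacl examples in this section.
ACL = [
    Entry(".", {"read"}),                                   # everyone may read
    Entry("dir1", {"read", "write", "create"}, user="theuser"),
    Entry("dir1/dir4", {"nowrite", "nocreate"}, user="theuser"),
    Entry("dir2", {"noread"}, user="theuser"),
    Entry("dir2/pub", {"read", "write"}, user="theuser"),   # cannot rescue dir2
    Entry("dir3", {"write"}, inherit=False),                # -n: dir3 only
]
```

In this model theuser keeps read on dir1/dir4 but loses write there, and the grant on dir2/pub has no effect because read is denied on dir2.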

The owner of a directory can be reassigned using the cvsnt chown command.

See also the section called “chacl--Change access control lists”, the section called “lsacl--Show file/directory permissions” and the section called “chown--Change directory owner”.