CVS permission settings (translation)

 
2007/8/14

Original: http://cvsacl.sourceforge.net/index.html

CVS Access Control List Extension Patch

CVSACL is a patch for CVS. It adds two new subcommands (acl and racl) to cvs for access control list management. It provides advanced ACL definitions per module, directory, and file on a branch/tag for remote cvs repository connections. Execution of all CVS subcommands can be controlled with eight different permissions.

ACL definitions work only for remote connections; local users can access and modify the repository if the unix file system permissions allow it. If you want all users to make remote connections to the repository, and not allow local users to access it, you have to set the CVSServerRunAsUser keyword in the aclconfig file (explained below). Local users can still use the acl and racl subcommands to set permissions on directories or files if they have acl admin rights (p) on the related directories or files.


So, in order to control all access to the repository with this ACL extension, you should use the CVSServerRunAsUser keyword and force all users to make remote connections. The CVS repository administrator or project managers have to use the acl and racl subcommands to manage permissions. There is no GUI client supporting these subcommands, so you have to use the cvs client itself, either locally or remotely.

Download current version 1.2.5 (June 10, 2006)
sourceforge.net project page
cvsacl-announce mailing list
cvsacl-users mailing list
How to install
Permission types
ACL config keywords
Command line usage information
Command line usage samples

Installation

  • copy the file acl.c under src directory of CVS source distribution.
    cp acl.c /path/to/cvs-1.11.x/src/
  • copy the patch file cvsacl-patch-1.2.x under CVS source distribution directory.
    cp cvsacl-patch-1.2.x /path/to/cvs-1.11.x/
  • cd to CVS source directory.
    cd /path/to/cvs-1.11.x/
  • apply the patch.
    patch -p0 < cvsacl-patch-1.2.x
  • if you initialize the repository after applying the patch, the related config files are created by the init command.
    cvs -d /path/to/repository init

  • if you already have a repository, you have to add the aclconfig file to your $CVSROOT/CVSROOT/. aclconfig.default is the default configuration file; you can rename it to aclconfig and use it.
  • modify the aclconfig file if you need to change some options.
  • as the last step, you have to define yourself as acl administrator. (Translator's note: this step is mandatory; it must be done before granting permissions to other members.)
    cvs -d /path/to/repository racl yourname:p -r ALL -d ALL
    this command gives p (acl admin) rights to the user (yourname) on the whole repository and all tags/branches.

Permission Types

  • no access
    Command line character: n
    If a user is given the n permission, no action on the repository is allowed.
  • read
    Command line character: r
    The r permission gives only read access to the repository. With the r permission you are allowed to run the cvs subcommands annotate, checkout, diff, export, log, rannotate, rdiff, rlog, status.
  • write
    Command line character: w
    The w permission allows only the cvs commit/checkin action. With the w permission you are not allowed to add or remove any file to or from the repository; other permissions should be defined for that.
  • tag
    Command line character: t
    The t permission allows the cvs tag and rtag subcommands to run, so you can control tagging and untagging operations. The t permission includes the r permission, since without reading you cannot tag or untag a file. However, the t permission does not include write permission: you cannot commit a file with only the t permission.
  • create
    Command line character: c
    The c permission allows the cvs add and import subcommands to run. To add or import a file or directory to the repository, you have to be given the c permission. Again, the c permission does not include write permission, so you may only add or import files, not modify any existing file. After issuing the add subcommand, you have to commit the file to complete the addition. This commit is allowed because you are adding a file and not modifying an existing one.
  • delete
    Command line character: d
    The d permission allows the cvs remove command to run. To remove a file or directory from the repository, the d permission has to be set. It does not include write permission, so you cannot modify the contents of an existing file in the repository.
  • full access except admin rights
    Command line character: a
    The a permission gives all access (the permissions above) to the repository, but it cannot modify permissions. Only acl admins may modify the acl definitions.
  • acl admin
    Command line character: p
    The p permission means that the user is an acl admin, so it is allowed to do anything on the repository.

ACL Config Keywords

The administrative file aclconfig contains miscellaneous settings which affect the behaviour of the ACL extension. Currently defined keywords are:
UseCVSACL=value

Use ACL definitions if set to yes. If you do not want to use ACLs for some repositories in a patched CVS server, set this keyword to no. The default is no.

UseCVSACLDefaultPermissions=value

Value can be any combination of valid permission types (w,r,t,c,d,t,a,p). If there is no defined ACL and no default permission in the access file, or no access file at all, these permissions are used. The default is p (admin rights) if the aclconfig file is created with cvs init.

UseCVSGroups=value

CVS does not have a CVSROOT/passwd file. However, it can be created manually (the format should be the same as /etc/group). If value is set to yes, CVS checks for groups in the file $CVSROOT/CVSROOT/group. The default value is no. [Translator's note: I think "passwd" here should be "group".]

UseSystemGroups=value

Group memberships for users are checked in the file /etc/group if value is set to yes. The default value is no.

CVSACLFileLocation=value

Originally, the access file is put under CVSROOT/CVSROOT; if you want a different location, set value to a valid path. The default value is $CVSROOT/CVSROOT/access.

CVSGroupsFileLocation=value

If UseCVSGroups is set to yes, CVS looks for a group file under $CVSROOT/CVSROOT. To use a different location for the group file, set value to a valid path to the group file. The default value is $CVSROOT/CVSROOT/group.

UseSeparateACLFileForEachDir=value

If value is set to yes, a separate ACL file (access) is created for each directory in the repository. If you have a really big repository (directories>10,000 and files>100,000), performance may drop because of one big acl file, access. Setting the value to yes may increase performance. Normally you will not need this. The default value is no.

CVSServerRunAsUser=value

Set the CVSServerRunAsUser keyword to a valid system user.
The keyword is effective only for pserver connections. When a user makes a remote pserver connection to CVS, after successful authentication the cvs process switches to run as that user, or as the system user defined in $CVSROOT/CVSROOT/passwd. So you also have to set the unix file permissions accordingly.
A better solution:
Add a user and a group, for example both named cvsadm.
Set the CVSServerRunAsUser keyword to cvsadm.
Change the unix file system permissions of your repository:
make the cvsadm user and group the owner, and set read, write, execute permissions and setgid.
(chown cvsadm -R /path/to/your/repository)
(chgrp cvsadm -R /path/to/your/repository)
(chmod 2770 -R /path/to/your/repository)
Add yourself to the cvsadm group (since you are the ACL administrator).
As a result, only users making remote connections will have access to the repository, and only if you give them rights. Local users cannot access the repository via a cvs client or directly.
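
The ownership and mode layout described above can be checked mechanically. The following Python sketch is an added example, not part of CVSACL or of the original page; it walks a repository and reports entries that deviate from the cvsadm-owned, mode 2770 layout. The function name and the finding strings are made up for this illustration.

```python
import grp
import os
import pwd
import stat
import sys


def audit_repository(root, expected_uid, expected_gid):
    """Return (path, problem) pairs for entries that break the 2770 layout."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes carry no meaning; skip them
            # chmod 2770 leaves no bits for "other": local users get nothing.
            if st.st_mode & stat.S_IRWXO:
                findings.append((path, "accessible to other users"))
            if st.st_uid != expected_uid or st.st_gid != expected_gid:
                findings.append((path, "wrong owner or group"))
            # setgid on directories keeps newly created files in the group.
            if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_ISGID:
                findings.append((path, "directory without setgid"))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit.py /path/to/your/repository
    uid = pwd.getpwnam("cvsadm").pw_uid
    gid = grp.getgrnam("cvsadm").gr_gid
    for path, problem in audit_repository(sys.argv[1], uid, gid):
        print(f"{problem}: {path}")
```

Any finding means a local account may be able to read or change the repository files without going through the ACL checks, which only apply to remote connections.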

Command Line Usage Information
The acl command is used on checked out files or directories. The racl command is used on the repository without a working copy. Usage information can be obtained with the standard cvs --help command.
[Translator's note: I am not sure what this sentence about the difference between acl and racl means!]
Output of cvs --help acl and cvs --help racl (the usage text is reproduced at the end of this page):

NOTICE: There are no more -d and -f options for directories and files; the acl/racl subcommands run like other cvs subcommands.
You may directly set permissions for a user or group, or add/remove permissions to/from the existing permissions with the + and - signs.
If you do not give the branch/tag information, the default value of HEAD (main branch) will be used. You have to give the branch/tag name with the -r option. You may type ALL for the branch/tag field.
While checking for permissions, it goes through the list below. So the most significant permission is the first item in the list.

  • permissions assigned to username for specific directory or file.
  • permissions assigned to group name for specific directory or file.
  • permissions as defaults for specific directory or file.
  • permissions as repository defaults.
  • permissions in aclconfig file.
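
The lookup order above, together with the permission letters from the Permission Types section, can be modelled in a few lines. This Python sketch is an added illustration, not CVSACL's own code; it covers a single branch, ignores the add-then-commit case, and assumes that the first matching group wins and that access is denied when nothing is defined at any level.

```python
READ = {"annotate", "checkout", "diff", "export", "log",
        "rannotate", "rdiff", "rlog", "status"}
# Subcommands each letter allows, as listed under "Permission Types".
GRANTS = {"r": READ, "w": {"commit"}, "t": READ | {"tag", "rtag"},
          "c": {"add", "import"}, "d": {"remove"}}
EVERYTHING = set().union(*GRANTS.values())


def effective(entry, repo_default, aclconfig_default, user, groups):
    """First defined permission string, searched in the order listed above."""
    candidates = [entry.get("users", {}).get(user)]
    # Assumption: with several matching groups, the first one listed wins.
    candidates += [entry.get("groups", {}).get(g) for g in groups]
    candidates += [entry.get("default"), repo_default, aclconfig_default]
    # Assumption: nothing defined anywhere means no access.
    return next((p for p in candidates if p), "n")


def allowed(perms, subcommand):
    if "n" in perms:
        return False
    if "p" in perms:
        return True                      # acl admin: anything, incl. acl/racl
    if "a" in perms:
        return subcommand in EVERYTHING  # everything except changing ACLs
    return any(subcommand in GRANTS[c] for c in perms if c in GRANTS)


# Constructed data mirroring the page's examples (branch HEAD).
LIB = {"users": {"userX": "wcd"}, "groups": {"group1": "w"}, "default": None}
GUI = {"users": {}, "groups": {}, "default": "n"}   # racl ALL:n -r ALL gui
REPO_DEFAULT = "r"                                   # racl ALL:r -r ALL ALL
ACLCONFIG_DEFAULT = "p"                              # value written by cvs init


def check(entry, user, groups, subcommand):
    perms = effective(entry, REPO_DEFAULT, ACLCONFIG_DEFAULT, user, groups)
    return perms, allowed(perms, subcommand)


if __name__ == "__main__":
    print(check(LIB, "userX", ["group1"], "add"))
    print(check(GUI, "guest", [], "checkout"))
    print(effective({}, None, ACLCONFIG_DEFAULT, "guest", []))
```

The last call shows the fall-through that matters most in practice: with ACLs enabled and nothing defined in the access file, the aclconfig value applies, and for an aclconfig created by cvs init that value is p.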

Examples
     /cvs/
      |
      |
      +--projectA/
      |        |
      |        +---CVSROOT/
      |        |
      |        +---lib/
      |        |     |
      |        |     +---gnulib/
      |        |     |
      |        |     +---zlib/
      |        |
      |        +---src/
      |        |     |
      |        |     +---main.c
      |        |     |
      |        |     +---server.c
      |        |     |
      |        |     +---client.c
      |        |
      |        +---gui/
      |
      +--projectB/
We have the above directory structure for a cvs repository, and no defined permissions.
Setting main default permissions:
$ cvs -d /cvs/projectA racl cvsadmin:p -r ALL ALL
$ cvs -d /cvs/projectA racl ALL:r -r ALL ALL

User cvsadmin will be an acl admin, and all other users will have only read rights on all branches/tags in the projectA repository. This is the default acl definition and it overrides the default permissions in the $CVSROOT/CVSROOT/aclconfig file.
$ cvs -d /cvs/projectA racl ALL:r -r ALL ALL
$ cvs -d /cvs/projectA racl ALL:n -r ALL gui

After executing these two commands, all users will have read access on all directories and files except the gui directory. Everyone will be denied access to the gui directory because the no access (n) permission is set.
Setting permissions directly on a file or directory:
$ cvs -d /cvs/projectA racl userX:wcd lib
$ cvs -d /cvs/projectA racl group1:w lib

The first command sets write, create, and delete permissions for userX on directory lib with branch HEAD (since no branch/tag information is given, the branch defaults to HEAD). The second command sets only write permission for group1 on directory lib with branch HEAD. Members of group1 will have only commit rights on the lib directory, branch HEAD; they cannot add or remove any file, just modify existing files.
If userX is also a member of group1, userX will have write, create, and delete permissions because it is specifically given these permissions.
$ cvs -d /cvs/projectA racl userY:wcd -r develStream lib
$ cvs -d /cvs/projectA racl userY:r -r integStream lib

These commands give wcd permissions to userY on the lib directory with tag develStream, and r permissions on the lib directory with tag integStream.
$ cvs -d /cvs/projectA racl userZ:wcd src
$ cvs -d /cvs/projectA racl userZ:r src/main.c

The first command gives wcd permissions to userZ on the src directory; the second gives only read permission on the file main.c in the src directory.
Using + and - signs to set permissions on a file or directory:
$ cvs -d /cvs/projectA racl userZ:+t src
$ cvs -d /cvs/projectA racl userZ:-cd src
$ cvs -d /cvs/projectA racl userZ:-wt src

Before the first command, userZ has wcd permissions on the src directory; after issuing the command it has wcdt permissions, because the tag permission is added. With userZ at wcdt, we execute the second command to remove the create and delete permissions, so userZ has wt permissions. The last command also removes the wt permissions; finally userZ has no defined permissions left, and it will use the default permissions if set.
Listing permissions on a file or directory:
$ cvs -d /cvs/projectA racl -l src
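$ cvs -d /cvs/projectA racl -l src  [Translator's note: I suspect this command is wrong, since it is identical to the previous one; judging from the text below it may be $ cvs -f /cvs/projectA racl -l src ]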
$ cvs -d /cvs/projectA racl -l src/main.c

The first command lists the permissions for the src directory.
Example output:
d src HEAD | userX:wcd group1:r | defaults:r
userX and group1 have assigned permissions; all other users will have the default permissions, which is only read.
The second command lists the permissions for the files in the src directory.
Example output:
f src/main.c HEAD | userX:wcd group1:r | defaults:r
f src/server.c HEAD | userX:wcd group1:r | defaults:r
f src/client.c HEAD | userX:wcd group1:r | defaults:r

The third command lists the permissions for the main.c file in the src directory.
Example output:
f src/main.c HEAD | userX:wcd group1:r | defaults:r
http://cvsacl.sourceforge.net
sbaris@users.sourceforge.net

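  After nearly ten days of on-and-off work, the translation is finally finished. Since my ability is limited and this is my first time translating a document, please point out any shortcomings. This translation sets the original and the translation side by side, with the translation marked in "()" after the original, in the hope that this makes it easier to read.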

Usage: cvs racl [user||group:permissions] [-Rl] [-r tag] [directories...] [files...]
        -R      Process directories recursively.
        -r rev  Existing revision/tag.
        -l      List defined ACLs.

Usage: cvs acl [user||group:permissions] [-Rl] [-r tag] [directories...] [files...]
        -R      Process directories recursively.
        -r rev  Existing revision/tag.
        -l      List defined ACLs.
 