
[Savannah-hackers] Re: commit_notify


From: Jaime E . Villate
Subject: [Savannah-hackers] Re: commit_notify
Date: Fri, 20 Apr 2001 14:06:48 +0100
User-agent: Mutt/1.2.5i

On Fri, Apr 20, 2001 at 11:30:42AM +0200, address@hidden wrote:
>       This looks like a good and easy method. What happens if for some
> reason the maintainer uses -T frob instead of -T myproject ? There should
> be a way to check that otherwise we will face inconsistencies. 

You're right; I will think of some test to prevent that. Ideally, in the
admin page for a project the administrators should be able to check some box
if they want cvs notifications being mailed somewhere; and the scripts that
control that page should put the name of the project in the -T option; but of
course I should change log_accum anyway.

>  > In the first case cvsweb
>  > points to a wrapper that will give it some root privileges; in the second case
>  > cvsweb is run directly off /usr/lib/cgi-bin/ and the userid of the httpd
>  > server is not allowed to access /cvs/gnudocs
> 
>       The idea was that
> http://savannah.gnu.org/cgi-bin/cvsweb/gnudocs/ is never used.
...
>      I sincerely hope cvsweb does *not* give root
> privilege. Anonymous browsing of the CVS tree must honor the
> permissions restrictions. In particular the emacs CVS tree and the
> private Savannah projects (with is_public flag set to No) must not
> be visible thru webcvs.

OK, it is now clear to me that the current set up is wrong. At this
very moment, webcvs lets anyone browse the cvs repository of private projects;
see for yourselves:
  http://subversions.gnu.org/cgi-bin/cvsweb/emacs/

Even though /cvs/emacs has been modified to forbid public access! viewcvs is
correctly configured; that is, it enters through savannah.gnu.org and not
through subversions.gnu.org. Unless somebody sees a problem with it, I will
eliminate the link from subversions.gnu.org/cgi-bin to cvsweb to maintain the
privacy of the projects which need it.

On the other hand, you seem to confirm what I suspected: gnudocs should have
public access. Is that true? If that's the case then we should fix its
permissions: at this moment it is not accessible by users out of the "gnudocs"
group (that's why I haven't updated savannah.texi; I didn't know if I'd be
DTRT if I simply added myself to the gnudocs group).

Jaime


