Bug related to ACLs in cvsweb


Bug related to ACLs in cvsweb

Johan Myreen
Hi.

Due to a Perl misfeature, cvsweb.cgi does not work correctly if Access
Control Lists (ACLs) are in use. The script includes the pragma

use filetest qw(access);

This pragma changes how Perl does permission checks on files and
directories; instead of using stat(), permissions are checked using
access(). The problem is that the script uses the cached value of a
stat() call to check permissions, using the special filehandle _.

When the filetest 'access' pragma is in use, the -r $file, -w $file and
-x $file tests do not set the cache (because no call to stat() is made).
What's worse, when the stat cache is set, e.g. as a result of -d $file,
it contains the wrong value for a -r _ test. The stat cache contains the
traditional rwx mode bits, and does not reflect any additional
permissions granted by the ACL. See: http://perldoc.perl.org/filetest.html

ACLs are very useful when used with cvsweb. You can grant the 'www-data'
user read permission to the repository files without opening them up to
all users on the server (with chmod o+r). Of course, you could add user
'www-data' to the 'cvs' group, but that would mean 'www-data' would have
write permission to the repository.

Patch attached.

Keywords: cvsweb acl bug filetest access

Johan Myréen
[hidden email]


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-cvsweb
To unsubscribe, send any mail to "[hidden email]"

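The two test patterns described in the report, side by side in a small Perl script. This is an added illustration, not cvsweb code and not Johan's patch; the function names and the command-line path argument are my own. Run it as a user whose only read access to the directory comes from an ACL entry (for example one granted with setfacl) to see the cached-stat test deny what access(2) allows.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use filetest qw(access);   # the same pragma cvsweb.cgi enables

# Broken pattern (what cvsweb.cgi does): -d $path fills the stat cache,
# and -r _ then answers from the cached rwx mode bits only. Any extra
# permission granted through an ACL is invisible here.
sub readable_dir_via_stat_cache {
    my ($path) = @_;
    return 0 unless -d $path;
    return (-r _) ? 1 : 0;
}

# Fixed pattern: test the path again so Perl calls access(2), which the
# kernel evaluates against mode bits and ACL entries together.
sub readable_dir_via_access {
    my ($path) = @_;
    return 0 unless -d $path;
    return (-r $path) ? 1 : 0;
}

# Path to examine; defaults to the current directory if none is given.
my $dir = shift @ARGV // '.';
printf "%s: stat-cache test says %d, access() test says %d\n",
    $dir, readable_dir_via_stat_cache($dir), readable_dir_via_access($dir);
```

On a directory where the invoking user is listed only in the ACL, the first value is 0 and the second is 1, which is exactly the mismatch that makes cvsweb refuse ACL-readable repositories.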

Re: Bug related to ACLs in cvsweb

Eitan Adler-4
On 25 May 2013 15:46, Johan Myreen <[hidden email]> wrote:
> Hi.
>
> Due to a Perl misfeature, cvsweb.cgi does not work correctly if Access
> Control Lists (ACLs) are in use. The script includes the pragma
...


Hey,

Thank you for your bug report.

However, cvsweb was last released in 2005 and it is basically
unmaintained.  I would suggest you use viewvc instead.


--
Eitan Adler

Re: Bug related to ACLs in cvsweb

Johan Myreen
On 05/26/13 23:04, Eitan Adler wrote:
> On 25 May 2013 15:46, Johan Myreen <[hidden email]> wrote:

>> Due to a Perl misfeature, cvsweb.cgi does not work correctly if Access

> Thank you for your bug report.
>
> However, cvsweb was last released in 2005 and it is basically
> unmaintained.

Yes, I know cvsweb has not been touched in eight years. But it is still
included in the major Linux distros (and FreeBSD too, I guess). So, for
the benefit of anybody who might stumble into the same problem, I
decided to publish my findings and the fix in a place where they can be
found by someone who is looking for a solution. That's also why I
included the keywords at the end of the message.

I now see that apparently search engines are not welcome to index the
mailing list archives, so my effort was somewhat in vain.

> I would suggest you use viewvc instead.

Thanks for the tip, but our team will be migrating our repository from
CVS to Git as soon as possible. This could take a while, but we can live
with the current version of cvsweb in the meantime.

Johan Myréen


Re: Bug related to ACLs in cvsweb

Eitan Adler-4
On 28 May 2013 15:43, Johan Myreen <[hidden email]> wrote:
> Yes, I know cvsweb has not been touched in eight years. But it is still
> included in the major Linux distros (and FreeBSD too, I guess). So, for the
> benefit of anybody who might stumble into the same problem, I decided to
> publish my findings and the fix in a place where they can be found by
> someone who is looking for a solution. That's also why I included the
> keywords at the end of the message.

Makes sense - thanks for the info.

> I now see that apparently search engines are not welcome to index the
> mailing list archives, so my effort was somewhat in vain.

Other archives are indexed. I'm not sure why ours isn't.

>> I would suggest you use viewvc instead.
>
> Thanks for the tip, but our team will be migrating our repository from CVS
> to Git as soon as possible. This could take a while, but we can live with
> the current version of cvsweb in the meantime.

Ack.

--
Eitan Adler