CVS access control

[Matthew Versluys]

To meet the needs of a large repository with numerous users, I've been playing
with adding directory level access control to CVS.  (The repository is hosted on
a server which does not have native ACL support in the file system and I don't
want to give the casual administrator shell access to the server anyhow).

It works as follows;

A client starts CVS on the server and just after the server checks to see if the
command being issued is allowed by checking CVSROOT/readers and
CVSROOT/writers, it then looks for the file CVSROOT/access/%username%.  The
access file contains a simple rule chain for determining access to directories.
In the guts of CVS (recurse.c) where it does all the heavy lifting, it checks
each directory that is entered to see if the user has the necessary access.  If
the user does not have access then it's as if the directory doesn't exist.

The access files have the following format:
<"READ"|"WRITE"> <DIRECTORY REGEXP>

A typical file could look like this:
READ ^Readable
WRITE ^Writable
READ ^Read/Access/But/Not/Below/Here$
WRITE ^Write/Access/But/Not/Below/Here$

When the file is loaded it is parsed in READ or WRITE context based on the
command being issued (much like the tests against CVSROOT/readers and
CVSROOT/writers).  If the command requires READ access then the rules which
grant READ or WRITE access are considered.  If the command requires WRITE access
then the rules which grant READ access are ignored.  If the access file exists
for a user then all directories in the repository which don't match any of the
rules are considered as NO ACCESS.

Anyhow, the reason I'm posting is to get your feedback on such a scheme.

Matt.