SCCS relies on the capabilities of the UNIX system for most of the protection mechanisms required to prevent unauthorized changes to SCCS files -- that is, changes by non-SCCS commands. Protection features provided directly by SCCS are the release lock flag, the release floor and ceiling flags, and the user list.
Files created by the admin command are given access permission mode 444 (read-only for owner, group, and other). This mode should remain unchanged because it (generally) prevents modification of SCCS files by non-SCCS commands. Directories containing SCCS files should be given mode 755, which allows only the owner of the directory to modify it.
SCCS files should be kept in directories that contain only SCCS files and any temporary files created by SCCS commands. This simplifies their protection and auditing. The contents of directories should be logical groupings -- subsystems of the same large project, for example.
SCCS files should have only one link (name) because commands that modify them do so by creating and modifying a copy of the file. When processing is done, the contents of the old file are automatically replaced by the contents of the copy, whereupon the copy is destroyed. If the old file had additional links, this replacement would break them. For that reason, SCCS commands produce an error message rather than process such files.
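The checks from the three paragraphs above (file mode 444, directory mode 755, SCCS-only directory contents, one link per file) can be run as a shell audit. This is an added example, not part of the original documentation: audit_sccs_dir is a hypothetical name, and the s. prefix for SCCS files and the p., q., x. and z. prefixes for SCCS temporary files are assumptions that this page does not state.

```sh
#!/bin/sh
# Added example: audit one directory against the guidance above.
# Assumption (not from the page): SCCS files are named s.* and the temporary
# files SCCS keeps beside them are named p.*, q.*, x.* or z.*.

# audit_sccs_dir DIR: print one line per finding.
# Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
audit_sccs_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=0
    report() { echo "$*"; findings=$((findings + 1)); }

    # Directory must be 755 so only its owner can add, rename or remove entries.
    dmode=$(ls -ld "$dir" | cut -c1-10)
    [ "$dmode" = "drwxr-xr-x" ] || report "DIRMODE $dir is $dmode, expected 755"

    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue       # glob matched nothing
        case ${f##*/} in
            s.*) ;;                                  # SCCS file, checked below
            p.*|q.*|x.*|z.*) continue ;;             # SCCS temporary, allowed
            *) report "FOREIGN $f does not belong in an SCCS directory"
               continue ;;
        esac
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            report "NOTREG $f is not a regular file"
            continue
        fi
        # Field 1 of ls -l is the mode string, field 2 the link count.
        info=$(ls -ld "$f" | awk '{ print substr($1, 1, 10) " " $2 }')
        fmode=${info% *}
        links=${info#* }
        # Mode 444 keeps non-SCCS commands from writing to the file.
        [ "$fmode" = "-r--r--r--" ] || report "FILEMODE $f is $fmode, expected 444"
        # SCCS commands refuse to process a file with more than one link.
        [ "$links" -eq 1 ] || report "LINKS $f has $links links, expected 1"
    done
    [ "$findings" -eq 0 ]
}
```

Because the mode is compared as a full string, a file carrying set-user-ID, set-group-ID or sticky bits is also reported as FILEMODE.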
When only one person uses SCCS, the real and effective user IDs are the same; and the user ID owns the directories containing SCCS files. Therefore, SCCS may be used directly without any preliminary preparation.
When several users with unique user IDs are assigned SCCS responsibilities (on large development projects, for example), one user -- that is, one user ID -- must be chosen as the owner of the SCCS files. This person will administer the files (use the admin command) and will be SCCS administrator for the project. Because other users do not have the same privileges and permissions as the SCCS administrator, they are not able to execute directly those commands that require write permission in the directory containing the SCCS files. Therefore, a project-dependent program is required to provide an interface to the get, delta, and, if desired, rmdel and cdc commands.
The interface program must be owned by the SCCS administrator and must have the set-user-ID-on-execution bit on (see chmod(1)). This ensures that the effective user ID is the user ID of the SCCS administrator. With the privileges of the interface program during command execution, the owner of an SCCS file can modify it at will. Other users whose login names or group IDs are in the user list for that file (but are not the owner) are given the necessary permissions only for the duration of the execution of the interface program. Thus, they may modify SCCS files only with delta and, possibly, rmdel and cdc.