[Could use some tweaks to the documentation (to simplify and avoid 
for example, cryptic abbreviations like "root-priv" and discussion of
non-CVS components like "Secure Shell" and cron).

The basic idea is right.

Keeping the #ifdef may seem odd, but actually it makes sense (think of
it as HAVE_GETEUID, perhaps should change the comment and/or the name
accordingly).  If the #ifdef is set to not check for root, and
CVSROOT/config is set to check, that should be an error.

-kingdon]

Date: Tue, 19 Jan 1999 06:38:46 +0500 (YEKT)
From: Vitaly Fedrushkov <willy@snowyowl.csu.ac.ru>
To: bug-cvs@gnu.org
Subject: BADROOT moved to runtime

Good $daytime,

Included below is a silly patch that adds a new option to CVSROOT/config
to replace CVS_BADROOT from src/options.h.

I'm using CVS to monitor/backup/sync runtime configurations of several
hosts.  After I found myself recompiling cvs half dozen times, I wrote
this -- in hope it will eventually get into next distribution :).

Tested under Linux (RedHat 5.2).  Should work everywhere -- there's
simply nothing to break.

Should this be committed, someone please look at texinfo page.  Sorry
I'm not a native speaker and sometimes my English is poor.

Just my $0.02.

  Regards,
  Willy.

--
"No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
 Shall bring us to our goal, | Information Technology Division
 But iron sacrifice          | Chelyabinsk State University
 Of Body, Will and Soul."    | mailto:willy@csu.ac.ru  +7 3512 156770
                   R.Kipling | http://www.csu.ac.ru/~willy  VVF1-RIPE

---

[I've unpacked this from the attachment but otherwise have not changed
it.  -kingdon]

diff -ur cvs-1.10.2/ChangeLog cvs/ChangeLog
--- cvs-1.10.2/ChangeLog	Fri Sep 18 20:35:27 1998
+++ cvs/ChangeLog	Tue Jan 19 04:23:59 1999
@@ -1,3 +1,7 @@
+1999-01-19  Vitaly V Fedrushkov  <willy@snowyowl.csu.ac.ru>
+
+	* NEWS: Note about AllowRoot added.
+
 1998-09-09  Jim Kingdon  <kingdon@harvey.cyclic.com>
 
 	* configure.in (AC_OUTPUT): Remove tools/pcl-cvs/Makefile.
diff -ur cvs-1.10.2/NEWS cvs/NEWS
--- cvs-1.10.2/NEWS	Fri Sep 18 20:35:28 1998
+++ cvs/NEWS	Tue Jan 19 04:22:41 1999
@@ -1,5 +1,8 @@
 Changes since 1.10:
 
+* Added new CVSROOT/config parameter: AllowRoot.  Allows UID 0 to
+make 'cvs commit'.  Replaces compile-time CVS_BADROOT define.
+
 * It is now possible to put the CVS lock files in a directory
 set by the new LockDir option in CVSROOT/config.  The default
 continues to be to put the lock files in the repository itself.
diff -ur cvs-1.10.2/doc/ChangeLog cvs/doc/ChangeLog
--- cvs-1.10.2/doc/ChangeLog	Fri Sep 18 20:35:36 1998
+++ cvs/doc/ChangeLog	Tue Jan 19 04:10:19 1999
@@ -1,3 +1,7 @@
+1999-01-19  Vitaly V Fedrushkov  <willy@snowyowl.csu.ac.ru>
+
+	* cvs.texinfo (config): AllowRoot option added.
+
 1998-09-16  Jim Kingdon  <kingdon@harvey.cyclic.com>
 
 	* cvs.texinfo: RFC2346 is out; update comment.
diff -ur cvs-1.10.2/doc/cvs.texinfo cvs/doc/cvs.texinfo
--- cvs-1.10.2/doc/cvs.texinfo	Fri Sep 18 20:35:42 1998
+++ cvs/doc/cvs.texinfo	Tue Jan 19 04:09:47 1999
@@ -12105,6 +12105,29 @@
 CVS users will put the locks one place, and others will
 put them another place, and therefore the repository
 could become corrupted.
+
+@cindex AllowRoot, in CVSROOT/config
+@item AllowRoot=@var{value}
+
+When committing a permanent change, CVS and RCS make a
+log entry of who committed the change.  If you are
+committing the change logged in as "root" (not under
+"su" or other root-priv giving program), CVS/RCS cannot
+determine who is actually making the change.
+
+As such, the default value is @samp{no}, meaning that
+CVS disallows changes to be committed by users logged
+in as "root".
+
+However, when "root" access is controlled with
+techniques like Secure Shell, you have no "su" option.
+Also, if you're using CVS for unattended configuration
+management tasks, you may want to do @samp{cvs commit}
+from cron job.  In such cases you can enable "root" to
+make commit on a per-repository basis, setting
+AllowRoot option to @samp{yes}.
+
+This option is ignored on non-unix systems.
 @end table
 
 @c ---------------------------------------------------------------------
diff -ur cvs-1.10.2/src/ChangeLog cvs/src/ChangeLog
--- cvs-1.10.2/src/ChangeLog	Fri Sep 18 20:46:27 1998
+++ cvs/src/ChangeLog	Tue Jan 19 04:19:15 1999
@@ -1,3 +1,11 @@
+1999-01-19  Vitaly V Fedrushkov  <willy@snowyowl.csu.ac.ru>
+
+	* options.h.in (CVS_BADROOT): Now runtime configurable
+	* mkmodules.c (config_contents): AllowRoot parameter added
+	* parseinfo.c (parse_config): AllowRoot parameter added
+	* commit.c (commit): Runtime commit-as-root checking
+	* cvs.h: allow_root global flag added
+
 1998-09-18  Jim Kingdon  <kingdon@pennington.cyclic.com>
 
 	* Version 1.10.2.
diff -ur cvs-1.10.2/src/commit.c cvs/src/commit.c
--- cvs-1.10.2/src/commit.c	Fri Sep 18 20:35:53 1998
+++ cvs/src/commit.c	Tue Jan 19 02:51:21 1999
@@ -69,6 +69,7 @@
     List *cilist;			/* list with commit_info structs */
 };
 
+int allow_root = 0;
 static int force_ci = 0;
 static int got_message;
 static int run_module_prog = 1;
@@ -339,7 +340,7 @@
     /* FIXME: Shouldn't this check be much more closely related to the
        readonly user stuff (CVSROOT/readers, &c).  That is, why should
        root be able to "cvs init", "cvs import", &c, but not "cvs ci"?  */
-    if (geteuid () == (uid_t) 0)
+    if ((!allow_root) && (geteuid () == (uid_t) 0))
     {
 	struct passwd *pw;
 
diff -ur cvs-1.10.2/src/cvs.h cvs/src/cvs.h
--- cvs-1.10.2/src/cvs.h	Fri Sep 18 20:35:54 1998
+++ cvs/src/cvs.h	Tue Jan 19 01:58:37 1999
@@ -396,6 +396,7 @@
 extern int logoff;		/* Don't write history entry */
 
 extern int top_level_admin;
+extern int allow_root;		/* Allow UID 0 to commit? */
 
 #ifdef CLIENT_SUPPORT
 extern List *dirs_sent_to_server; /* used to decide which "Argument
diff -ur cvs-1.10.2/src/mkmodules.c cvs/src/mkmodules.c
--- cvs-1.10.2/src/mkmodules.c	Mon Aug 24 21:40:22 1998
+++ cvs/src/mkmodules.c	Tue Jan 19 04:05:14 1999
@@ -288,6 +288,10 @@
     "# level of the new working directory when using the `cvs checkout'\n",
     "# command.\n",
     "#TopLevelAdmin=no\n",
+    "\n",
+    "# Set `AllowRoot' to `yes' to enable commit command for user \"root\".\n",
+    "# This may make ChangeLogs effectively anonymous.\n",
+    "#AllowRoot=no\n",
     NULL
 };
 
diff -ur cvs-1.10.2/src/options.h.in cvs/src/options.h.in
--- cvs-1.10.2/src/options.h.in	Tue Mar 17 02:54:30 1998
+++ cvs/src/options.h.in	Tue Jan 19 02:51:33 1999
@@ -133,8 +133,12 @@
  * CVS/RCS cannot determine who is actually making the change.
  *
  * As such, by default, CVS disallows changes to be committed by users
- * logged in as "root".  You can disable this option by commenting out
- * the lines below.
+ * logged in as "root".
+ * 
+ * This functionality is now controlled with AllowRoot per-repository
+ * option in CVSROOT/config.  As the whole issue doesn't exist on
+ * non-unix systems, this condition retains here in src/config.h and
+ * should be left as is.
  */
 #ifndef CVS_BADROOT
 #define	CVS_BADROOT
diff -ur cvs-1.10.2/src/parseinfo.c cvs/src/parseinfo.c
--- cvs-1.10.2/src/parseinfo.c	Fri Sep 18 20:35:57 1998
+++ cvs/src/parseinfo.c	Tue Jan 19 02:45:30 1999
@@ -367,6 +367,20 @@
 	       opendir it or something, but I don't see any particular
 	       reason to do that now rather than waiting until lock.c.  */
 	}
+	else if (strcmp (line, "AllowRoot") == 0)
+	{
+	    /* This option means nothing on non-unix systems, but is
+	       kept here for consistency. */
+	    if (strcmp (p, "no") == 0)
+		allow_root = 0;
+	    else if (strcmp (p, "yes") == 0)
+		allow_root = 1;
+	    else
+	    {
+		error (0, 0, "unrecognized value '%s' for AllowRoot", p);
+		goto error_return;
+	    }
+	}
 	else
 	{
 	    /* We may be dealing with a keyword which was added in a