[Cvsnt] general questions.

Bo Berglund bo.berglund at telia.com
Fri Sep 28 20:18:19 BST 2001


>
>with 1.10.8 do you still get nt domain integration for accounts (in
>pserver mode)?

Not that I know of, you either use :ntserver: from NT class clients
using the named pipe or you use :pserver: as original CVS from any
client machine type.
In the first case CVS-NT works in the context of the user and all file
system permissions are applied, in the other it works in the service
account context (normally SYSTEM) which has access to everything.

Version 1.11.1.x has changed this, I gather, but I don't use it myself
so I cannot comment...
>

>this is where i start to get confused, especially with the impersonation
>stuff.  i don't care about ntserver, i have unix and 95/98 clients that
>need access and if i understand correctly ntserver will not work at all
>in that model.

If you don't have NT only clients then forget about :ntserver: you
have to use :ext: with ssh or :pserver: with whatever limitations that
gives.

>
>so i need pserver with domain integration (since that's the whole reason
>we want to move to cvsnt).  however any domain user that is created has
>full access to all the repositories unless you can implement file systems
>permissions.  right?

Given that 1.11.1.x can impersonate a valid domain user even if
invoked using :pserver: (as I said I have not tested), then of course
the file system permissions will come into play here.
In NT (but only if you use the NTFS file system!) you can make the
access permission granularity really fine. You have to be careful
here.

A domain user belongs to the Everybody group per default and also per
default the Everybody group will have full control on a disk directory
on a domain connected PC. But this is only initially, first create a
directory d:\CVSREPO and then set the permissions for the directory to
only include SYSTEM and a group "CVSUsers". Now this directory cannot
be accessed by anyone not belonging to these two entities, including
domain admins (unless they are part of the CVSUsers group).
Any directory you create below this will inherit the security
properties from its parent so you are almost done here.


>now i thought that with pserver and ntserver impersonation turned on, i
>got a system where file system permissions could be implemented to control
>access.

With 1.11.1.x I guess that would be true.

>
>if this doesn't work how do you control access to your repositories?

Only through the passwd file and once accepted all users have the
same rights.

>
>> To be able to use pserver securely you must implement some form of SSH
>> system, something I tried but abandoned 6 months ago. Too much work
>> and we use NT only clients anyway.
>
>ugg, yeah, that's a pain.  we just use stunnel.  it's not as secure as ssh
>but you can use cvs' account database and nothing is plain text.

I personally use Cisco's VPN system to access my corporate LAN from
the web and once logged in I am authenticated by the domain. But I am
using NT4 and W2000 clients exclusively of course...

>
>> This issue is with the way WinCvs finds out which files to show as
>> modified. WinCvs uses a Windows API that basically puts a watch on a
>> directory which fires as soon as any file in the directory has
>> changed. This API works fine on local drives (which are maintained by
>> the local CPU), but for network mapped drives it seems to
>> automatically convert to a polling system that creates a *lot* of
>> network traffic and also ups the WinCvs CPU cycle usage something
>> awful. If the users will work with WinCvs by starting it when they
>> want to do some CVS stuff and then immediately close WinCvs when they
>> are done then it will be OK to use a sandbox on a mapped drive, but in
>> my view not otherwise.
>
>okay so more questions.  what are the SANDBOX, HOME and TEMP variables
>that i'm supposed to set actually used for?

I don't give much for this issue with all the env variables. I have
set up my *server* with TMP and TEMP variables, that is all. Don't
understand why people seem so keen on discussing these, the other vars
seem not to be needed at all. I have never set any and my
installations work just fine both on server and client side...

Anyway, the sandbox I refer to above is the workspace into which the
developer checks out the project files and in which he works during
his development effort. WinCvs will watch this directory structure as
long as it is running and look for file changes so it can mark changed
files with a clear (red) icon and so notify the developer of a need to
commit the changes to the server. This watch process is what is so CPU
intensive across network connections.

>
>> But if you and your users are careful and not too many you might get
>> away with this, but I doubt that you will sleep very well if your data
>> are anywhere close to valuable.....
>
>yah, our data is important.

I think data are more valuable than any hardware you can come up with
today after only a small time of development.
Value >= <number of developers> * <avg time per developer> * <salary>
Value monotonically increases as time goes by (hopefully).

>
>thanks for all the info.
You're welcome

>
>adam.
>
/Bo
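An added example, not part of the original thread, that carries out the NTFS lock-down Bo describes above (strip the default Everybody access from the repository root, leave only SYSTEM and a CVSUsers group, let subdirectories inherit) as a PowerShell script. It assumes the path D:\CVSREPO from the message, a group named CVSUsers, and a current Windows with Get-Acl/Set-Acl rather than NT4's cacls.

```powershell
# Added example: restrict a CVS repository root to SYSTEM and one group.
# Assumptions: D:\CVSREPO (path from the thread) and a group "CVSUsers".
$RepoRoot  = 'D:\CVSREPO'
$GroupName = 'CVSUsers'   # assumed group name, adjust to your domain

if (-not (Test-Path $RepoRoot)) {
    New-Item -ItemType Directory -Path $RepoRoot | Out-Null
}

# Weak default: a fresh directory inherits broad ACEs (Everyone/Users) from D:\.
Write-Host "Before:"
(Get-Acl $RepoRoot).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

$acl = Get-Acl $RepoRoot
# Stop inheriting from the drive root and discard (not copy) inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit ACEs too, so the result is exactly the two rules below.
foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }

# Apply to this folder, subfolders and files so new modules are covered.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# SYSTEM: the CVS-NT service account in the setup described by Bo.
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $propagate, 'Allow')
# Developers get Modify, which is enough to commit but withholds the right
# to change permissions or take ownership of the repository.
$usersRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $GroupName, 'Modify', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($systemRule)
$acl.AddAccessRule($usersRule)
Set-Acl -Path $RepoRoot -AclObject $acl

# Check: only SYSTEM and CVSUsers should remain, neither marked as inherited.
Write-Host "After:"
(Get-Acl $RepoRoot).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Run it from an elevated session by an account that still holds rights on D:\CVSREPO; once applied, even domain admins outside CVSUsers are locked out, exactly as the message warns.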
_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt