[Cvsnt] Re: user-aliases ? - PARTIALLY WORKING NOW

Brian Smith brian-l-smith at uiowa.edu
Thu Apr 4 20:24:41 BST 2002


Tony Hoyle wrote:
> Brian Smith wrote:
>> set the repository root during authentication. AFAIK, pserver is the
>> only protocol that sets the repository root during authentication. I
>
> All protocols except 'ext' and 'gserver' send the root during
> authentication, for precisely this reason (and gserver only for
> historical reasons).

I looked at the code for :ntserver: and it does send/receive the root as
part of authentication. The MIT :gserver:, the sspi :gserver:, and the
:sspi: protocols do not send/receive the root as part of authentication.
I remember looking at this with a packet sniffer, and I also just
inspected the code for all of them. I admit I could be mistaken but I
just don't see my mistake.

> In many (most, probably) cases you don't want all the users of a
> system to be able to log onto the repository.  The passwd file is the
> most obvious way to achieve this.

Well, the authentication part is there so that the server knows who the
user is. But whether or not the user can access the repository in what
way is an authorization issue that can be controlled by file permissions
and/or the "readers" and "writers" files in the individual repositories.
It seems dangerous
to me to have non-pserver protocols use the passwd file because it makes
it too easy to allow pserver access when you don't want to (if you don't
have a passwd file, nobody can use pserver).

I believe that traditionally (on unix), :gserver: and :kserver: modes
have never sent the root in the authentication request because they have
never used the passwd file, so they never needed to tell the server what
repository root to use. My understanding is that the original intention
was that only :pserver: would use the passwd file. In fact, I attempted
to make a patch for you that moved check_password,
check_repository_password, etc. out of server.c and put it in
pserver_protocol.dll. The only reason I didn't submit it was because it
required rearranging the contents of a lot of files due to a lot of
cross-file dependencies.

- Brian
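
The authentication/authorization split discussed above, as an added example that is not part of Brian's message or of CVSNT's code: it lists every account a repository's `CVSROOT/passwd` can authenticate and the access level the `readers`/`writers` files then grant it. It assumes the stock CVS file layout and the readers/writers rule from the CVS manual (CVSNT may differ); the function names and sample data are hypothetical.

```python
import tempfile
from pathlib import Path

def listed_users(path):
    """User names in a CVSROOT admin file (first ':' field), or None if the file is absent."""
    if not path.is_file():
        return None
    return {ln.split(":", 1)[0].strip() for ln in path.read_text().splitlines() if ln.strip()}

def access_level(admin_dir, user):
    """Authorization only: the readers/writers rule as documented in the CVS manual."""
    readers = listed_users(admin_dir / "readers")
    writers = listed_users(admin_dir / "writers")
    if readers is not None and user in readers:
        return "read-only"    # readers wins, even if the user is also in writers
    if writers is not None and user not in writers:
        return "read-only"    # an existing writers file acts as an allow-list
    return "read-write"       # no restriction applies

def passwd_account_access(admin_dir):
    """Map each account that CVSROOT/passwd can authenticate to what it is authorized to do."""
    accounts = listed_users(admin_dir / "passwd") or set()
    return {user: access_level(admin_dir, user) for user in sorted(accounts)}

def build_sample(root, with_writers=True):
    """Constructed sample CVSROOT directory; names and password fields are made up."""
    admin = Path(root) / "CVSROOT"
    admin.mkdir(parents=True)
    (admin / "passwd").write_text("alice:HASH1\nbob:HASH2:cvsuser\ncarol:HASH3\n")
    (admin / "readers").write_text("bob\n")
    if with_writers:
        (admin / "writers").write_text("alice\n")
    return admin

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for user, level in passwd_account_access(build_sample(tmp)).items():
            print(f"{user}: {level}")
```

Without a `writers` file, any `passwd` account not named in `readers` comes out as read-write, which is the case worth checking for when a passwd file exists for reasons other than pserver.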
