[Cvsnt] cvsnt pserver ntfs permissions - please help

Bo Berglund bo.berglund at telia.com
Tue Jul 16 22:28:03 BST 2002


Hi,
pserver definitely needs the passwd file since the protocol starts out authenticating users against that file and only after successful verification here goes on to either use that login or the alias in the passwd file as the account to perform the actual cvs tasks with.

If you use :ntserver: as the connection protocol (as I do in two separate installations), then you need the passwd file as well because it tells cvs which users are accepted to work with the cvs repository. In this case it is enough to have a list of login names without the password part (create using cvs passwd -a <username> and enter nothing as the password), because ntserver will authenticate using the login from the workstation over the named pipe that is set up for the connection.
The use of the passwd file was introduced when CVSNT went from 1.10.8 to 1.11.1.x, in 1.10.8 the passwd file was not used for ntserver.

Recently there was another protocol added called sspi, which uses strong encryption over TCP/IP (I think on a single port) and uses the workstation login as well.
I have not experimented a lot using this protocol, but what I have seen looks good.
It also needs the passwd file.

If you are setting up things now I recommend that you check out sspi since it seems like that will be what is most convenient over the Internet.

What all this boils down to is that you need to manage the CVS user access separately from the NT user database. Not all valid domain accounts are given CVS access and this is controlled with the passwd file. But when you continue with granular access control using NTFS you need to also manage the NT user groups additionally to the passwd file.

/Bo


----- Original Message -----
From: "Brennan, Dennis" <DBrennan at seic.com>
To: "'Bo Berglund'" <bo.berglund at telia.com>
Sent: Tuesday, July 16, 2002 9:41 PM
Subject: RE: [Cvsnt] cvsnt pserver ntfs permissions - please help


> Thanks Bo.  I'll give your instructions a try.
>
> One question - do we need the passwd file if we only want to pserver with
> impersonation?  Our client wants to be able to use NT security so they don't
> have to maintain additional sets of uids/psswds.
>
> I thought if the passwd didn't exist and you modify the config file to
> SystemAuth=yes, then nt domain authentication was the default.  With this
> set up, it looks like the System user is actually making the changes and
> then changing the owner of the files to the user that made the request.
>
> Any thoughts?
>
> -Dennis
>
> -----Original Message-----
> From: Bo Berglund [mailto:bo.berglund at telia.com]
> Sent: Tuesday, July 16, 2002 2:56 PM
> To: Brennan, Dennis
> Cc: 'CVS-NT List'
> Subject: Re: [Cvsnt] cvsnt pserver ntfs permissions - please help
>
>
> First of all:
> I had not yet tested the setup you describe, namely having a module
> directory on the server set to readonly for a certain user group and then
> trying to import stuff into that module.
>
> But now I have done this on my test server at my summer house:
>
> 1. I have created a few usergroups for this test:
> - CVSReaders (readonly access everywhere)
> - CVSUsers (normal access everywhere except to CVSROOT which is readonly)
> - CVSAdmins (full control to all CVS directories)
>
> 2. I have added myself to CVSAdmins (obviously) and added one of the users
> of this machine to CVSReaders.
>
> 3. I have set the repository security as follows:
> c:\cvsrepo = remove security inheritance, then add the following groups
> (my PC is named antares):
> antares\CVSAdmins (full control)
> antares\CVSUsers (full control)
> antares\CVSReaders (read only)
> SYSTEM (full control) - this is really important!
> Remove Everyone from the list! Also very important!
>
> 4. I have created a new directory c:\cvslocks with full access for everybody
>
> 5. As myself I have checked out CVSROOT of the repository and then entered
> this modification to config:
> LockDir=c:/cvslocks
> Then I have committed this important change, it is needed if you are to get
> granular access using NTFS.
>
> 6. On a command prompt in an empty directory I have entered this:
> set cvsroot=:ntserver:antares:/test
> cvs passwd -a brittis
> <typed her password twice>
> This adds the user brittis to the passwd file which is used for pserver and
> some other protocols as well.
>
> 7. Then in WinCvs I have checked out a test module ModuleA from the server
> using pserver with the user account 'brittis'
> This worked fine and the locks are placed in c:\cvslocks
>
> 8. Now I have created a directory with one text file in a temp location
>
> 9. Then I have navigated to ModuleA in WinCvs and activated Create/Import to
> start the import process.
> I have specified the import to become ModuleA\Imported
>
> When I click OK WinCvs tries to do the import but fails with these errors:
>
> cvs -z3 import -I ! -I CVS -m "Testar att importera till en readonly module" ModuleA/Imported Start brittis (in directory C:\test\Imported)
>
> cvs server: cannot make path to C:/cvsrepo/test/ModuleA/Imported: Permission denied
>
> N ModuleA/Imported/Newreadme.txt
>
> cvs server: ERROR: cannot write file C:/cvsrepo/test/ModuleA/Imported/Newreadme.txt,v: No such file or directory
>
> No conflicts created by this import
>
> *****CVS exited normally with code 1*****
>
> As you can see there are two cases of failure, one to create the new module
> dir and the other to write the file.
>
> So it all works OK as far as I can see...
>
> /Bo
>
> ----- Original Message -----
> From: "Brennan, Dennis" <DBrennan at seic.com>
> To: <bo.berglund at telia.com>
> Sent: Tuesday, July 16, 2002 7:38 PM
> Subject: cvsnt pserver ntfs permissions - please help
>
>
> > Bo,
> >
> > I've seen a lot of material on the web regarding cvsnt and creating fine
> > grain security access with ntfs permissions.  I'm trying to set up module
> > level read only access using standard windows 2000 security, but with no
> > luck.  Most of the things I've read indicate it should work.
> >
> > Specifically I deny write access to a module for a given group but I am
> > still able to import a new module connecting as a user in that group.  I'm
> > using pserver with impersonation turned on (build 57f) - and yes I did make
> > sure the local system account has the 'Create a token object' privilege:)
> >
> > Any help you could provide would be greatly appreciated.  Thanks.
> >
> > -Dennis
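
Steps 1, 3 and 4 of the quoted procedure (groups, repository ACL, lock directory), as an added PowerShell example that is not part of the original thread. It assumes the built-in `icacls` tool and the LocalAccounts cmdlets of a current Windows, which the 2002 messages did not use, and keeps the thread's paths, machine name and group names.

```powershell
# Added example, not from the thread. Paths, machine name and groups follow the
# quoted steps; run from an elevated prompt on the CVSNT server.
$repo   = 'C:\cvsrepo'
$locks  = 'C:\cvslocks'
$pc     = 'antares'
$groups = @{ CVSAdmins = 'F'; CVSUsers = 'F'; CVSReaders = 'R' }   # step 3 rights

# Step 1: create the local groups that do not exist yet.
foreach ($g in $groups.Keys) {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $g | Out-Null
    }
}

# Step 3: grant first, then drop inheritance, so access is never lost midway.
# Well-known SIDs avoid localized names: S-1-5-18 = SYSTEM, S-1-1-0 = Everyone.
foreach ($g in $groups.Keys) {
    icacls $repo /grant:r "${pc}\${g}:(OI)(CI)$($groups[$g])" | Out-Null
}
icacls $repo /grant:r '*S-1-5-18:(OI)(CI)F' | Out-Null
icacls $repo /inheritance:r | Out-Null
icacls $repo /remove '*S-1-1-0' | Out-Null

# Step 4: lock directory, full access for everybody as in the thread.
New-Item -ItemType Directory -Path $locks -Force | Out-Null
icacls $locks /grant '*S-1-1-0:(OI)(CI)F' | Out-Null

# Check: list every ACE on the repository root whose SID is not expected.
function Get-UnexpectedAce {
    param([string]$Path, [string[]]$AllowedSids)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $AllowedSids -notcontains $_.IdentityReference.Value }
}

$allowed = @('S-1-5-18') + ($groups.Keys | ForEach-Object {
    ([System.Security.Principal.NTAccount]"$pc\$_").Translate(
        [System.Security.Principal.SecurityIdentifier]).Value })

$extra = Get-UnexpectedAce -Path $repo -AllowedSids $allowed
if ($extra) {
    Write-Warning "Unexpected ACEs on ${repo}:"
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited
}
if (-not (Get-Acl -Path $repo).AreAccessRulesProtected) {
    Write-Warning "$repo still inherits ACEs from its parent"
}
```

The check covers only the repository root; a module directory that carries its own explicit ACEs needs the same `Get-UnexpectedAce` call.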
