[cvsnt] Re: Password file in addition to NT Authentication?

Glen Starrett grstarrett at cox.net
Sat Aug 14 23:20:35 BST 2004


Siegfried Heintze wrote:

>  
> 
> I'm using pserver only because that seems to be simplest and I'm trying to
> grant someone else (Marty) access to my repository.

SSPI is actually a little simpler still.  As long as Marty has a valid 
account that will allow access to your machine (on the machine or in a 
trusted domain) then he can use that account to connect in a reasonably 
secure manner.

> 
> Andreas said to "see the docs". Does that mean
> http://www.cvsnt.org/wiki/SetAcl? After studying this document I see I need
> cacls or xcacls. I'm running XP 2003 and Glen only gave the address for the
> NT and XP. After using google I see there is a resource kit for me at
> http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
> but it does not appear to have cacl or xcacl on it!

SetAcl is a method to secure your repository files with NTFS permissions. 
There are several ways to secure your repository, it really depends 
on your goals as to how you go about it.  As long as the files aren't 
directly accessible by the other users, then I think they are all about 
equal as far as security goes.

Here's a quickie outline on methods to control access to a repository 
that might help (but you might want to skip this and read the next section).

SetAcl method:  Secure individual directories and files with NT 
permissions.  Works only on entire directories (since the files are 
re-created every time, with small exception).  Uses NTFS file 
permissions, so NT groups are honored as well as usernames.

lsacl / chacl commands in CVSNT:  Directory based control that can be 
used to control access on an individual branch of a file.  Typically 
used to lock down branches or prevent commits to MAIN.  Defaults to 
everyone with full access for each new branch created.  User based 
(doesn't understand groups).

readers / writers files:  Files in CVSROOT that control overall status 
to the repository.  Controls only at the entire repository level, user 
based.

(others I missed?)

> 
>  
> 
> So now what do I do to grant Marty access? Maybe the cacl from XP will work
> on XP 2003. Has anyone tried it on XP2003? 

The simplest way to grant him access is to:
1)  Make sure that Marty's user account on W2003 allows him control on 
the repository files.

2)  Make the reasonable precaution that no one has easy direct access to 
the ,v files (e.g. do NOT put the repository on a public file share).

3)  Give Marty the CVSROOT ":sspi:YourMachine:/YourRepository" and have 
him checkout the files.

4)  Optionally set up a "writers" file in your CVSROOT that you can use 
to control who can write to your repository, otherwise anyone who can 
authenticate with Windows will be allowed to.

> 
>  
> 
> Andreas said to make sure Marty is in the passwd file. Which documentation
> describes the passwd file? Why does Andreas say to update this? I'm using
> pserver and Marty can check out a new sand box, make changes, and commit
> without an error and I can update and commit since I manually added him to
> have full control over the files in the repository. (I get an error when I
> commit after Marty's commit - however. I assume this will be remedied when I
> get the resource kit and run setacls.)

If you don't want to create a Win2003 account for Marty then you can add 
him to the passwd file with the "cvs passwd" command.  I suggest the 
SSPI setup described above since it's dead simple.

> 
>  
> 
> So this leads me to believe I don't have a password file since I never
> created one. Why would I have a password file if I'm using NT Authentication
> and Authorization?

You don't necessarily need to.  The default setting "Use System 
Authentication" tells CVSNT to try and validate against the Win user 
accts anyway.

-- 
Glen Starrett
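
The "writers" file from step 4 of the reply above, as an added example that is not part of the original message or of CVSNT: a Python check that reports each user's effective access from the readers and writers files in a CVSROOT administrative directory. It assumes the precedence rule documented for CVS readers/writers files also holds for CVSNT, with one username per line matched exactly; the user names and the temporary directory are constructed samples.

```python
import os
import tempfile


def load_users(path):
    """Return the usernames listed in a readers/writers file, or None if the file is absent."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return {line.strip() for line in fh if line.strip()}


def effective_access(admin_dir, user):
    """Apply the CVS readers/writers rule (assumed here to hold for CVSNT as well)."""
    readers = load_users(os.path.join(admin_dir, "readers"))
    writers = load_users(os.path.join(admin_dir, "writers"))
    if readers is not None and user in readers:
        return "read-only"      # listed in readers: never allowed to commit
    if writers is not None and user not in writers:
        return "read-only"      # writers exists and the user is not in it
    return "read-write"         # no restriction applies to this user


def audit(admin_dir, users):
    """Map each user to the access the two files grant."""
    return {u: effective_access(admin_dir, u) for u in users}


def demo():
    """Compare access before and after a writers file is created (constructed data)."""
    users = ["siegfried", "marty", "guest"]
    with tempfile.TemporaryDirectory() as admin_dir:
        before = audit(admin_dir, users)   # no writers file yet
        with open(os.path.join(admin_dir, "writers"), "w", encoding="utf-8") as fh:
            fh.write("siegfried\nmarty\n")
        after = audit(admin_dir, users)    # only listed users may commit
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, result in (("no writers file", before), ("with writers file", after)):
        for user, access in result.items():
            print(f"{label:18} {user:10} {access}")
```

Without a writers file every authenticated account comes out read-write, which is the situation step 4 warns about.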
