[cvsnt] Re: How to restrict access to the admin command?

Gerhard Fiedler lists at connectionbrazil.com
Mon May 31 16:53:06 BST 2004


>> I'm running a cvsnt server on a Win2k machine, using the sspi protocol, and
>> would like to restrict access to the admin command.
>> 
>> I have tried to create admin and passwd files, I have tried to set
>> SystemAuth to yes and to no, but it seems normal users that are not part of
>> the Administrators group on the server still have access to the admin
>> command.

Ok, after further investigation I found out that the cvs admin command is
not treated as one command in terms of permissions.

Most options (like -o, delete revisions) are restricted to admins, while
the -k option (change file options) is not restricted. Unluckily this
option has been my test admin command... :-\

To summarize: If I read the source correctly, an entry in the admin file
always gives a user admin permissions. (This seems to require an entry in
the passwd file, too, independently of the protocol used.) If there is no
entry and SystemAuth is set, it checks whether the user is in the
Administrators group (on Windows, on Unix that's a compile-time
configurable group, usually cvsadmin).


Is there anywhere some documentation about all this? I can't remember
having read anything that mentioned the -k exception. It seems I need to
use the source more than I used to, to find out how things are supposed to
work... :)

Thanks,
Gerhard



More information about the cvsnt mailing list