[cvsnt] Is it possible to reject SSPI login for non-group members ?

Mike Wake mike.wake at thales-tts.com
Wed Jan 12 17:26:23 GMT 2005


Hi All,

Does anyone know if it is possible to reject a cvs login using SSPI for 
some users that are not a member of a particular group?  I.e. effectively 
completely hide the existence of a repository that users are not authorised 
to see without resorting to a different protocol and/or maintaining a 
local passwd file?

With the setup below, users not in the "CVS_Access_Lockdown" group are 
able to successfully log in to the repository but are restricted from 
doing much else.  (Although when they try, the physical location of the 
repository is exposed in the error message, even though I use 
Repository0Name in /etc/cvsnt/PServer. Which is probably a bug.)

Some more detail.

I run cvsnt v2.0.58d on a linux server using winbind to allow user 
authentication to be handled by our IT department from a windows PDC.  I 
run a series of repositories and require that people are members of the 
"CVS_Access" group on the PDC.

I would like to have a separate repository that is hidden to casual 
users, by requiring the authenticated users to be members of a 
"CVS_Access_Lockdown" group.

Permissions below this will also be set using chacl.

I ensure that the repository in question is locked down with the 
following script.

#!/bin/bash
# Usage: pass the repository root as the first argument.

echo " Repository Permissions Tool "
echo "-----------------------------"

if [ -d "$1/CVSROOT" ] ; then
    echo "Fixing up permissions on $1"
    echo "mwake" > "$1/CVSROOT/.owner"

    # Owned by the cvs user; group access for the lockdown group only.
    chown -R cvsuser "$1"
    chgrp -R "OurITDomain+CVS_Access_Lockdown" "$1"
    chmod 770 "$1"

    # setgid on every directory so new entries keep the group.
    find "$1" -type d -print | while IFS= read -r dir
    do
       echo "Fixing \"$dir\""
       chmod 2770 "$dir"
    done

    # Access control files: owner and group read/write, nothing for others.
    find "$1" -type f \( -name '.perms' -o -name '.owner' \) -print \
    | while IFS= read -r filename
    do
        echo "Fixing \"$filename\""
        chmod 660 "$filename"
    done

    chmod 660 "$1/CVSROOT/history"
    chmod 660 "$1/CVSROOT/val-tags"

fi


Cheers
Mikew
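
An audit of the permission layout that the script in the message above sets up, as an added example that is not part of the original post or of cvsnt; the function name audit_lockdown and its two arguments are assumptions. It inspects filesystem ownership and modes only.

```shell
#!/bin/bash
# Added example: audit_lockdown is an assumed name, not a cvsnt tool.
# Usage: audit_lockdown /path/to/repository "OurITDomain+CVS_Access_Lockdown"
# Returns 0 if the tree matches the layout, 1 on findings, 2 on bad input.
audit_lockdown() {
    local repo group findings
    repo=$1
    group=$2

    if [ ! -d "$repo/CVSROOT" ]; then
        echo "not a repository: $repo" >&2
        return 2
    fi
    # find exits non-zero when the group cannot be resolved; stop rather
    # than report a clean tree on the strength of a failed lookup.
    if ! find "$repo/CVSROOT" -prune -group "$group" >/dev/null 2>&1; then
        echo "unknown group: $group" >&2
        return 2
    fi

    findings=$(
        # Any read, write or search bit for "other" opens the tree to
        # users outside the group.
        find "$repo" \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'world-accessible: %s\n' {} +
        # Everything should carry the lockdown group after chgrp -R.
        find "$repo" ! -group "$group" -exec printf 'wrong group: %s\n' {} +
        # Directories should be exactly 2770 (setgid keeps the group).
        find "$repo" -type d ! -perm 2770 \
            -exec printf 'directory not 2770: %s\n' {} +
        # .perms and .owner should be exactly 660.
        find "$repo" -type f \( -name '.perms' -o -name '.owner' \) \
            ! -perm 660 -exec printf 'control file not 660: %s\n' {} +
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: $repo matches the lockdown layout"
    return 0
}
```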


