[cvsnt] Re: Is it possible to reject SSPI login for non-group members ?

Tony Hoyle tmh at nodomain.org
Thu Jan 13 00:14:18 GMT 2005


Mike Wake wrote:
> Hi All,
> 
> Does anyone know if it is possible to reject a cvs login using SSPI for 
> some users that are not a member of a particular group?  I.e. effectively 
> completely hide the existence of a repository that users are not authorised 
> to see without resorting to a different protocol and/or maintaining a 
> local passwd file?

Not at present, although I've considered it...  ACLs handle it to a 
point but it would be nice to have some way of stopping them logging in.

> With the setup below, users not in the "CVS_Access_Lockdown" group, are 
> able to successfully log in to the repository but are restricted from 
> doing much else.  (Although when they try, the physical location of the 
> repository is exposed in the error message, even though I use 
> Repository0Name in /etc/cvsnt/PServer. Which is probably a bug.)

Which error message?  AFAIK this kind of information leak shouldn't 
happen (there are certain fatal error messages that will give the 
information for admin purposes, but they're rare).

> I run cvsnt v2.0.58d on a linux server using winbind to allow user 
> authentication to be handled by our IT department from a windows PDC.  I 
> run a series of repositories and require that people are members of the 
> "CVS_Access" group on the PDC.
> 
> I would like to have a separate repository that is hidden to casual 
> users, by requiring the authenticated users to be members of a 
> "CVS_Access_Lockdown" group.
> 
> Permissions below this will also be set using chacl.
> 
> I ensure that the repository in question is locked down with the 
> following script.

IIRC 2.0.58d doesn't use .owner and .perms any more.

Just a chacl on the root of the module will automatically block any 
lower level users from using it, as permissions are recursive unless 
overridden specifically.  You can set the permissions for the whole 
repository as:

cvs co -d repos .
cd repos
cvs chacl -u CVS_Access_Lockdown -a read,write,control,tag,create
cvs chacl -a noread,nowrite,nocontrol,notag,nocreate

(I think this works in 58d anyway).

Tony
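The thread asks for a login-time check that refuses users outside a group, and the reply says cvsnt itself does not offer one. The following POSIX shell snippet is an added illustration (not from the original thread, and not a cvsnt feature) of what such a gate would decide: it reads group membership in the /etc/group format that winbind's NSS module also returns for domain groups via `getent group`, and maps a repository to the group it requires. The group database, the repository names, and the helper names `in_group` and `login_allowed` are all constructed for this example.

```shell
#!/bin/sh
# Added example: decide whether a login should be accepted based on group
# membership. Constructed group data in /etc/group format stands in for
# `getent group` so the check runs offline; the group names follow the thread.
GROUP_DB="$(cat <<'EOF'
CVS_Access:x:10001:alice,bob,carol
CVS_Access_Lockdown:x:10002:alice
EOF
)"

# in_group USER GROUP -> exit 0 if USER appears in GROUP's member list,
# 1 if the user is absent or the group does not exist.
in_group() {
    user="$1"; group="$2"
    members=$(printf '%s\n' "$GROUP_DB" | awk -F: -v g="$group" '$1 == g { print $4 }')
    [ -n "$members" ] || return 1
    printf '%s\n' "$members" | tr ',' '\n' | grep -qx -- "$user"
}

# login_allowed USER REPO -> prints "allow" or "deny"; exit 0 for allow.
# The locked-down repository (constructed name "lockdown") requires
# CVS_Access_Lockdown; every other repository requires CVS_Access.
login_allowed() {
    user="$1"; repo="$2"
    case "$repo" in
        lockdown) required=CVS_Access_Lockdown ;;
        *)        required=CVS_Access ;;
    esac
    if in_group "$user" "$required"; then
        echo allow; return 0
    else
        echo deny; return 1
    fi
}
```

Because a non-member is denied before any repository path is touched, the decision itself discloses nothing about where the repository lives, which is the leak the original question is concerned about.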