[cvsnt] Re: How to control the access right within the ViewCVS

Mike Wake mike.wake at thales-tts.com
Wed Mar 2 09:57:06 GMT 2005


On Apache I do something like this.

<Location /cgi-bin/viewcvs.cgi/MyClosedCode/src>
   AuthType Basic
   AuthName "Closed Source - Ask and you may receive"
   AuthUserFile /etc/httpd/passwd/passwords
   Require user mwake
</Location>
<Location /cgi-bin/viewcvs.cgi/*checkout*/MyClosedCode/src>
   AuthType Basic
   AuthName "Closed Source - Ask and you may receive"
   AuthUserFile /etc/httpd/passwd/passwords
   Require user mwake
</Location>
<Location /cgi-bin/viewcvs.cgi/~checkout~/MyClosedCode/src>
   AuthType Basic
   AuthName "Closed Source - Ask and you may receive"
   AuthUserFile /etc/httpd/passwd/passwords
   Require user mwake
</Location>

Note it is only basic authentication to stop casual viewing.  Someone 
could still sniff the network to intercept the actual contents of any 
source that was being viewed by an authenticated person.

I should set up some sort of encryption/SSL for this but haven't worked 
that out yet.  Any hints would be most welcome.

Cheers
Mikew

Bo Berglund wrote:
> On Wed, 2 Mar 2005 10:47:24 +0800, "Pierce Li" <pierce.li at utstar.com>
> wrote:
> 
> 
>>Dear all,
>>
>>I have installed ViewCVS following the guidance of
>>http://web.telia.com/~u86216121/ViewCvsSetup.html and it seems to work
>>well. Then I found a critical issue: every user can browse and download
>>any file through the whole database by it. It's absolutely not allowed
>>by our policy. Could I have any means to limit the CvsView only give
>>information according to viewer's permission? We are deploying :sspi
>>protocol.
> 
> 
> The ViewCvs system is *not* using the cvsnt server for its work and it
> also uses no protocol as a consequence of that. Instead it goes
> directly to the repository files and parses them to produce the
> output.
> 
> In order to put security measures in place you probably need to use
> the permission system of IIS. In this case I do not think that Apache
> is up to the task, so if you have Apache running there will be
> problems...
> 
> The default install for ViewCvs is to use the anonymous Internet
> account for the ViewCvs operations (IUSR_<computername>). If you want
> to lock it down I think you must do the following:
> - Use the IIS permission system by disallowing IUSR_ access
> - Then allow specific usergroup access only
> - If you want to fine grain the permissions then you must also use
> NTFS file system permissions on your repository folders/files
> 
> It all boils down to having the IIS server authenticate the user and
> then use this user's credentials when running the ViewCvs scripts.
> 
> I am not by a long shot an IIS guru so the steps above are merely
> starting points from which you should investigate the IIS
> possibilities.
> You may also join the ViewCvs mail list and ask there. They are mostly
> Linux people though....
> http://viewcvs.sourceforge.net/
> http://sourceforge.net/projects/viewcvs/
> Mail list subscription:
> http://mailman.lyra.org/mailman/listinfo/viewcvs
> 
> HTH
> 
> /Bo
> (Bo Berglund, developer in Sweden)
> _______________________________________________
> cvsnt mailing list
> cvsnt at cvsnt.org
> http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
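
Added example (not part of the original post or of ViewCVS): the three Location blocks from the message folded into one LocationMatch that also refuses non-TLS requests, so the Basic credentials and the source text are not sent in the clear. It assumes mod_ssl is loaded, an HTTPS virtual host already serves this site, and the plain, *checkout* and ~checkout~ paths shown in the post are the only URL forms that reach the module; the path, realm, password file and user are the post's own.

```apache
# Added example, not the poster's configuration.
# Assumption: mod_ssl is loaded and an HTTPS <VirtualHost> serves this site.
# The optional group matches the three URL forms listed in the post:
#   /cgi-bin/viewcvs.cgi/MyClosedCode/src
#   /cgi-bin/viewcvs.cgi/*checkout*/MyClosedCode/src
#   /cgi-bin/viewcvs.cgi/~checkout~/MyClosedCode/src
# (/|$) keeps the prefix behaviour of <Location>: "src" and "src/..." match,
# a sibling such as "src-old" does not.
<LocationMatch "^/cgi-bin/viewcvs\.cgi/(\*checkout\*/|~checkout~/)?MyClosedCode/src(/|$)">
   # Answer 403 to any request that did not arrive over SSL/TLS, before
   # the client is ever asked for a password on a cleartext connection.
   SSLRequireSSL

   AuthType Basic
   AuthName "Closed Source - Ask and you may receive"
   AuthUserFile /etc/httpd/passwd/passwords
   Require user mwake
</LocationMatch>
```

Placed in the main server configuration, the block applies to both the HTTP and HTTPS virtual hosts: the protected paths return 403 over plain HTTP and prompt for the password only over HTTPS.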


