[cvsnt] Intermittent group membership / security error
kmknox at aep.com
Mon Jun 2 13:28:03 BST 2008
Thank you, Bo. You are exactly correct.
Nsswitch.conf appears to be good on our system, but the problem has gone
into hibernation since Thursday (until this Tuesday afternoon?) I
reasonably expect it's going to occur again, and don't know where to start
in troubleshooting the CVSROOT\group file not being read when it starts
On Fri, 30 May 2008 14:44:40 +0100, Tony Hoyle
<tony.hoyle at march-hare.com> wrote:
>kmknox at aep.com wrote:
>> We have found a discrepancy between traces run during the problem and
>> traces run after the problem resolves itself. When the problem is
>> affecting us, the "add_valid_group" step ONLY finds the Linux Operating
>> System group, "cafdev." When the problem is not affecting us, the
>> "add_valid_group" step finds the OS group cafdev AND 3 groups
>> in the CVSROOT\group file.
>> For some reason, between Tuesday afternoon and Thursday morning, our
>> implementation suddenly is not reading in the groups from the group
>> We've changed nothing in the way the group file is stored, updated or
>> read. We've not upgraded or downgraded the OS or hardware. We've not
>> changed antivirus settings. Nothing is regularly querying the server.
>> Somehow, CVSNT quits reading the group file.
>> Any ideas?
>Sounds like your nsswitch configuration is screwed somehow - we don't
>read the group file directly, rather call getgroups() which returns the
>list of groups. The OS gets this information from nsswitch.conf (and
>via PAM I think also).
>As we rely on the OS to return the list of groups there are lots of
>things that could go wrong, but they're not directly CVSNT related...
>any fault with that will affect the entire OS, e.g. file ownership reading
>incorrectly, inability to sudo, etc.
Do you mean that the OS is linking in to the group file in CVSROOT??
Sounds very strange to me. What if you have say 50 repositories and
therefore 50 CVSROOT/group files, how can the operating system know
which are valid and which are not for a particular cvs call?? And how
do you tell it to include the group file from CVSROOT into its scope
What the OP is saying is that CVSNT is suddenly not reading
*CVSROOT/group* and therefore not getting the internal CVS defined
user groups and therefore not correctly giving access to certain
(Bo Berglund, developer in Sweden)
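The quoted reply above says the group list comes from the OS through getgroups() and nsswitch.conf. As an added example (not part of the original thread and not CVSNT code), the C program below prints the groups the OS resolver reports for a user through getgrouplist(), so the output taken during the problem can be compared with the output taken after it clears. The helper names os_groups_for and has_gid are made up for this example.

```c
/* Added diagnostic, not CVSNT code: list the groups NSS reports for a user. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes getgrouplist() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Store the OS group list for `user` in *out (caller frees).
 * Returns the number of groups, or -1 on failure. */
int os_groups_for(const char *user, gid_t primary, gid_t **out)
{
    int n = 16;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (!list) return -1;
    if (getgrouplist(user, primary, list, &n) == -1) {
        /* Buffer too small: n now holds the required count, retry once. */
        gid_t *bigger = realloc(list, (size_t)n * sizeof *list);
        if (!bigger) { free(list); return -1; }
        list = bigger;
        if (getgrouplist(user, primary, list, &n) == -1) { free(list); return -1; }
    }
    *out = list;
    return n;
}

/* Return 1 if gid appears in the list, else 0. */
int has_gid(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

int main(int argc, char **argv)
{
    /* User name from argv[1], otherwise the calling user. */
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : getpwuid(getuid());
    if (!pw) { fprintf(stderr, "no passwd entry via NSS\n"); return 2; }
    gid_t *list = NULL;
    int n = os_groups_for(pw->pw_name, pw->pw_gid, &list);
    if (n < 0) { fprintf(stderr, "group lookup failed\n"); return 1; }
    for (int i = 0; i < n; i++) {
        struct group *gr = getgrgid(list[i]);   /* NULL if the gid has no name */
        printf("%lu\t%s\n", (unsigned long)list[i], gr ? gr->gr_name : "(unresolved)");
    }
    free(list);
    return 0;
}
```

Groups that exist only in a repository's own files will not appear in this output, since it covers only what the OS databases return.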