[cvsnt] Intermittent group membership / security error

Bo Berglund bo.berglund at telia.com
Sat May 31 07:27:26 BST 2008


On Fri, 30 May 2008 14:44:40 +0100, Tony Hoyle
<tony.hoyle at march-hare.com> wrote:

>kmknox at aep.com wrote:
>
>> We have found a discrepancy between traces run during the problem and 
>> traces run after the problem resolves itself. When the problem is 
>> affecting us, the "add_valid_group" step ONLY finds the Linux Operating 
>> System group, "cafdev." When the problem is not affecting us, the 
>> "add_valid_group" step finds the OS group cafdev AND 3 groups identified 
>> in the CVSROOT\group file. 
>> 
>> For some reason, between Tuesday afternoon and Thursday morning, our CVSNT 
>> implementation suddenly is not reading in the groups from the group file! 
>> 
>> We've changed nothing in the way the group file is stored, updated or 
>> read. We've not upgraded or downgraded the OS or hardware. We've not 
>> changed antivirus settings. Nothing is regularly querying the server. And 
>> somehow, CVSNT quits reading the group file. 
>> 
>> Any ideas?
>>
>Sounds like your nsswitch configuration is screwed somehow - we don't 
>read the group file directly, rather call getgroups() which returns the 
>list of groups.  The OS gets this information from nsswitch.conf (and 
>via PAM I think also).
>
>As we rely on the OS to return the list of groups there are lots of 
>things that could go wrong, but they're not directly CVSNT related... 
>any fault with that will affect the entire OS, e.g. file ownership reading 
>incorrectly, inability to sudo, etc.
>

Do you mean that the OS is linking in to the group file in CVSROOT??
Sounds very strange to me. What if you have say 50 repositories and
therefore 50 CVSROOT/group files, how can the operating system know
which are valid and which are not for a particular cvs call?? And how
do you tell it to include the group file from CVSROOT into its scope
of groups?

What the OP is saying is that CVSNT is suddenly not reading
*CVSROOT/group* and therefore not getting the internal CVS defined
user groups and therefore not correctly giving access to certain
users.

HTH

/Bo
(Bo Berglund, developer in Sweden)
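
A diagnostic for the question debated in this thread, as an added example that is not part of the original messages and not CVSNT code: it lists a user's groups as resolved by the OS and as listed in a CVSROOT/group file, separately, so a run during the fault shows which source went missing. The `group: user1 user2` file format, the user `alice` and every group name except cafdev are assumptions.

```python
import grp
import os
import pwd
import sys

# Constructed sample; assumed line format is 'group: user1 user2 ...'.
SAMPLE_GROUP_FILE = "relmgrs: alice bob\ndevelopers: alice\nqa: carol alice\nadmins: bob\n"


def parse_cvsroot_group(text):
    """Map group name -> set of users from group-file text."""
    groups = {}
    for line in text.splitlines():
        name, sep, users = line.partition(":")
        if not sep or not name.strip():
            continue  # blank or malformed line
        groups.setdefault(name.strip(), set()).update(users.split())
    return groups


def os_groups(user):
    """Groups the OS resolves for `user` through NSS (nsswitch.conf)."""
    gids = os.getgrouplist(user, pwd.getpwnam(user).pw_gid)
    names = set()
    for gid in gids:
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add(str(gid))  # gid with no name: itself a sign of NSS trouble
    return names


def compare_sources(user, from_os, group_file_text):
    """Report each source separately so a missing one is obvious."""
    from_file = {g for g, members in parse_cvsroot_group(group_file_text).items()
                 if user in members}
    return {
        "os": sorted(from_os),
        "cvsroot_group": sorted(from_file),
        "only_in_file": sorted(from_file - set(from_os)),
    }


if __name__ == "__main__":
    # Usage: script.py USER /path/to/CVSROOT/group
    user, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        print(compare_sources(user, os_groups(user), fh.read()))
```

Run it as the account the CVS server process uses, once while the problem is present and once after it clears, and compare the two reports with the server trace.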

