Mike Wake wrote:
> Hi All,
>
> Does anyone know if it is possible to reject a cvs login using SSPI for
> some users that are not a member of a particular group? I.e. effectively
> completely hide the existence of a repository that users are not authorised
> to see without resorting to a different protocol and/or maintaining a
> local passwd file?

Not at present, although I've considered it... ACLs handle it to a point but it would be nice to have some way of stopping them logging in.

> With the setup below, users not in the "CVS_Access_Lockdown" group, are
> able to successfully login to the repository but are restricted from
> doing much else. (Although when they try, the physical location of the
> repository is exposed in the error message, even though I use
> Repository0Name in /etc/cvsnt/PServer. Which is probably a bug.)

Which error message? AFAIK this kind of information leak shouldn't happen (there are certain fatal error messages that will give the information for admin purposes, but they're rare).

> I run cvsnt v2.0.58d on a linux server using winbind to allow user
> authentication to be handled by our IT department from a windows PDC. I
> run a series of repositories and require that people are members of the
> "CVS_Access" group on the PDC.
>
> I would like to have a separate repository that is hidden to casual
> users, by requiring the authenticated users to be members of a
> "CVS_Access_Lockdown" group.
>
> Permissions below this will also be set using chacl.
>
> I ensure that the repository in question is locked down with the
> following script.

IIRC 2.0.58d doesn't use .owner and .perms any more. Just a chacl on the root of the module will automatically block any lower level users from using it, as permissions are recursive unless overridden specifically.

You can set the permissions for the whole repository as:

    cvs co -d repos .
    cd repos
    cvs chacl -u CVS_Access_Lockdown -a read,write,control,tag,create
    cvs chacl -a noread,nowrite,nocontrol,notag,nocreate

(I think this works in 58d anyway).

Tony