Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Here is a good guide for setting up ssh access to a Linux cvs server, with local users, which allows you to restrict shell access: http://ioctl.org/unix/cvs/server, and permit access to different projects/modules based on permission groups. I have successfully set this up, but am switching to sspi, to avoid the maintenance headache, and since all my users will access the server from inside our network, and are on a Windows domain with Active Directory. I am struggling with configuring this, and would also like some *detailed* help if anyone can help.

Mark

-----Original Message-----
From: cvsnt-bounces at cvsnt.org [mailto:cvsnt-bounces at cvsnt.org] On Behalf Of Glen Starrett
Sent: Tuesday, January 25, 2005 11:29 AM
To: cvsnt at cvsnt.org
Subject: [cvsnt] Re: Linux setup problems

I don't have all the answers, but I'll offer what I can...

Thomas Keller wrote:
> Hello there!
>
> I'm currently trying to move over our old cvs repo to cvsnt. I installed the RH9 2.0.58d rpm from cvsnt.org and am now puzzled with some problems:
>
> First thing: The only connection method which is allowed should be :ext:, so I disabled the pserver in xinetd. Is there any way to enable/disable other compiled-in methods explicitly through some config file? What other connection method could be used e.g. for Windows users, is :sspi: possible on Linux?

"pserver" is the name of the server component for CVSNT. Like CVSROOT, it has multiple meanings. You want to remove the unwanted *_protocol files from /usr/local/lib/cvsnt/ to disable a particular protocol (there might be a config option when building manually, not sure, but this works).

SSPI is only client side on Linux. You can use PAM with winbind (sorry, never tried it myself so I don't have any details) to authenticate against a Win DC.

> Secondly, I created two user groups: cvsadmins and cvsusers. In my thoughts all normal modules should be owned by cvsusers, cvsadmins would only own the CVSROOT dir (history, val-tags and EmptyDir would be owned by cvsusers, too, since they need to be writable). Then I set the permissions for each file/directory that way that single users as well as group users had read/write access to the specific file/dir via chmod 775/664. I did some test commits under various logins and noticed that the dir and file permissions I set are ignored by cvs. Each file which is committed gets 444 permissions, obviously I already "hacked" an alias in /etc/profile
>
> alias cvs="umask 002;cvs"
>
> which should make cvs create new files with group-read-write permissions. Now, it's not too bad that commits from other users do not fail even if the file is not group-writable, but it's a problem for the CVSROOT directory where really *only* admins should be able to commit changes.

I did a different approach with my repository, but I am *not* a Linux security expert and this is a hobby server -- but hopefully it can help.

All users (admin and regular) are in CVSUsers group. Group sticky tag is set on all repository directories to keep permissions straight (I don't know what the umask is set to, but it works). Then I set up an admins file. I also apply CVS ACL with chacl command to prevent non-admins from committing to the CVSROOT.

I use SSH with mine (aka EXT by typical use) and each user has a login acct on my Linux box. The caveat to this approach is that the users then have (via SSH) physical access to the directory structure, and I don't know enough to work around that -- I assume there is a way but I can afford to be selective about who I let onto my box.

> I know that there are access control ways via passwd and group, but since the users connect via ssh which needs a valid Linux user account I thought of minimizing the administrative overhead (I have to move about 15 repositories, each contains commit and loginfo scripts) and not add users into cvs via `cvs passwd`.
>
> I don't even know if the built-in access control thing (via readers, writers, admin and group file) works at all when not using :pserver: - you can correct me on this point.

Those files all work the same regardless of the protocol used AFAIK.

> What is a good way to go? I just need *detailed* help...
>
> Thank you guys in advance.

--
Glen Starrett

_______________________________________________
cvsnt mailing list
cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
cvsnt downloads at march-hare.com https://www.march-hare.com/cvspro/en.asp#downcvs
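The group layout Thomas describes (modules group-owned by cvsusers, CVSROOT owned by cvsadmins) and the setgid-directory trick Glen relies on can be set up and verified with the script below. It is an added example, not code from the thread; the repository path and the group names are assumptions, and they default to the caller's own primary group so the script can be run unprivileged as a dry run.

```shell
#!/bin/sh
# Added example: lay out a CVS repository so ordinary modules are
# group-writable by one group while CVSROOT is writable only by an
# admin group. The setgid bit on directories makes new files inherit
# the directory's group regardless of the committer's primary group;
# umask 002 is what the alias in the thread supplies on the cvs side.
set -e

REPO=${1:-./cvsrepo}          # assumed repository path
USERS_GROUP=${2:-$(id -gn)}   # would be "cvsusers" on a real server
ADMIN_GROUP=${3:-$(id -gn)}   # would be "cvsadmins" on a real server

setup_repo() {
    root=$1
    mkdir -p "$root/CVSROOT" "$root/project1"
    # Ordinary modules: group cvsusers, setgid + group-writable (2775).
    chgrp "$USERS_GROUP" "$root" "$root/project1"
    chmod 2775 "$root" "$root/project1"
    # CVSROOT: group cvsadmins, so only admins can write admin files.
    chgrp "$ADMIN_GROUP" "$root/CVSROOT"
    chmod 2775 "$root/CVSROOT"
    # history and val-tags live in CVSROOT but every user must be able
    # to write them, so they get the users group and mode 664.
    for f in history val-tags; do
        : > "$root/CVSROOT/$f"
        chgrp "$USERS_GROUP" "$root/CVSROOT/$f"
        chmod 664 "$root/CVSROOT/$f"
    done
}

# Returns 0 when a file created in $1 under umask 002 inherits the
# directory's group and ends up mode 664 (the setgid bit is working).
check_inherit() {
    dir=$1
    f="$dir/.probe.$$"
    ( umask 002; : > "$f" )
    dgrp=$(stat -c %g "$dir")
    fgrp=$(stat -c %g "$f")
    mode=$(stat -c %a "$f")
    rm -f "$f"
    [ "$dgrp" = "$fgrp" ] && [ "$mode" = 664 ]
}

setup_repo "$REPO"
check_inherit "$REPO/project1" && echo "group inheritance OK in $REPO/project1"
```

On a real server run it as root with the actual group names; `stat -c` assumes GNU coreutils.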