[cvsnt] Intermittent group membership / security error

kmknox at aep.com kmknox at aep.com
Mon Jun 2 13:28:03 BST 2008




Thank you, Bo. You are exactly correct. 

Nsswitch.conf appears to be good on our system, but the problem has gone 
into hibernation since Thursday (until this Tuesday afternoon?). I 
reasonably expect it's going to occur again, and don't know where to start 
in troubleshooting the CVSROOT\group file not being read when it starts 
again.

Kevin






On Fri, 30 May 2008 14:44:40 +0100, Tony Hoyle
<tony.hoyle at march-hare.com> wrote:

>kmknox at aep.com wrote:
>
>> We have found a discrepancy between traces run during the problem and
>> traces run after the problem resolves itself. When the problem is
>> affecting us, the "add_valid_group" step ONLY finds the Linux Operating
>> System group, "cafdev." When the problem is not affecting us, the
>> "add_valid_group" step finds the OS group cafdev AND 3 groups identified
>> in the CVSROOT\group file.
>>
>> For some reason, between Tuesday afternoon and Thursday morning, our CVSNT
>> implementation suddenly is not reading in the groups from the group file!
>>
>> We've changed nothing in the way the group file is stored, updated or
>> read. We've not upgraded or downgraded the OS or hardware. We've not
>> changed antivirus settings. Nothing is regularly querying the server. And
>> somehow, CVSNT quits reading the group file.
>>
>> Any ideas?
>>
>Sounds like your nsswitch configuration is screwed somehow - we don't 
>read the group file directly, rather call getgroups() which returns the 
>list of groups.  The OS gets this information from nsswitch.conf (and 
>via PAM I think also).
>
>As we rely on the OS to return the list of groups there are lots of 
>things that could go wrong, but they're not directly CVSNT related... 
>any fault with that will affect the entire OS eg. file ownership reading 
>incorrectly, inability to sudo, etc.
>

Do you mean that the OS is linking in to the group file in CVSROOT??
Sounds very strange to me. What if you have say 50 repositories and
therefore 50 CVSROOT/group files, how can the operating system know
which are valid and which are not for a particular cvs call?? And how
do you tell it to include the group file from CVSROOT into its scope
of groups?

What the OP is saying is that CVSNT is suddenly not reading
*CVSROOT/group* and therefore not getting the internal CVS defined
user groups and therefore not correctly giving access to certain
users.

HTH

/Bo
(Bo Berglund, developer in Sweden)
_______________________________________________
cvsnt mailing list
cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
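
The lookup Tony Hoyle's reply describes, getgroups() answered by the OS through nsswitch.conf, can be recorded from outside CVSNT. The following is an added example, not part of the thread and not CVSNT code: it lists the sources configured for the group database and the groups the OS reports for the current process. The nsswitch.conf sample and the function names are constructed for illustration.

```python
import grp
import os
import re

# Constructed sample of /etc/nsswitch.conf content (not taken from the thread).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:  files ldap
group:   files [NOTFOUND=continue] ldap   # a remote source can fail intermittently
hosts:   files dns
"""


def group_sources(nsswitch_text):
    """Return the ordered lookup sources configured for the 'group' database."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("group:"):
            continue
        # Remove bracketed [STATUS=action] items, keep only the source names.
        spec = re.sub(r"\[[^\]]*\]", " ", line[len("group:"):])
        return spec.split()
    return []  # no group line present in this text


def resolved_groups():
    """Return (gid, name) for each group the OS reports for this process.

    name is None when the gid cannot be mapped back to a group entry, which
    can indicate a lookup source that is not answering.
    """
    gids = sorted(set(os.getgroups()) | {os.getegid()})
    result = []
    for gid in gids:
        try:
            result.append((gid, grp.getgrgid(gid).gr_name))
        except KeyError:
            result.append((gid, None))
    return result


if __name__ == "__main__":
    print("group sources:", group_sources(SAMPLE_NSSWITCH))
    for gid, name in resolved_groups():
        print(gid, name if name is not None else "<unresolved>")
```

Run in a fresh session as the account the server runs under and saved with a timestamp, the output from a good period can be compared with the output from a bad one.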
