[cvsnt] Re: Password file in addition to NT Authentication?
Glen Starrett
grstarrett at cox.net
Sat Aug 14 23:20:35 BST 2004
Siegfried Heintze wrote:
>
>
> I'm using pserver only because that seems to be simplest and I'm trying to
> grant someone else (Marty) access to my repository.
SSPI is actually a little simpler still. As long as Marty has a valid
account that will allow access to your machine (on the machine or in a
trusted domain) then he can use that account to connect in a reasonably
secure manner.
>
> Andreas said to "see the docs". Does that mean
> http://www.cvsnt.org/wiki/SetAcl? After studying this document I see I need
> cacls or xcacls. I'm running XP 2003 and Glen only gave the address for the
> NT and XP. After using google I see there is a resource kit for me at
> http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
> but it does not appear to have cacl or xcacl on it!
SetAcl is a method to secure your repository files with NTFS permissions.
There are several ways to secure your repository; it really depends
on your goals as to how you go about it. As long as the files aren't
directly accessible by the other users, then I think they are all about
equal as far as security goes.
Here's a quickie outline on methods to control access to a repository
that might help (but you might want to skip this and read the next section).

SetAcl method: Secure individual directories and files with NT
permissions. Works only on entire directories (since the files are
re-created every time, with small exception). Uses NTFS file
permissions, so NT groups are honored as well as usernames.

lsacl / chacl commands in CVSNT: Directory based control that can be
used to control access on an individual branch of a file. Typically
used to lock down branches or prevent commits to MAIN. Defaults to
everyone with full access for each new branch created. User based
(doesn't understand groups).

readers / writers files: Files in CVSROOT that control overall status
to the repository. Controls only at the entire repository level, user
based.

(others I missed?)
>
>
>
> So now what do I do to grant Marty access? Maybe the cacl from XP will work
> on XP 2003. Has anyone tried it on XP2003?
The simplest way to grant him access is to:
1) Make sure that Marty's user account on W2003 allows him control on
the repository files.
2) Make the reasonable precaution that no one has easy direct access to
the ,v files (e.g. do NOT put the repository on a public file share).
3) Give Marty the CVSROOT ":sspi:YourMachine:/YourRepository" and have
him checkout the files.
4) Optionally set up a "writers" file in your CVSROOT that you can use
to control who can write to your repository; otherwise anyone who can
authenticate with Windows will be allowed to.
>
>
>
> Andreas said to make sure Marty is in the passwd file. Which documentation
> describes the passwd file? Why does Andreas say to update this? I'm using
> pserver and Marty can check out a new sandbox, make changes, and commit
> without an error and I can update and commit since I manually added him to
> have full control over the files in the repository. (I get an error when I
> commit after Marty's commit - however. I assume this will be remedied when I
> get the resource kit and run setacls.)
If you don't want to create a Win2003 account for Marty then you can add
him to the passwd file with the "cvs passwd" command. I suggest the
SSPI setup described above since it's dead simple.
>
>
>
> So this leads me to believe I don't have a password file since I never
> created one. Why would I have a password file if I'm using NT Authentication
> and Authorization?
You don't necessarily need to. The default setting "Use System
Authentication" tells CVSNT to try and validate against the Win user
accts anyway.
--
Glen Starrett