[cvsnt] Is it possible to reject SSPI login for non-group members ?
Mike Wake
mike.wake at thales-tts.com
Wed Jan 12 17:26:23 GMT 2005
Hi All,

Does anyone know if it is possible to reject a cvs login using SSPI for
some users that are not a member of a particular group? i.e. effectively
completely hide the existence of a repository that users are not authorised
to see without resorting to a different protocol and/or maintaining a
local passwd file?

With the setup below, users not in the "CVS_Access_Lockdown" group are
able to successfully login to the repository but are restricted from
doing much else. (Although when they try, the physical location of the
repository is exposed in the error message, even though I use
Repository0Name in /etc/cvsnt/PServer. Which is probably a bug.)

Some more detail.

I run cvsnt v2.0.58d on a Linux server using winbind to allow user
authentication to be handled by our IT department from a Windows PDC. I
run a series of repositories and require that people are members of the
"CVS_Access" group on the PDC.

I would like to have a separate repository that is hidden to casual
users, by requiring the authenticated users to be members of a
"CVS_Access_Lockdown" group.

Permissions below this will also be set using chacl.

I ensure that the repository in question is locked down with the
following script.

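#!/bin/bash
# Restrict a repository to the CVS_Access_Lockdown group.
# $1 is the repository root (the directory that contains CVSROOT).
echo " Repository Permissions Tool ";
echo "-----------------------------";
if [ -d "$1/CVSROOT" ] ; then
    echo "Fixing up permissions on $1" ;
    echo "mwake" > "$1/CVSROOT/.owner" ;
    chown -R cvsuser "$1" ;
    chgrp -R "OurITDomain+CVS_Access_Lockdown" "$1" ;
    chmod 770 "$1" ;
    # Directories: rwx for owner and group only, setgid so new entries keep the group.
    find "$1" -type d -print | while IFS= read -r dir;
    do
        echo "Fixing \"$dir\"";
        chmod 2770 "$dir";
    done
    # CVSNT control files: read/write for owner and group only.
    find "$1" -type f \( -name '.perms' -o -name '.owner' \) -print \
    | while IFS= read -r filename;
    do
        echo "Fixing \"$filename\"";
        chmod 660 "$filename";
    done
    chmod 660 "$1/CVSROOT/history"
    chmod 660 "$1/CVSROOT/val-tags"
fi
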
Cheers
Mikew
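
A read-only check that a repository still matches the modes the script above sets, as an added example that is not part of the original post. The function name `audit_repo_perms`, its optional group argument and the extra "no access for other" check are assumptions of this example.

```shell
#!/bin/bash
# Added example: read-only audit of the modes the lockdown script sets.
# Usage: audit_repo_perms <repo-root> [expected-group]
# Returns 0 if clean, 1 if findings were printed, 2 if <repo-root> has no CVSROOT.
audit_repo_perms() {
    local repo="$1" group="${2:-}" findings f
    if [ ! -d "$repo/CVSROOT" ]; then
        echo "no CVSROOT under: $repo" >&2
        return 2
    fi
    findings=$(
        # Every directory should be exactly 2770 (rwxrws---).
        find "$repo" -type d ! -perm 2770 -print | sed 's/^/dir not 2770: /'
        # .perms/.owner control files should be exactly 660.
        find "$repo" -type f \( -name .perms -o -name .owner \) ! -perm 660 -print |
            sed 's/^/control file not 660: /'
        for f in history val-tags; do
            find "$repo/CVSROOT/$f" ! -perm 660 -print 2>/dev/null |
                sed 's/^/CVSROOT file not 660: /'
        done
        # Extra check (assumption, beyond the script): nothing carries "other" bits.
        find "$repo" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/open to other: /'
        # Optional: everything should belong to the lockdown group.
        if [ -n "$group" ]; then
            find "$repo" ! -group "$group" -print | sed 's/^/wrong group: /'
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit when the script is given arguments.
if [ "$#" -gt 0 ]; then
    audit_repo_perms "$@"
fi
```

Pass the group name as the second argument (for the setup above, "OurITDomain+CVS_Access_Lockdown") to also flag entries whose group has drifted.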