[cvsnt] Intermittent group membership / security error
kmknox at aep.com
Fri May 30 13:11:25 BST 2008
We are running (CVSNT) 2.5.03 (Scorpio) Build 2382 on Linux RedHat, and
it's been solid as a rock. We are aware of no significant changes in the
last 6 months to the OS, application, or configuration - but something has
obviously changed and we're hoping for clues in figuring out what it might
be.
The last two Tuesdays at 4:00 pm our users have started experiencing
access-denial issues. They were correctly authenticating, because they
could read, but they could not write/tag per our default access control
list. It was as if they were not members of any authorized group. On
Wednesday afternoon the problem resolves itself. --- Yeah, I know, but we
have to start researching somewhere, and we know of no processes that run
during those hours. There's also one particular user who finds the problem
first, but she doesn't have the authority to accidentally cause this
problem, so we aren't chasing that rabbit trail either. We need to work
back to the real issue.
We have found a discrepancy between traces run during the problem and
traces run after the problem resolves itself. When the problem is
affecting us, the "add_valid_group" step ONLY finds the Linux Operating
System group, "cafdev." When the problem is not affecting us, the
"add_valid_group" step finds the OS group cafdev AND 3 groups identified
in the CVSROOT\group file.
For some reason, between Tuesday afternoon and Thursday morning, our CVSNT
implementation suddenly is not reading in the groups from the group file!
We've changed nothing in the way the group file is stored, updated or
read. We've not upgraded or downgraded the OS or hardware. We've not
changed antivirus settings. Nothing is regularly querying the server. And
somehow, CVSNT quits reading the group file.
Any ideas?
Kevin
Problem trace:
14:04:19: S -> verify_perm(/usr/local/cvs/caf/suites/SEPORT/Tools/DesignDocs/SEPORT V7 Misc Enhancements,ME-2.2.4-Catalog.doc,create,(null),(null))
14:04:19: S -> verify_owner(/usr/local/cvs/caf/suites/SEPORT/Tools/DesignDocs/SEPORT V7 Misc Enhancements)
14:04:19: S -> Checking admin file /usr/local/cvs/caf/CVSROOT/admin for user s327051
14:04:19: S -> add_valid_group(cafdev)
14:04:19: S -> cache_directory_permissions(/usr/local/cvs/caf/suites/SEPORT/Tools/DesignDocs/SEPORT V7 Misc Enhancements)
Success trace:
10:27:32: S -> verify_perm(/usr/local/cvs/caf/suites/SEPORT/Tools/DesignDocs/SEPORT V7 Remote Access,(null),read,(null),(null))
10:27:32: S -> verify_owner(/usr/local/cvs/caf/suites/SEPORT/Tools/DesignDocs/SEPORT V7 Remote Access)
10:27:32: S -> Checking admin file /usr/local/cvs/caf/CVSROOT/admin for user s327051
10:27:32: S -> add_valid_group(SEPORT_lead)
10:27:32: S -> add_valid_group(ScanView_lead)
10:27:32: S -> add_valid_group(SIMPLE_dev)
10:27:32: S -> add_valid_group(cafdev)
10:27:32: S -> cache_directory_permissions(/usr/local/cvs/caf/suites/SEPORT/Tools/DesignDocs/SEPORT V7 Remote Access)
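
Added example, not part of the original post: a Python check that automates the trace comparison described above, flagging any permission check in which add_valid_group was never called for a group the CVSROOT group file grants the user. The trace and group-file samples are constructed from the post's traces, and the "name: user user ..." group-file layout and the user s000001 are assumptions.

```python
import re

# Constructed sample modelled on the post's two traces (wrapped as in the mail).
TRACE = """\
14:04:19: S -> Checking admin file /usr/local/cvs/caf/CVSROOT/admin for
user s327051
14:04:19: S -> add_valid_group(cafdev)
10:27:32: S -> Checking admin file /usr/local/cvs/caf/CVSROOT/admin for
user s327051
10:27:32: S -> add_valid_group(SEPORT_lead)
10:27:32: S -> add_valid_group(ScanView_lead)
10:27:32: S -> add_valid_group(SIMPLE_dev)
10:27:32: S -> add_valid_group(cafdev)
"""
# Constructed group file; the "name: user user ..." layout is an assumption.
GROUP_FILE = "SEPORT_lead: s327051\nScanView_lead: s327051 s000001\nSIMPLE_dev: s327051\n"

# One event per match: either the admin-file check (names the user and starts
# a new permission check) or an add_valid_group call. \s+ absorbs line wraps.
EVENT = re.compile(r"(\d\d:\d\d:\d\d): S ->\s+(?:Checking admin file \S+ for\s+user (\S+)"
                   r"|add_valid_group\(([^)]+)\))")

def expected_groups(group_text, user):
    """Groups the group file grants to `user`."""
    groups = set()
    for line in group_text.splitlines():
        name, sep, members = line.partition(":")
        if sep and not name.lstrip().startswith("#") and user in members.split():
            groups.add(name.strip())
    return groups

def sessions(trace):
    """Return [(time, user, groups_seen)] for each permission check in the trace."""
    out = []
    for when, user, group in (m.groups() for m in EVENT.finditer(trace)):
        if user:
            out.append((when, user, set()))
        elif out:
            out[-1][2].add(group)
    return out

def missing_group_sessions(trace, group_text):
    """Flag checks where a group-file group was never passed to add_valid_group."""
    findings = []
    for when, user, seen in sessions(trace):
        missing = expected_groups(group_text, user) - seen
        if missing:
            findings.append((when, user, sorted(missing)))
    return findings

if __name__ == "__main__":
    for when, user, missing in missing_group_sessions(TRACE, GROUP_FILE):
        print(f"{when} {user}: group file groups not loaded: {', '.join(missing)}")
```

Run against a continuously collected server trace, the timestamps of the flagged checks bound the window in which the group file stopped being applied.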