pserver user id's
Hello.

I have a repository configured and working with pserver. I want to restrict user's permissions on subdirectories in the repository. I don't want user A to see user B's projects and vice versa.

In my $CVSROOT/CVSROOT/passwd file, I have something like:

    divap:YBGW948yOKKSA:cvsadm

divap is a user on the system. The user id under which CVS runs is 'cvsadm'. In $CVSROOT, I have a subdirectory that looks like this:

    drwxrws--x 3 divapdhdev 512 Jul 06 17:16 divap/

This all works fine except that, the pserver user divap can read ALL the projects in all the other subdirectories because on the server, he is actually running as cvsadm (see the passwd file entry above).

If I change the passwd file to look like this:

    divap:YBGW948yOKKSA:divap

I get an error when I try to run a 'checkout' on a project in the divap directory that says:

    cvs [checkout aborted]: unrecognized auth response from cae1axp1: setgroups: Not owner

I don't want everyone to run as the administrator account (cvsadm) and the docs seem to indicate that they can run as themselves (their shell accounts) but I get the above error.

Any help would be GREATLY appreciated.

Andrew

___
Info-cvs mailing list
Info-cvs@gnu.org
http://lists.gnu.org/mailman/listinfo/info-cvs

Re: pserver user id's
foomonkey wrote:
> Hello.
>
> I have a repository configured and working with pserver. I want to restrict user's permissions on subdirectories in the repository. I don't want user A to see user B's projects and vice versa.
>
> In my $CVSROOT/CVSROOT/passwd file, I have something like:
>
>     divap:YBGW948yOKKSA:cvsadm
>
> divap is a user on the system. The user id under which CVS runs is 'cvsadm'. In $CVSROOT, I have a subdirectory that looks like this:
>
>     drwxrws--x 3 divapdhdev 512 Jul 06 17:16 divap/
>
> This all works fine except that, the pserver user divap can read ALL the projects in all the other subdirectories because on the server, he is actually running as cvsadm (see the passwd file entry above).
>
> If I change the passwd file to look like this:
>
>     divap:YBGW948yOKKSA:divap
>
> I get an error when I try to run a 'checkout' on a project in the divap directory that says:
>
>     cvs [checkout aborted]: unrecognized auth response from cae1axp1: setgroups: Not owner
>
> I don't want everyone to run as the administrator account (cvsadm) and the docs seem to indicate that they can run as themselves (their shell accounts) but I get the above error.
>
> Any help would be GREATLY appreciated.
>
> Andrew

Obviously divap does not have write access to the repository structure.

In my pserver setup, the repository directories files are owned cvs:cvs, and my users run username:password:cvs. My admin users DON'T have the :cvs part at the end, but instead are members of the linux group cvsadmin, who are granted access automatically (I'm not sure if it's by pserver or by CVS itself). Note: I am told it is ill-advised to use admin accounts for regular use.

To get back to the original requirement (restricting access on a per-project basis), I believe that CVS/pserver does not conveniently support the granularity of access you require.

julian.

Re: pserver user id's
I believe my problem lies in that my inetd.conf specifies to run cvspserver under the cvsadm user account.

When I have my $CVSROOT/CVSROOT/passwd file configured like, username:password:cvsadm, everything works great. With the exception that user A can see user B's projects and vice versa. This is because cvsadm owns the repository directory structure. The mode for it is 771.

When I change the passwd file to username:password:username, this does not work. I get the previously mentioned error. My belief is that pserver is running as cvsadm but wants to run in the context of the user specified in passwd. I don't know that this is possible unless pserver is running as root. In a sandbox environment, I have changed pserver to run as root (in inetd.conf) and it works correctly.

I may be missing something but that's the way things appear to me. Is there any danger in having pserver run as root? inetd.conf contains many other services running as root. I realize that ANY service running as root or otherwise introduces certain vulnerabilities.

Thanks for any clarification anyone can provide.

Andrew

Re: pserver user id's
foomonkey writes:
> If I change the passwd file to look like this:
>
>     divap:YBGW948yOKKSA:divap

Note that you can just omit the third field entirely in that case.

> I get an error when I try to run a 'checkout' on a project in the divap directory that says:
>
>     cvs [checkout aborted]: unrecognized auth response from cae1axp1: setgroups: Not owner

Your [x]inetd must run cvs as root to be able to switch to another user.

-Larry Jones

I'm not a vegetarian! I'm a dessertarian. -- Calvin

Re: pserver user id's
foomonkey writes:
> I may be missing something but that's the way things appear to me. Is there any danger in having pserver run as root? inetd.conf contains many other services running as root. I realize that ANY service running as root or otherwise introduces certain vulnerabilities.

You've got it. Pserver runs as root just long enough to authenticate the user and then it switches to the actual user to run everything else so there's very little risk.

-Larry Jones

The game's called on account of sudden death. -- Calvin

Re: pserver user id's
foomonkey wrote:
> I believe my problem lies in that my inetd.conf specifies to run cvspserver under the cvsadm user account.
>
> When I have my $CVSROOT/CVSROOT/passwd file configured like, username:password:cvsadm, everything works great. With the exception that user A can see user B's projects and vice versa. This is because cvsadm owns the repository directory structure. The mode for it is 771.
>
> When I change the passwd file to username:password:username, this does not work. I get the previously mentioned error. My belief is that pserver is running as cvsadm but wants to run in the context of the user specified in passwd. I don't know that this is possible unless pserver is running as root. In a sandbox environment, I have changed pserver to run as root (in inetd.conf) and it works correctly.
>
> I may be missing something but that's the way things appear to me. Is there any danger in having pserver run as root? inetd.conf contains many other services running as root. I realize that ANY service running as root or otherwise introduces certain vulnerabilities.
>
> Thanks for any clarification anyone can provide.
>
> Andrew

As Larry said, [x]inetd must run cvs as root. But you don't want to have the repositories owned by an admin account member - it isn't necessary, and gives rise to the problems you're experiencing. Running cvs as root - as Larry says - allows it to control access to other users.

To that end ... Create a separate user and group cvs, and change ownership of the repository to that user. Put :cvs after all entries in your password file (that are not admin users, of course). You already have drwxrws--x on your repository directories, which is good. The project files need/should only be 440, CVS takes care of everything.

julian.

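Added example, not part of the thread and not CVS project code: a small audit of a $CVSROOT/CVSROOT/passwd file that shows which system account each pserver login runs as, which logins share one account (so directory mode bits cannot separate them), and which are mapped to an admin account. The sample file, the logins `userb` to `userd`, the placeholder hashes, and the names `parse_passwd`, `audit` and `admin_accounts` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the format quoted in the thread:
#   pserver_login:crypt_hash[:system_account]
# The hashes are placeholders, not real values.
SAMPLE_PASSWD = """\
divap:XXXXXXXXXXXXX:cvsadm
userb:XXXXXXXXXXXXX:cvsadm
userc:XXXXXXXXXXXXX
userd:XXXXXXXXXXXXX:userd
"""


def parse_passwd(text):
    """Return {pserver_login: system_account} for every entry.

    If the third field is omitted or empty, the server runs as the system
    account with the same name as the pserver login.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        # This example rejects anything that is not login:hash[:account].
        if not 2 <= len(fields) <= 3 or not fields[0]:
            raise ValueError(f"line {lineno}: expected login:hash[:account]")
        login = fields[0]
        account = fields[2] if len(fields) == 3 and fields[2] else login
        mapping[login] = account
    return mapping


def audit(mapping, admin_accounts=("cvsadm",)):
    """Find logins sharing a system account and logins run as an admin."""
    by_account = defaultdict(list)
    for login, account in mapping.items():
        by_account[account].append(login)
    shared = {a: sorted(ls) for a, ls in by_account.items() if len(ls) > 1}
    as_admin = sorted(l for l, a in mapping.items() if a in admin_accounts)
    return {"shared": shared, "as_admin": as_admin}


if __name__ == "__main__":
    report = audit(parse_passwd(SAMPLE_PASSWD))
    for account, logins in report["shared"].items():
        print(f"{account}: shared by {', '.join(logins)}")
    print("run as admin account:", ", ".join(report["as_admin"]) or "none")
```

Logins that end up on their own system account, such as `userc` and `userd` here, only work when [x]inetd starts cvs as root, as noted in the replies above.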