[cvsnt] Re: Is it possible to reject SSPI login for non-group members ?

Tony Hoyle tmh at nodomain.org
Thu Jan 13 11:52:06 GMT 2005


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


Mike Wake wrote:
> cvs -d sspi;username=naughtyuser;hostname=mycvsserver:/MyLockedDownRepos 
> checkout _all (in directory D:\HowItCouldBeDone)
> cvs [checkout aborted]: cvs [server aborted]: Repository directory 
> /home/cvsuser/CVSREPOS_LOCKDOWN/MyLockedDownRepos does not exist: 
> Permission denied

You have completely denied access to the repository for those users. 
The whole path is given in the error here because it's a configuration 
failure - the server can't access it (or even verify it exists).  You 
can perform a lockout like this by denying access to CVSROOT or even 
just CVSROOT/config.

> Would you recommend that I remove them if I am totally sure that I don't 
> want to revert to an older version of the server (Be assured that I 
> don't, If it were possible for this version ;) )?

You might as well - everything is in the fileattr.xml files now.

> I haven't played with/completely missed the deny ( ie noread, nowrite ) 
> stuff.  When I was experimenting with this a few months ago I was trying 
> to explicitly and recursively allow read by users that fall into the 
> "default" category.  And I was not not setting anything else for the 
> default user.  I was assuming that not setting "write" was equivalent to 
> using "nowrite"

The default is 'allow everything' (for compatibility), so it's the other 
way around at the moment (there's an implicit default 'allow all' ACL in 
the root of the repository).

> Instead I should have just been denying everything except "read" for the 
> default users at the root level and then explicitly allowing operations 
> for the relevant users and groups in the sections of the repository that 
>  are required.
> 
> Is this correct?  If it is, I hope helps someone else get it.

Yes if you put a deny at the root it'll work more like you expect.

Tony



More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook