[chora] Security Issues, Not a nice solution

Luis Martinez luimarma@iti.upv.es
Thu, 28 Jun 2001 17:18:21 +0200


If you are (as I am) in a rush to get a working per module/group/user auth 
you can manage the following solution. This solution is not an elegant, 
final solution but it will help you for now, and it will only work in one 
repository (all the modules should be under the same directory.)

Imagine that you have a large CVS repository that sits on ${CVSROOT} and has 
a structure like ${CVSROOT}/client/project/; the settings for this situation 
would be:

The chora side:
	-You must set config/cvsroots.php to have only one repository with its 
location pointing to its root. Example:
<?php                                                                        
$cvsroots = array();
 
$cvsroots['iti'] = array(
    'name' => 'ITI',
    'location' => '/export/apps1/cvsroot',
    'title' => 'ITI CVS Repository',
    'default' => true
);
?>

The apache side:
	-You have to grant access to the chora directory to everyone and auth the 
modules by group. In the following example I grant permission only to the 
cvsadmins group for the cvsroot and then grant to module/group for each one I 
want. (I do it this way because I only need to show modules for projects for 
which I have a website, so I put a web link there pointing directly to the module.)

   <Directory /$MyPathToChora>
      Options Indexes FollowSymLinks
      Order Deny,Allow
      Allow from All
      .
      .
      .
   </Directory>
   <Location "/cvs.php">
      Order Deny,Allow
      Deny from All
      # If you want to limit it to your intranet:
      Allow from 192.168.1.0/255.255.255.0
      AuthName "ITI CVS Repository"
      AuthType Basic
      AuthUserFile /$PathToMyUsersFile/users
      AuthGroupFile /$PathToMyGroupsFile/groups
      Require group cvsadmins
      Satisfy all
   </Location>
   <Location "/cvs.php/$PathToMyModuleProject">
      Order Deny,Allow
      Allow from All
      AuthName "ITI $PROJECT CVS Repository"
      AuthType Basic
      AuthUserFile /$PathToMyUsersFile/users
      AuthGroupFile /$PathToMyGroupsFile/groups
      Require group cvs_$PROJECTusers
   </Location>

The last <Location> directive should be repeated for each module that you 
want to make browseable.

This works for me now. If anybody has a question or improvement to the method 
exposed above, please mail back.
I will wait impatiently for the SQL/session solution which I think is easier to 
maintain.

Luis Martínez

On Thursday 28 June 2001 15:57, you wrote:
> Quoting Mathieu Arnold <arn_mat@club-internet.fr>:
> > I was looking at a per folder auth because I have a big repository which
> > is like this :
> > ${CVSROOT}/client/project/ (mainly because I didn't want to have
> > hundreds of repositories)
> >
> > so I was looking for a way to be able to add auth wherever I needed to.
> > I was planning to work on this in August or September if my clients were
> > still bugging me with web cvs access.
>
> Sounds like a great use for the Horde Auth and Perms systems. I'll look at
> this eventually if no one else gets to it...
>
> -chuck
>
> --
> Charles Hagenbuch, <chuck@horde.org>
> Some fallen angels have their good reasons.

-- 
----------------------------------------------------------------------
Luis   Javier Martínez Martínez   Instituto Tecnológico de Informática
				  System Administrator
Telf:  34 (9) 63 87 72 33         Universidad  Politécnica de Valencia
Email: luimarma@iti.upv.es        Camino de Vera s/n    46071 Valencia
----------------------------------------------------------------------
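
Added example (not part of the original message or of Chora): a small generator for the per-module <Location> block that the message says must be repeated for each module. It assumes module paths of the form client/project, the cvs_$PROJECTusers group naming used above, and the usual "group: user1 user2" AuthGroupFile format; the sample group data, user names and file paths are constructed.

```python
import re

# Assumption: path segments use only letters, digits, '.', '_' and '-'.
# This rejects quotes, '>', whitespace and '..', so a name cannot add directives.
SEGMENT = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]*")

def parse_groups(text):
    """Parse AuthGroupFile content ('group: user1 user2') into {group: {users}}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def location_block(module, users_file, groups_file, groups):
    """Return the <Location> block for one module such as 'client/project'."""
    segments = module.strip("/").split("/")
    if not all(SEGMENT.fullmatch(s) for s in segments):
        raise ValueError(f"unsafe module path: {module!r}")
    path = "/".join(segments)
    project = segments[-1]
    group = f"cvs_{project}users"  # naming scheme from the message
    # A missing or empty group would lock every user out of the module.
    if not groups.get(group):
        raise ValueError(f"group {group} is missing or empty in the groups file")
    return "\n".join([
        f'<Location "/cvs.php/{path}">',
        "    Order Deny,Allow",
        "    Allow from All",
        f'    AuthName "ITI {project} CVS Repository"',
        "    AuthType Basic",
        f"    AuthUserFile {users_file}",
        f"    AuthGroupFile {groups_file}",
        f"    Require group {group}",
        "</Location>",
    ])

# Constructed sample data (not from the original message).
SAMPLE_GROUPS = """\
cvsadmins: luis
cvs_webshopusers: luis anna
cvs_intranetusers:
"""

if __name__ == "__main__":
    print(location_block("acme/webshop", "/etc/httpd/auth/users",
                         "/etc/httpd/auth/groups", parse_groups(SAMPLE_GROUPS)))
```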