Lost All Permissions

[carpediemevive]

Somehow I have lost the ability to perform basically any and all tasks on my plastic server. You name the command I can't execute it. I tried as two users, one of which earlier on in the day I could checkout the one repository in the server, but now neither can do anything. I'm wondering if there's anything I can do to get access to it. Keep in mind, I have basically no access to the GUI at all because the GUI requires a workspace, which requires a repository, which I can't access or create a new one.

There were other things potentially going on with the server at this point, but I'm not aware of what. I just know I had other people playing around with it. I know I was attempting to do a fast-import when I noticed the permissions issue.

I am using the Active Directory authentication, if that make's anything clearer to anyone. Active Directory is up and working as I was able to authenticate to multiple machines on the domain so I doubt that's it.

I'm at a loss with what other information to give besides that, but any help would be greatly appreciated. I probably can just blow the system away and re-install from scratch because this is a fresh install, but I might have to answer the "what if this happens again" question.

[manu]

Hello carpediemevive,

can you tell us the exactly error you are facing?

It's a security error like: "You don't have permission for...."?

Regards,

Manu.

[carpediemevive]

Yes that's the exact error I'm getting. When I open the GUI I'm faced with the "Select a workspace" dialog, and when I click "New.." I get an error saying no repositories are found. Then when I go to make a new one, it says I don't have permission for that. On the command line commands like 'cm lrep' return "You don't have permission for". Same think with mkrep.

[manu]

Ok,

seems you have lost the permissions on the repository server.

Do you remember your owner user for the repository server? If not I will email you a process to reset the security on the Repository server.

Regards,

Manu.

[carpediemevive]

I'm assuming the owner of the repository server is the same account I did the install with. If that's so, I'm getting all these same error messages using that user as well as using a straight developer user account. If that isn't the case, then I'm unaware of what the owner would be.

[manu]

I've just sent you an email with the process.

I've used the email that appears on your forum profile.

Regards,

manu

[carpediemevive]

Awesome, I received it. Thank you so much for all your help!

[psantosl]

Manu,

Maybe you should publish the steps so everyone else can check how it is done... kinda hacking but...

[carpediemevive]

For now I'm considering setting up the permissions so only a certain group of people can change permissions. I would hope that wouldn't be necessary since I work at such a small shop, but apparently it is. When I look at the repository server permissions I know what I want to do, which is add a group to the permissions list and give them all the permissions, and then remove certain permissions from the "ALL USERS" group. Is there any reasons ever to change the owner of the repository?

[manu]

Hi carpediemevive,

Yes, you should change the repository server owner. This is the "root" figure so it's safer if you change it to a root account.

The owner can do everything on its object and the repository server is the main object, almost all the system objects inherits their permissions of the repository server.

FYI, there's a permission called "chgperm" useful for this kind of security issues.

Regards,

Manu

[carpediemevive]

Perfect thanks so much! I'll get this implemented right away.

[manu]

We are just writing a new Security Guide for 4.0 according with the changes made on the new version, but if you are still working on 3.0 you will find this guide very useful.

http://www.plasticscm.com/releases/3.0.1/manuals-html/en/securityguide.htm

[skoobiedu]

I agree with psantosl, that the steps for how to do this, should be posted here.

[Giles]

I too seem to have fallen into this scenario.

In retrospect I stupidly denied all permissions for the "ALL USERS" group for one of my repositories in the belief that I would still be able to see the repository given that I was both the Owner of the repository, and failing that, also the administrator of the repository server.

I now constantly get "You don't have permissions for operation view" when using either the gui or command line to try and access the repository.

I'm using User and Password authentication and am currently the only user.

My background to all this is that I'm evaluating Plastic SCM as an alternative to our current source control provider of Alienbrain. Got to say so far Plastic obliterates Alienbrain hands down.

Could I possible get the list of steps, as mentioned elswehere in this thread, required to solve this problem.

Many Thanks.

[manu]

Hello Giles,

please write to out support mail account and I will connect with you.

support at codicesoftware dot com

[CrazyTim]

Add me to the list.

I don't think it is wise to allow the GUI to remove permissions for the ALL USERS group (that's what I did and now no one can do anything!!). arrg Help!! So I realise after the fact that you need to explicitly DENY permissions for user groups. Too late..

Srsly why would the GUI let you do this? Is there a good reason for it? Can I request this be changed in the next version?

Thanks, Jason

[manu]

Hi Jason,

can you please email me to mlucio at codicesoftware dot com?

We will try to fix it.

[carpediemevive]

To setup my permissions in Plastic, I typically remove all rights from the "ALL USERS" group. The problem for me was changing the repository owner. If Plastic were to prevent changing the repository owner to a group that the current user wasn't a part of, or, if changing to a particular user, forcing it to be only the current user might be helpful. You could at least guarantee someone would have access to it. That still wouldn't have fixed my problem though because it was done by someone who never should have had access to do it in the first place, and that's my fault for not setting the settings properly.

In terms of the GUI preventing you from shooting yourself in the foot, there are so many complicated security rules that companies enforce that having Plastic guarantee that some user somewhere should always have access to it to prevent these things would be a lot of work on Plastic's part, and probably result in possible security loops in the software as a result (hidden root-type users make security folks very nervous).

Having been through it, the fix wasn't too big of a deal. I'd rather go through that fix and have Plastic developers focus on other things then getting around this annoyance.

Perhaps some "Best Practice" type documentation on securing your plastic server is worth a blog post? I bet a large majority of people would be happy with the most basic walkthrough of the security settings.

[CrazyTim]

Hi carpediemevive,

To setup my permissions in Plastic, I typically remove all rights from the "ALL USERS" group. The problem for me was changing the repository owner. If Plastic were to prevent changing the repository owner to a group that the current user wasn't a part of, or, if changing to a particular user, forcing it to be only the current user might be helpful. You could at least guarantee someone would have access to it. That still wouldn't have fixed my problem though because it was done by someone who never should have had access to do it in the first place, and that's my fault for not setting the settings properly.

Ahh, I changed the owner too! I was just clicking and experimenting.

In terms of the GUI preventing you from shooting yourself in the foot, there are so many complicated security rules that companies enforce that having Plastic guarantee that some user somewhere should always have access to it to prevent these things would be a lot of work on Plastic's part, and probably result in possible security loops in the software as a result (hidden root-type users make security folks very nervous).

Really? Every other program in the world that I know of has a system admin user and password that gives you access to everything.

Don't get me wrong I'm not hating Plastic - I think its brilliant.

Perhaps some "Best Practice" type documentation on securing your plastic server is worth a blog post? I bet a large majority of people would be happy with the most basic walkthrough of the security settings.

Yes, please. I found where it says in the manual that you shouldnt do this - one small sentence. It needs to be at the beginning fo the docuemnt highlighted in red and bold! ...

3.1.1 ALL USERS... It is important to note that denying permission to the all users group will affect all the users overriding any other permission.

[manu]

For sure we need to improve the Guide and make clear the best way to change the security.

Also some highlighted text in red and bold will help!

[bcsangani]

I have had same problems.

 

I am evaluating Plastic SCM

 

After denying all permissions for the "ALL USERS" group for one of my repositories

I now constantly get "You don't have permissions for operation view" when using either the gui or command line to try and access the repository.

 

I am using User and Password authentication and have 2 other users.

 

How to find out which user is the owner of the Repository Server?

 

Could you explain the list of steps required to solve this problem.

 

Thanks. 

[calbzam]

Hi,

 

Which Plastic version are you using? In 4.2 is not possible to remove all the permissions.

 

First of all try this:

 

 

 

cm setowner -user=YourUser rep:MyRep@MYSERVER:8084

 

 

If you are not able to reconfigure the permissions send me an e-mail:

 

calba at codicesoftware dot com

 

We can get connected and review the issue.

 

Best regards,

Carlos

[bcsangani]

Dear Carlos

 

Unable to solve earlier problem

 

On fresh new PC installed earlier version 4.1.10.434 with authentication mode as User/Password based security and works fine

 

Downloaded vesion 4.2.31.437 and reinstalled newer version on same PC

 

but now new version is not allowing to use authentication mode as User/Password provider even if server.conf shows  <WorkingMode>UPWorkingMode</WorkingMode>

 

Tried changing Authentication mode to User/Password several times,it defaults to Local Users after rerunning the Wizard

 

Is there problem in new version 4.2 or am I missing something?

 

Version 4.1 is working fine with User/Password security 

 

Kindly guide us

[calbzam]

Hi,

 

It shouldn´t be any problem with 4.2 version. Can you you confirm me this 4.2 installation is also in a new PC (no permissions modified)?

 

After configuring your server (configureserver.exe in server folder) as UP mode you also have to configure your client, you can open a command line and execute:

 

plastic --configure

A windows will be open to select UP mode and your user and password.

 

Regards,

Carlos

[bcsangani]

Hi

 

Thanks for the reply

 

I am using 4.2.31.437 on fresh new PC

 

Command (plastic --configure) you mentioned opens Client Configuration , but that is working properly. It saves Auth mode as <user/password>

 

Problem is with the Server Configuration Auth mode in New version 4.2

Tried changing it through configureserver.exe in server folder, changed Auth mode to <user/password>, even server.conf shows <WorkingMode>UPWorkingMode</WorkingMode>

 

But every time wizard opens it shows  Auth mode as <Local Users - OS>

 

While opening <user group tool> dialogue appears saying Server is not with <user/password> security provider

 

This issue is only with new version 4.2 

Older version 4.1 works correctly.

 

Kindly guide us

 

Regads

Bharat