Hi everybody.

I've looked everywhere, I googled, I read windowssecurity.com, I found
no information on how to do this :-(. So I have to ask for help:

I want to run Subversion as a service on a Windows XP 64bit Pro
machine. To do this, I use SrvAny.exe by Microsoft. I created a service
that runs svnserve.exe (Subversion's server process).

My problem is this: I want to create a user that svnserve.exe runs as
that is restricted to read just the directory that contains my code
repository, nothing else. The user can't login, can't open any files or
anything outside of c:\repositories.

I created a user account called SVN (with password) using the
Computer-Management MMC and didn't add it to any group, so that it
doesn't inherit existing group-level permissions for "Users". Then I
used the Local Security Policy Snap-In to give SVN the permission to
"Logon as a Service".

But this doesn't work as it seems that any process automatically is
part of the Builtin\Users group that, according to Sysinternals'
Process Explorer, is "mandatory" (whatever that means). Users has
Read/Execute rights on c:\ and these are inherited by c:\repositories.
So while SVN might not be able to read or open files, any process
started by SVN can... as far as I understand that.

However, removing "Users" from c:\ and adding SVN to c:\repositories
with "Full Control"-privileges interestingly removes SVN's ability to
read or write files from c:\repositories even though the user account
has full control privileges...

Please help me, I have no idea how to do this.

How do I create a user-account that has access to only one directory?
(and additionally all libraries that are needed to run a Win32
executable, presumably read&execute access to c:\windows and
c:\subversion)

Thanks!
-Jonas

RE: Creating a very limited user account to run a service by QuidnuncSimcha

QuidnuncSimcha
Wed Sep 06 20:51:01 CDT 2006

Hello,

Don't believe my last post was posted....

I am not an expert but would like to offer you some advice. There may be a
better way, but the mounted drive may be more efficient for managing user
access. If the new local group and new user are created, you may be able to
give this group the only access to the mounted drive.

You probably know how to do this: a GUI or command line can be used to
create a new user "SVN" and new local group "Subversion". Command line is
pretty easy to do this task:

start---->run-----> type: cmd

After the command prompt opens, type the following:
Note: net /? ---> help ....... net localgroup /? -----> help for localgroup

---To create a new local group and user -----
Type: (net localgroup Subversion /add & net user SVN /add)

---To add "SVN" to "Subversion" and delete "SVN" from Built-in Users---
Type: (net localgroup Subversion SVN /add & net localgroup users SVN /delete)

Then you can use the GUI to set password and access permissions. This can be
done via cmd line also.

If you like, you can create a batch program similar to this:

@echo off
rem ********************************************************************************
rem Create new user account and localgroup for user "SVN" and localgroup "Subversion"
rem ********************************************************************************

rem **************************************************************
rem Create a localgroup called "Subversion" and user called "SVN"
rem **************************************************************

(net localgroup Subversion /add & net user SVN /add)

rem **************************************************************************************
rem Add user "SVN" to localgroup "Subversion" and delete user "SVN" from localgroup "Users"
rem **************************************************************************************

(net localgroup Subversion SVN /add & net localgroup users SVN /delete)

rem ***********************************
rem Check Actions
rem ***********************************

(net localgroup Subversion & net localgroup users) > c:\SubversionAccount.txt

echo ################################################################################ >> c:\SubversionAccount.txt

echo SVN should not be in the Built-in "Users" group. >> c:\SubversionAccount.txt
echo Use LS GUI to set password. >> c:\SubversionAccount.txt

rem Open the report file to review the group memberships
c:\SubversionAccount.txt

If you are interested in creating a mounted drive, follow the below link to
learn about mounted drives:

"Mounted drives make data more accessible and give you the flexibility to
manage data storage based on your work environment and system usage. For
example, you can:"
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/dm_modify_access_path.mspx?mfr=true
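The access behaviour described in the question, as an added example that is not part of the original thread: a simplified Python model of how a DACL is evaluated against the group SIDs in a process token, first with the inherited "Users" entry and then with inheritance blocked on the repository. The account "alice", the three-bit rights and the tightened layout are assumptions made for the illustration.

```python
# Added illustration: a simplified model of the Windows DACL access check.
# SIDs are plain strings and rights are three bits; this is not real Win32 code.
READ, WRITE, EXECUTE = 1, 2, 4
FULL = READ | WRITE | EXECUTE
USERS = "BUILTIN\\Users"

def effective_dacl(path, acls, protected=frozenset()):
    # Explicit ACEs first, then ACEs inherited from each parent, nearest first.
    # A path listed in `protected` has inheritance blocked at that level.
    aces = list(acls.get(path, []))
    while "\\" in path and path not in protected:
        path = path.rsplit("\\", 1)[0]
        aces += acls.get(path, [])
    return aces

def access_check(token_sids, aces, wanted):
    # Walk the ACEs in order. Only ACEs whose SID is in the token count.
    # A deny ACE on a still-missing wanted bit fails; allow ACEs accumulate.
    granted = 0
    for kind, sid, mask in aces:
        if sid not in token_sids:
            continue
        if kind == "deny" and mask & wanted & ~granted:
            return False
        if kind == "allow":
            granted |= mask
        if (granted & wanted) == wanted:
            return True
    return False

def can(token, path, wanted, acls, protected=frozenset()):
    return access_check(token, effective_dacl(path, acls, protected), wanted)

# Constructed sample tokens. SVN was never added to "Users", yet the group SID is
# in the token of every process it starts, as the question observes.
SVN_TOKEN = {"SVN", USERS}
OTHER_TOKEN = {"alice", USERS}  # hypothetical second local account

# Layout from the question: Users has Read/Execute on the root of c:, inherited below.
INHERITING = {"c:": [("allow", USERS, READ | EXECUTE)]}

# Hypothetical tightened layout: the repository stops inheriting and lists only SVN.
TIGHT = {**INHERITING, "c:\\repositories": [("allow", "SVN", FULL)]}
TIGHT_PROTECTED = {"c:\\repositories"}

if __name__ == "__main__":
    for label, acls, prot in (("inheriting", INHERITING, frozenset()),
                              ("tightened", TIGHT, TIGHT_PROTECTED)):
        for path in ("c:\\repositories", "c:\\windows"):
            for name, tok in (("SVN", SVN_TOKEN), ("alice", OTHER_TOKEN)):
                print(label, path, name, can(tok, path, READ, acls, prot))
```

In the tightened layout the model keeps other accounts out of c:\repositories, while SVN still reads c:\windows through the "Users" SID in its token, so the directory ACL alone does not confine the service account.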