[p4] Reverting files for another user using "p4 -u<user> reopen"
Tetlow, Gordon
gtetlow at soe.sony.com
Thu Jan 21 13:51:36 PST 2010
The host field can be spoofed by using the -H field with p4:
p4 -H otherhost -c otherclient reopen //depot/path/to/file.txt
Trying to say that Perforce is 100% secure is a fallacy. Perforce
support will tell you as much. The tool is meant to be used by
developers with a common goal. If you have people that are doing evil
nefarious things with your Perforce server, you have much bigger
problems than Perforce's security model.
Gordon
> -----Original Message-----
> From: perforce-user-bounces at perforce.com
> [mailto:perforce-user-bounces at perforce.com] On Behalf Of
> Looney, James B
> Sent: Thursday, January 21, 2010 8:00 AM
> To: Sheizaf, Yariv; perforce-user at perforce.com
> Subject: Re: [p4] Reverting files for another user using "p4
> -u<user> reopen"
>
> I asked the same question a year or two ago.
>
> The response I received was that no, it's not considered a
> security hole because the Perforce paradigm expects that
> workspaces are located on an individual's machine and the
> workspace's client is locked to that machine (host field).
> Assuming that's true, you wouldn't be able to reopen another
> user's file since Perforce would halt the operation due to
> you being on a machine other than what's specified in the
> client's 'host' field. (That statement obviously fails if
> you're on the same machine or if the host field is not set).
>
> In our case, we put our workspaces on a common server since
> we need access to that workspace from multiple machines
> (cube, lab, conference rooms, etc). So we must trust one
> another to not go and mess with another user's files, unless
> there's a specific need.
>
> My 2-cents,
> -JB
>
> -----Original Message-----
> From: perforce-user-bounces at perforce.com
> [mailto:perforce-user-bounces at perforce.com] On Behalf Of
> Sheizaf, Yariv
> Sent: Thursday, January 21, 2010 12:21 AM
> To: perforce-user at perforce.com
> Subject: Re: [p4] Reverting files for another user using "p4
> -u<user> reopen"
>
> Hi,
>
> I think that "p4 -u<user> reopen" by non-superuser is a big
> hole in Perforce security system.
> Isn't it?
>
> Regards,
> Yariv Sheizaf
>
>
> Message: 1
> Date: Tue, 19 Jan 2010 14:28:20 -0700
> From: Shawn Hladky <p4shawn at gmail.com>
> To: Rick Macdonald <rickmacd at shaw.ca>
> Cc: Perforce Users Mailing List <perforce-user at perforce.com>
> Subject: Re: [p4] Reverting files for another user?
> Message-ID:
> <e251a8701001191328x34c73e7ep218056a4417df0e8 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> You can reopen the files to your user with p4 reopen, then
> revert. You will
> need to set the client and host to match the client/host the
> files where the
> files checked out. See the following (for simplicity OtherUser has no
> password):
>
> C:\>p4 edit //depot/file.txt
> //depot/file.txt#1 - opened for edit
>
> C:\>p4 -uOtherUser reopen //depot/file.txt
> //depot/file.txt#1 - reopened; user OtherUser
>
> C:\>p4 -uOtherUser revert //depot/file.txt
> //depot/file.txt#1 - was edit, reverted
>
>
>
> Oddly enough, any user can do this... not just superusers.
> It even works
> for files that are locked.
>
> _______________________________________________
> perforce-user mailing list - perforce-user at perforce.com
> http://maillist.perforce.com/mailman/listinfo/perforce-user
>
> _______________________________________________
> perforce-user mailing list - perforce-user at perforce.com
> http://maillist.perforce.com/mailman/listinfo/perforce-user
>
More information about the perforce-user
mailing list