Protections and passwords
Until you define a Helix Core Server superuser, every user is a superuser and can run any Helix Core Server command on any file. After you start a new Perforce service, use:
$ p4 protect
as soon as possible to define a Helix Server superuser. To learn more about how p4 protect works, see Authorizing access.
Without passwords, any user is able to impersonate any other Helix Server user, either with the -u flag or by setting P4USER to an existing Helix Server user name. Use of Helix Server passwords prevents such impersonation. See "Passwords" in the Helix Core Command-Line (P4) Guide.
To set (or reset) a user’s password, either
- use p4 passwd username (as a Helix Server superuser), and enter the new password for the user, or
- invoke p4 user -f username (also as a Perforce superuser) and enter the new password into the user specification form.
The security-conscious Helix Server superuser also uses p4 protect to ensure that no access higher than list is granted to unprivileged users, p4 configure to set the security level to a level that requires that all users have strong passwords, and p4 group to assign all users to groups (and, optionally, to require regular changes of passwords for users on a per-group basis, to set a minimum required password length for all users on the site, and to lock out users for predefined amounts of time after repeated failed login attempts).
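One way to check the "no access higher than list" rule, as an added example that is not part of the original documentation: a Python audit of the Protections: field from saved `p4 protect -o` output. It assumes "unprivileged" means the wildcard user `*` plus any group names you pass in (the group `contractors` and the sample spec are constructed), and it flags individual lines rather than computing effective access.

```python
import shlex

# Constructed sample of `p4 protect -o` output (not taken from the page).
SAMPLE_SPEC = """\
# Constructed protections spec for illustration.
Protections:
\twrite user * * //...
\tlist user * * -//depot/secret/...
\tread group contractors * //depot/docs/...
\tlist group contractors * //depot/...
\tsuper user bruno * //...
"""


def parse_protections(spec_text):
    """Return (mode, kind, name, host, path) tuples from the Protections: field."""
    entries, in_table = [], False
    for raw in spec_text.splitlines():
        if raw.startswith("Protections:"):
            in_table = True
        elif in_table and raw[:1] in (" ", "\t"):
            # shlex handles quoted paths and drops trailing ## comments
            fields = shlex.split(raw, comments=True)
            if len(fields) == 5:
                entries.append(tuple(fields))
        elif in_table and raw.strip():
            in_table = False  # a new, unindented spec field ends the table
    return entries


def audit(spec_text, unprivileged_groups=()):
    """Flag lines that grant more than `list` to every user or to a listed group."""
    findings = []
    for mode, kind, name, host, path in parse_protections(spec_text):
        if path.startswith("-"):
            continue  # exclusionary mapping: removes access rather than granting it
        broad = (kind == "user" and name == "*") or (
            kind == "group" and name in unprivileged_groups)
        if broad and mode != "list":
            findings.append((mode, kind, name, host, path))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SPEC, unprivileged_groups={"contractors"}):
        print("above list:", *finding)
```

Because later protections lines can override earlier ones, treat each flagged line as a prompt to review the table, not as a statement of a user's effective access.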
An alternate way to reduce security risk during initial setup or during a maintenance interval is to start the Helix Core Server using localhost:port syntax. For example:
$ p4d localhost:2019
This forces the server to ignore non-local connection requests.
For complete information about security, see the chapter on Securing the server, including Recommended settings to configurables for security.