[cvsnt] cvstemp

Tony Hoyle tmh at nothing-on.tv
Wed Aug 21 16:27:09 BST 2002


On Wed, 21 Aug 2002 14:51:58 +0100, "Kevin Jones" <kevinj at develop.com>
wrote:

>
>BTW - what happens when I have impersonation enabled? This is when the
>pserver connection is failing. If I disable impersonation it's fine. The
>ntserver protocol is fine either way,
>
Pserver impersonation is a hack to drop privileges (which NT still
doesn't support for some reason).  It creates a process token for the
logged-in user then impersonates that user.

This causes the NT security system to see the process as 'insecure'
which is why you can't use network shares with this mode.  Access to
the local filesystem, though, is unaffected which makes it extremely
useful to enforce NTFS permissions on a per-user basis (as well as
being far more secure than running as 'System' all the time).

Other protocols (ntserver, sspi, etc.) have their own impersonation
mechanisms (although cygwin sshd uses a mechanism very similar to
pserver impersonation to drop its privileges).

Tony



