[cvsnt] Permission denied error

Jonas Bergvall jonas.bergvall at ibitec.se
Wed Dec 18 10:09:02 GMT 2002


Hi all,

Earlier I complained about errors trying to migrate to build 62 from 57f. Now I think I have narrowed down the problem to some kind of authentication/permisson error. In 62 I couldn't login at all (my guess is the server couldn't impersonate to the user account). However, this works in 57f.

Server setup is:
 * CVSNT build 57f (installed using a local admin account) running as LocalSystem.
 * Windows 2000 in AD domain (not a DC or anything)
 * Repository and temp folders are fully controlled by everyone
 * SystemAuth=no
 * Users in passwd map to their domain user names (ok, not correct case, but does it matter?)
 * I used to have DevGuy's PCTK exe dist v. 1.6.16, but I uninstalled it to debug

In CVSROOT\notify I have:

ALL echo Hello
ALL dgnotify "%s"

Last line shouldn't be possible to execute as I have uninstalled the PCTK dist.

However, the symptom is this result from a cvs edit:

D:\Projects\cvsserver\cvsroot>cvs -t edit notify
 -> main loop with CVSROOT=:pserver:jonasb at cvs-server:/cvs
notify  jonasb  Wed Dec 18 08:12:38 2002 GMT    jonasb  D:\Projects\cvsserver\cvsroot
 -> chmod(notify,100666)
 -> copy(notify,CVS/Base/notify)
 -> rename(CVS/Baserev.tmp,CVS/Baserev)
 -> ParseInfo(E:/repositories/cvs/CVSROOT/notify, cvsroot, ALL)
S-> run_popen(echo Hello)
cvs server: Script execution failed
cvs server: cannot write entry to notify filter: echo Hello: Permission denied
S-> run_popen(dgnotify "JonasB")
cvs server: Script execution failed
cvs server: cannot write entry to notify filter: dgnotify "JonasB": Permission denied

Note that I get a permission denied trying to execute a script/exe that doesn't exist! Do I miss some fork priviliges or what for LocalSystem (or the JonasB account)? When the server tries to execute the scripts (S-> run_popen(echo Hello)), isn't it still running as LocalSystem?

When I tried to run the service under the local admin account I got an impersonation error, so I guess the impersonation works using the LocalSystem account. The question is the what could cause the permission error? Can the server silently fail the impersonation if it can't find the doma user? But the same user can check in/out and commit files.

I wish I was more familiar with the Windows security system... :(

Hope anyone has a clue.

Regards,
Jonas




More information about the cvsnt mailing list