[cvsnt] Re: Least Privilege configuration for CVSNT service

Tony Hoyle tmh at nodomain.org
Tue Nov 5 21:08:33 GMT 2002


On Tue, 05 Nov 2002 19:58:45 +0100, news.microsoft.com wrote:

> Hi there,
> 
> since I hope to save time without going into deep testing, is there
> someone who can tell me the least necessary privileges the CVSNT Service
> account needs to do its job?
> 
> I'd like to change the current common practice of running as SYSTEM, so it
> can run under a special account with only the rights it needs.
> 
> It seems to need this:  SeTcbPrivilege (to impersonate)
> 
The cvs service itself doesn't need any rights except those required to
maintain its network connections & do some initial repository access
(CVSROOT/config and CVSROOT/passwd).  It uses SeTcbName to drop privileges
at the earliest opportunity to those of the client user, so it's only
running as System for maybe a fraction of a second - not enough for there
to be any worries about security, generally.

If you're running pserver it also needs 'Create a system level token'
privilege to do its impersonation.  If this bothers you simply disable
pserver and don't give the process that privilege.

Disabling impersonation completely will cause the process to run as
'System' all the time.  This is not recommended on secure systems.

Tony
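
An added example, not part of the original thread or of CVSNT: one way to check which accounts actually hold the two privileges discussed above, by parsing the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` dump. The account name `svc_cvsnt`, the SIDs and the INF text are constructed, and reading the post's 'Create a system level token' as SeCreateTokenPrivilege is an assumption.

```python
# Added example: audit a `secedit /export /areas USER_RIGHTS` dump.
# Account name, SIDs and INF text below are constructed sample data.

# Assumption: the post's 'Create a system level token' is read here as
# SeCreateTokenPrivilege ("Create a token object").
SENSITIVE = ("SeTcbPrivilege", "SeCreateTokenPrivilege")
LOCAL_SYSTEM = "*S-1-5-18"  # well-known SID of LocalSystem, as secedit writes it

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = svc_cvsnt,*S-1-5-20
SeTcbPrivilege = svc_cvsnt,*S-1-5-21-1111111111-2222222222-3333333333-1104
SeCreateTokenPrivilege = svc_cvsnt
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def audit(inf_text, service_account):
    """Split holders of the sensitive privileges into 'service' and 'others'."""
    rights = parse_privilege_rights(inf_text)
    held, others = [], []
    for priv in SENSITIVE:
        for principal in rights.get(priv, []):
            if principal.lower() == service_account.lower():
                held.append(priv)        # granted directly to the service account
            elif principal != LOCAL_SYSTEM:
                others.append((priv, principal))  # unexpected extra holder
    return {"service": sorted(held), "others": others}

if __name__ == "__main__":
    print(audit(SAMPLE_INF, "svc_cvsnt"))
```

secedit normally writes the export as UTF-16, so decode the file before passing its text in. The check sees only direct grants; a privilege inherited through group membership shows up under the group's SID in `others`.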


