[cvsnt] using pserver with cvsnt

Malzer Ferdinand AS SD MalzerF at spardat.at
Mon Nov 11 12:53:08 GMT 2002


hi,
we are using the sspi protocol - for NT/W2K clients - along with pserver for unix clients against a CVS server running on a W2K member server of a domain!
sspi works fine, access control is related to NTFS permissions.
if you use pserver with the settings below you'll receive an error!

To solve the problem we found 2 possible solutions
1) is to turn off impersonation on the cvs server (which we don't like to do)
2) is related to cvs source code:

we've checked out the cvsnt source of 1.11.1.3 (Build 57j) and looked for the NT impersonation code
in module setuid.c the function nt_setuid(...) seems to do the real stuff!
The problem we see is very simple: After impersonation of the NT account you delete all handles to the just created tokens. From now on all file access fails, because you've told NT to use the created tokens via ImpersonateLoggedOnUser() but afterwards you destroy the information! We'd suggest keeping the hPrimaryToken handle in a static variable until you have to destroy the user's context
so the code could look like the following:

186:	static HANDLE hPrimaryToken = INVALID_HANDLE_VALUE;
...
397:	RevertToSelf();
>>	if (INVALID_HANDLE_VALUE != hPrimaryToken)
>>	{
>>		CloseHandle(hPrimaryToken); hPrimaryToken=INVALID_HANDLE_VALUE;
>>	}
398:	if(!ImpersonateLoggedOnUser(hPrimaryToken))
	{
		goto nt_setuid_out;
	}
...
425:	if(retval && hPrimaryToken!=INVALID_HANDLE_VALUE)
		CloseHandle(hPrimaryToken);
...

We are not able to compile the code here onsite, but perhaps anybody else could try to do so ....

:-) ferry malzer
tel.: +43(5)0100-15778
fax:  +43(5)0100-915778
handy: +43(664) 817 05 49
mail: malzerf at spardat.at