[cvsnt] Yet Another Security Question

Glen Starrett grstarrett at cox.net
Thu Feb 27 21:36:25 GMT 2003


Hi Lawson,

First off, it looks like you're using an old client (and server).  I get the
same client and server version numbers:  "1.11.1.3 (Build 72)
(client/server)".  I'm not sure where you got the version you listed.  If
you are using winCVS, you need to be on the latest Beta version to be able
to use sspi protocol (I am using 1.3.10.1 beta 10 build 1)--and even then,
they ship an old version of CVSNT with their client (build 57k).  I don't
know how much of what you're seeing is due to client/server versions, but
it's best to get that straight right away to be sure it isn't the cause,
especially since you're still just testing.

>>>>>>>
duplicate access control system (with SystemAuth = Yes, using a passwd file
and chacl, etc.)
<<<<<<<
I think you (or I) have the SystemAuth setting backwards.  I believe
SystemAuth=Yes is the default, it checks your credentials on the login
domain and then impersonates you on the server to get access to the
files--exactly what we want.

It's all a bit confusing--it talks about pserver checking domain
account--but this is regarding sspi, not pserver.  I think.  The settings
affect the way CVSNT works over different protocols, but I'm not entirely
clear on which affect when.

>>>>>>>
The thing that I just discovered does not work is "cvs admin <anything>". I
get the error:
<<<<<<<
Yes, that confused me too.  I poked through the code to figure this out
(hooray open source!), and here is the pseudo-code of how it works--all from
memory, mind you--going through the SSPI code assuming system auth is active
(pardon my hack code if you are|aren't a programmer):

NOTE:  CVSUsername is your BASE username (e.g. rlawson) NOT your
domain\username.

	....
	if (check_admin()) {...}
	else { TellNonAdminUserToGetLost() }
	....

	check_admin() {
		If CVSUsername is Listed in "admin", return TRUE

		If SystemAuth=YES AND there is a DOMAIN account on the
			DOMAIN SERVER with the same CVSUsername
			AND that user is in Administrators (in the DOMAIN),
			return TRUE.
Note:  If you are an admin on the CVSNT server but NOT on your login domain,
it doesn't think you are in Administrators!

		If SystemAuth=NO And there is a LOCAL account on
			the machine with the same CVSUsername
			AND that user is in Administrators, return TRUE

Note:  The latest build (73) has some additional code in it that changes the
above line to act like this, but I haven't tried it yet:
		If there is a LOCAL account on
			the machine with the same CVSUsername
			AND THAT user is in Administrators, return TRUE

		Otherwise, return FALSE

So, my SystemAuth=Yes and in the CVSROOT *on the server* (not just checked
in with CVS), in each repository, I added an admin file.  I don't believe it
works at all if you have admin file under source control.  It is recommended
against in the docs, but I think it is coded to REFUSE to use it if it is
under source control to prevent a security hole.

Hope this helps.

Regards,

Glen Starrett
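The check_admin() decision Glen walks through above, modelled in Python as an added example (not CVSNT's source) over constructed accounts; the Server fields, the build-number switch and the account names are assumptions.

```python
# Added example, not CVSNT's own code: a model of the check_admin() logic the
# post describes. The Server fields, build switch and accounts are assumptions.
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    groups: set = field(default_factory=set)

@dataclass
class Server:
    system_auth: bool        # the SystemAuth setting
    admin_file: list         # names in CVSROOT/admin on the server itself
    admin_file_in_cvs: bool  # True if CVSROOT/admin is under source control
    domain_accounts: dict    # constructed stand-in for the login domain
    local_accounts: dict     # constructed stand-in for the server's local accounts
    build: int = 72          # 72 = logic in the post; 73 = the relaxed local check

def check_admin(server, cvs_username):
    """True if cvs_username may run 'cvs admin', per the post's pseudo-code."""
    # An admin file under source control is refused, i.e. never consulted.
    if not server.admin_file_in_cvs and cvs_username in server.admin_file:
        return True
    domain = server.domain_accounts.get(cvs_username)
    local = server.local_accounts.get(cvs_username)
    if server.system_auth and domain is not None and "Administrators" in domain.groups:
        return True
    # Build 72 consults the local account only when SystemAuth=No;
    # build 73 consults it regardless of SystemAuth.
    if (not server.system_auth or server.build >= 73) and local is not None:
        return "Administrators" in local.groups
    return False

def scenarios():
    """Constructed cases: rlawson is a local admin on the CVSNT box, not on the domain."""
    domain = {"rlawson": Account("rlawson", {"Domain Users"})}
    local = {"rlawson": Account("rlawson", {"Administrators"})}
    def srv(**kw):
        base = dict(system_auth=True, admin_file=[], admin_file_in_cvs=False,
                    domain_accounts=domain, local_accounts=local)
        base.update(kw)
        return Server(**base)
    return {
        "listed_in_admin_file": check_admin(srv(admin_file=["rlawson"]), "rlawson"),
        "admin_file_under_cvs": check_admin(srv(admin_file=["rlawson"], admin_file_in_cvs=True), "rlawson"),
        "local_admin_sysauth_yes_b72": check_admin(srv(), "rlawson"),  # the surprise in the post
        "local_admin_sysauth_yes_b73": check_admin(srv(build=73), "rlawson"),
        "local_admin_sysauth_no": check_admin(srv(system_auth=False), "rlawson"),
    }
```

Running scenarios() shows the case Glen warns about: with SystemAuth=Yes on build 72, being in the server's local Administrators group is not enough.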