[cvsnt] SSPI Protocol security

Thomas Muller ttm at online.no
Tue Mar 11 12:03:00 GMT 2003


John Peacock:
| There are a couple of things that are "wrong" with your configuration; you
| might be able to get it to work this way, but it is not a supported
| configuration.
|
| 1) Repositories on shares are not supported; notwithstanding the fact that
| CVS has very weak locking support, the basic Win security model makes it
| quite painful to configure properly.  You may/will have repository
| corruption occurring on occasion.  The use of non-local repository is
| strongly discouraged.

I understand. I'd still like to give it a go, though.

| 2) Drive maps are an interactive client feature, not something that
| services can use; it doesn't matter how you create the drive map, it is
| not visible to the service even if mounted by the same user.

OK. I'm not an OS expert, so this was definitely new to me. Thanks.

| 3) Running services as an administrator account is always (IMHO) the
| wrong thing to do.  If you must use a domain account for a service, it
| should only be an ordinary account, with specific ACL rights to resources.

I totally concur. However, from experience I've learnt that it's good to
start with "maximum privileges, minimum security" to get it to work, and
then upgrade security/downgrade privileges till you reach the wanted
security level.

| You may also need to assign additional rights to the identity,
| specifically "Log in as a service", "Act as part of the Operating System",
| as well as possibly "Create a token object" and "Replace a process level
| token" though I am not sure that the latter two are strictly required for
| CVSNT.

OK.

| If you still want to try and get this working, you should start with
| trying to use a non-system user on a _local_ repository.  Get the rights
| working and make sure the service works completely.  Perform all steps
| under CVS: import, add, delete, update, etc.  Only when this is working
| 100% should you proceed to the next step.

Good thinking, and I have done that; a local repository is working fine.

| Then you will need to refer to the remote repository by a UNC path, not
| by a drive mapped letter.

Pardon my ignorance; what is a UNC? Is that a fully qualified path, such as
\\<ip>\shared-folder-with-CVSROOT?

| I would suggest using the Repository prefix in the more recent releases.
| You will likely have to add additional ACL's to the remote repository to
| get it to work.

Again, pardon my ignorance. What is an ACL?

| If you are not in a domain environment (i.e. workgroup), you may have
| better luck.  But I would suspect that performance is going to suffer,
| since the UNC drive has to be created each time the service runs (AFAIK,
| Win32 does not cache the UNC drives).

Do you mean for each server session, each client session or each client
command?

One more q: should systemauth be set to yes or no in CVSROOT\config?

Thanks a lot for your input so far.

--

Thomas
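
The following is an added example, not part of this thread and not code from the CVSNT project. It turns the three points quoted above (an ordinary, non-administrator service identity; the "Log on as a service" right; ACLs on the repository reached by a UNC path rather than a drive letter) into an elevated PowerShell script that applies and checks them. The account CORP\svc_cvsnt, the file server fileserver01, the share cvsroot and the temporary file names are assumptions for illustration; the CVSNT service configuration itself (which repository prefix it uses) is not touched here.

```powershell
# Added example (not from the cvsnt list or the CVSNT project): least-privilege
# preparation of a CVSNT service identity. Account, server, share and temp file
# names are assumptions; adjust them. Run in an elevated PowerShell on the
# CVSNT server (PowerShell 5.1+ for Get-LocalGroupMember).

$ServiceAccount = 'CORP\svc_cvsnt'           # assumed: ordinary domain user, not an admin
$RepositoryUnc  = '\\fileserver01\cvsroot'   # assumed UNC path; drive letters are invisible to services

# 1) The service identity must not be a local administrator.
#    Note: direct members only; nested domain groups are not expanded here.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
if ($admins -contains $ServiceAccount) {
    throw "$ServiceAccount is in Administrators; create an ordinary account for the service."
}

# 2) Grant "Log on as a service" (SeServiceLogonRight) without dropping the
#    existing holders: export the current user-rights policy, add the SID, re-import.
#    The same pattern applies to SeTcbPrivilege ("Act as part of the operating
#    system") if CVSNT turns out to need it for SSPI.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'cvsnt-rights.inf'   # assumed temp file names
$db  = Join-Path $env:TEMP 'cvsnt-rights.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
$match  = $policy | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
$idx    = [array]::IndexOf($policy, $match)
if ($idx -ge 0) {
    if ($policy[$idx] -notmatch [regex]::Escape("*$sid")) { $policy[$idx] += ",*$sid" }
} else {
    $section = [array]::IndexOf($policy, '[Privilege Rights]')
    if ($section -lt 0) { throw "No [Privilege Rights] section in exported policy" }
    $policy = $policy[0..$section] + "SeServiceLogonRight = *$sid" + $policy[($section + 1)..($policy.Count - 1)]
}
Set-Content -Path $inf -Value $policy -Encoding Unicode   # secedit expects UTF-16
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# 3) ACLs on the repository: CVS creates, renames and deletes lock files and
#    ",v" RCS files, so Modify (M) is needed, inherited by sub-folders and files
#    via (OI)(CI). Share permissions on the share must allow Change as well;
#    NTFS ACLs alone are not enough over a UNC path.
icacls $RepositoryUnc /grant "${ServiceAccount}:(OI)(CI)M" /T | Out-Null

# 4) Sanity check from this host: the UNC path and CVSROOT\config must be reachable.
foreach ($p in @($RepositoryUnc, (Join-Path $RepositoryUnc 'CVSROOT\config'))) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Cannot reach $p" }
}
Write-Host "Service account $ServiceAccount prepared for repository $RepositoryUnc"
```

Step 4 runs under the interactive admin's token, not the service's, so it only proves the path resolves; the real test is still the one John Peacock describes: point the service at the UNC path and run import, add, delete and update as the service account.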