[cvsnt] Re: permission denied when users are not admins on the server (using :pserver:)

Tony Hoyle tony.hoyle at march-hare.com
Thu Dec 22 22:14:17 GMT 2005


Oliver Giesen wrote:
> I always thought :pserver: also used impersonation unless SystemAuth
> was false. How else could it regard file system ACLs? Surely CVS
> doesn't check these by itself?

SystemAuth doesn't affect impersonation.  cvsnt always impersonates... 
SystemAuth merely tells pserver whether to allow system users to log in 
directly.

There are sometimes some slight differences with pserver, since it's 
constructing a new token, however the important things (group 
membership, privileges, etc.) are the same.

> Actually, I just did a quick test by running a cvs rlog . on my local
> CVSNT server with varying CVSROOT strings and then checked the cvs.exe
> process that was spawned by cvsservice.exe using SysInternals'
> ProcessExplorer. Strangely enough the result of this was that with both
> :sspi: and :pserver: the spawned process was running as SYSTEM...
> 
> Or is this simply not the correct way to check what user a process is
> impersonating?

That'll show you the process token.  You want the thread token probably, 
if you can display that.

Tony



More information about the cvsnt mailing list