[cvsnt] Pserver authentication stopped working after upgrade...

[Bo Berglund]

On Wed, 8 Feb 2006 09:49:26 -0800, "Michael Wojcik"
<Michael.Wojcik at microfocus.com> wrote:

>> From: cvsnt-bounces at cvsnt.org 
>> [mailto:cvsnt-bounces at cvsnt.org] On Behalf Of Bo Berglund
>> Sent: Wednesday, 08 February, 2006 11:56
>> 
>> 
>> To quote the error message:
>> 
>> cannot change permissions on temporary directory 
>> D:\CVSTEMP/cvs-serv2612
>> 
>> Why does this happen?
>
>Well, taking a quick look at the code for 2.0.51d (src/server.cpp) where
>this message is produced, what CVS is trying to do is create its
>temporary directory for this request.  (Here 2612 is the PID of the CVS
>server process.)
>
>CVS creates the directory, then sets its permissions to S_IRWXU - full
>permissions for current user, no permissions for others.  That's to
>prevent an attacker from altering the contents of the temporary
>directory.
>
>When this message is produced, CVS has successfully created the
>directory, but CVS_CHMOD has failed.  (It'd be nice if CVS reported the
>system error code, so we'd know *why* it failed.)

Actually, the directory is *not* created. I had a look at the temp
folder while running these commands. Unless of course cvs first
succeded to create the dir, then failed changing permissions and then
finally vcleaned up by removin the dir again. This would not be slow
enough to show up in Windows Explorer.


>On Windows, CVS_CHMOD is wnt_chmod, defined in windows-NT/win32.cpp.  It
>does a couple of things, but it appears that it only returns an error if
>_tchmod (the TCHAR version of Windows chmod) fails.
>
>> Absolutely every account and group 
>> involved has Full Control on CVSTEMP and its contents, so why 
>> does CVSNT fail to change permissions?
>
>The question really is why does _tchmod (which is actually _chmod or
>_wchmod, depending on what character set CVSNT is compiled for) fail?
>(It'd be good to run with tracing just to be sure that CVSNT is making
>the _tchmod call correctly, but the code is pretty simple.)
>
>I'm not actually sure how S_IRWXU is being defined here; it isn't
>actually defined by any of the Microsoft C headers, as far as I can
>tell.
>
>According to the MSDN docs I have installed here, though, _tchmod
>ignores everything except whether the "write" bit is set, so really it
>shouldn't matter.  They also claim that it will only fail if the target
>doesn't exist.
>
>Maybe the behavior of _tchmod has changed in a recent release of the MS
>C7 runtime?  More likely, though, it's some problem with ACLs.  If the
>user associated with the current security token for the CVS server
>process has a Deny entry for the Write Attributes permission for the new
>directory, or if that user doesn't have an Allow entry for it, they
>won't be able to set the permission bits with _tchmod.  (I just tried
>it.)

I looked up the security settings for the CVSTEMP folder and went over
the Advanced page for every single entity listed to have permissions
here. THey had all the checkboxes for allow checked and none for deny
checked...

>I'd double-check what account the CVS server is using, then look at
>effective permissions for the D:\CVSTEMP directory for that user.

I also did the following:
We have two CVS user groups in the domain, CVS_Admins (where I am the
only member) and CVS_Users (where all of my developers are members).
So we added the cvs_setup domain user account to CVS_Users group and
hoped that this would fix the problem.
But not, the same error for pserver users aliased to cvs_setup.

Then I even went as far as rebooting the CVSNT Win2000 Server PC in
order for it to refresh the security tokens from the domain
controller. But no-go, same error again after startup.

Finally as a check I again added the domain\cvs_setup account to the
local Administrator group. This again made the pserver operations work
properly! But I *really* do not want to be forced to have the pserver
users operate as a server admin!!!!

What can I do now?


/Bo
(Bo Berglund, developer in Sweden)