[cvsnt] CVSNT on Windows XP SP2 PServer Impersonation not working?

Gerhard Fiedler lists at connectionbrazil.com
Wed Feb 7 13:02:54 GMT 2007


Vitali Lovich wrote:

> Glen Starrett wrote:
>> Vitali Lovich wrote:
>>> The CVSNT service is set to run under an administrator account and in
>>> the service log on page it has the Local System account selected.
>> 
>> Do you mean the CVSNT control panel has the "Run as user" set to 
>> something other than (client user)?  Do I also understand you're using 
>> NTFS permissions to restrict access to users, or are you using the lsacl 
>> and chacl commands built into CVSNT?
>> 
>> Setting the Run as user to something other than (client user) will cause 
>> the NTFS permissions of only the Run as user to be applied.

> The CVSNT control panel has:
> 
> SUPERSPEEDY\Vitali Lovich which is my admin account (single PC machine).

As Glen says, if you want cvsnt to use impersonation, this should be
"(client user)".

> In the services.msc snap-in, it has the CVS server set to run as Local 
> System with desktop interaction (basically, the CVS server runs at the 
> same permission level as a System process - when I look in the task 
> manager, it's registered under the SYSTEM user, not Vitali Lovich).

This is the service. AIUI, the service itself only handles the
communication. It spawns processes to do the actual work, and the setting
in the config applet determines what user is used to spawn these processes.
Currently, it seems they all run under your "Vitali Lovich" account.

> Currently, I fell back to using the chacl built-in command as a 
> workaround because I need this right now.

Don't consider this as a workaround; it's the real thing. NTFS permissions
lack some functionality compared to cvsnt's built-in ACLs. Two of the
differences are that the ACLs provide better permission granularity (with
NTFS there's no way to separate between write and tag, for example), and
they can completely hide a module. With NTFS permissions, the user gets a
message of the type "access to <secret directory> denied" -- which is
usually not what you want. 

> I want to use NTFS permissions because the implication that I got from
> the FAQ and various guides is that if you use SSPI (and maybe pserver as
> well), the CVS server will attempt to log in the user using Windows
> credentials, and then all operations, i.e. commit, checkout, etc, will
> be done as if it was that logged in user (i.e. Guest) and so that the
> NTFS permissions would control access to the repository. 

That's basically correct (if you use "(client user)") and the reason why
you /can/ use NTFS permissions. But it still doesn't mean you couldn't or
shouldn't use cvsnt ACLs. I only see one advantage in using NTFS
permissions: there are tools that show the effective permission on any
given file or directory. Unluckily, cvsnt doesn't have that for its built-in
ACLs. But that's the only one, and there are a few disadvantages. That's
why I'm using cvsnt ACLs instead of NTFS permissions.

Gerhard

