Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
On Tue, 05 Nov 2002 19:58:45 +0100, news.microsoft.com wrote: > Hi there, > > since I hope to save time without going into deep testing, is there > someone who can tell me the least necessary privileges the CVSNT Service > account need to do his job ? > > I'd like to change the current common praxis: running as SYSTEM So it > can run under a special account with only the rights it needs. > > It seems to need this: SeTcbPrivilege (to impersonate) > The cvs service itself doesn't need any rights except those required to maintain its network connections & do some initial repository access (CVSROOT/config and CVSROOT/passwd). It uses SeTcbName to drop priviliges at the earliest opportunity to those of the client user, so it's only running as System for maybe a fraction of a second - not enough for there to be any worries about security, generally. If you're running pserver it also needs 'Create a system level token' privilege to do its impersonation. If this bothers you simply disable pserver and don't give the process that privilige. Disabling impersonation completely will cause the process to run as 'System' all the time. This is not recommended on secure systems. Tony