Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
> Never mind. The IS guy found the problem using auditing. > Execute permissions on "cmd.exe" was disabled for all but > Admin. Its working now, but the IS guy thinks it could be > a security hole. He's going to look into that. Since CVSNT is OSS, you could theoretically: 1) Make a copy of CMD.EXE, called for example, super-secret-cmd.exe. That copy would have permissions but CMD not. 2) Change the CVSNT source code to execute super-secret-cmd.exe instead of cmd.exe when it spawns off the postcommit changes (and commit, taginfo, et. al.), then compile and install the custom CVSNT server. However, I don't know if that would be either the best or the easiest solution. I do agree that in theory giving more people CMD.EXE access might not be a good thing, but it's preferrable to lock down the applciations that users shouldn't get to--locking down CMD.EXE would (I think) cause any number of apps to fail. Personally I think I'd just allow the CMD.EXE and make sure the other doors are closed. It's a false sense of security locking down CMD if the rest of the box isn't properly configured since CMD isn't the only way to invoke processes, and it only let's you do what you otherwise have permissions for anyway. Regards, Glen Starrett