When a user authenticates to CVS using SSPI, what determines the lifetime of the authentication? We have observed what seems to be a security issue with respect to this, so I am trying to understand the behavior.

In our application, we have CVSNT 2.041a running on an NT4 server to control production software. A limited number of users (the software developers) can access the repository via Windows permissions (members of group 'CVS Users'). Our client software is TortoiseCVS, and, in the developers' IDE, "cvs proxy" (scc api) from pushok software (pushok.com). Both of these clients use CVS NT as the CVS component.

Here's the issue: On a QA machine, configured as a production machine, a developer logged in as a non-privileged user and checked out and checked in some files (as part of our qualification plan). He used his login name in CVSROOT, since the user logged into the PC did not have CVS privileges. The first time he connected, a password dialog appeared. Subsequent invocations do not result in a password dialog. This behavior persists even though the non-privileged user has logged off of the machine, and back on.

The consequence of this is that the non-privileged user now effectively has full privileges on CVS. This is a bad thing.

Why does this occur? What is the lifetime and scope of an authentication in CVSNT? Is there a way to forcibly terminate these privileges?

Best regards,
Jon McLin