2011-08-17 10:05 AEST by Arthur Barrett - A user who is a member of a local Administrators group on Windows 7 cannot use the 'cvs passwd' or
checkin/checkout the CVSROOT directory.
The check for 'admin' which happens early, does not detect that the user is an admin, but the check for
groups does show they are:
18:48:32: S -> Checking admin file C:/PROGRA~2/MARCHH~1/myrepo/CVSROOT/admin for user UD6_Sales
18:48:32: S -> Checked admin file (null) for user UD6_Sales they are not an admin.
18:48:32: S -> Check windows admin for user.
18:48:32: S -> Determine if the current thread is running as a user that is a member of the local admins group.
18:48:32: S -> No - is NOT admin (WIN32).
18:48:32: S -> Check windows admin for user completed.
.
.
.
18:48:32: S -> Finished reading the admin group file CVSROOT/group
18:48:32: S -> Get the groups for windows
18:48:32: S -> Checking local access token for groups
18:48:32: S -> add_valid_group(None)
18:48:32: S -> add_valid_group(Everyone)
18:48:32: S -> add_valid_group(Administrators)
18:48:32: S -> add_valid_group(Users)
18:48:32: S -> add_valid_group(INTERACTIVE)
18:48:32: S -> add_valid_group(CONSOLE LOGON)
18:48:32: S -> add_valid_group(Authenticated Users)
18:48:32: S -> add_valid_group(This Organization)
18:48:32: S -> add_valid_group(This Organization)
18:48:32: S -> add_valid_group(LOCAL)
18:48:32: S -> add_valid_group(NTLM Authentication)
18:48:32: S -> add_valid_group(Medium Mandatory Level)
The user who created the repository can list the CVSROOT, but still cannot create users using passwd.
cvs -d :sspi:localhost:/myrepo rlsacl CVSROOT
Directory: CVSROOT
Owner: UD6_Sales
user=UD6_Sales
all
user=admin
all
<default>
none
The test was run on a non-Domain Windows 7 x32 V (UD6_SALES). This is most likely a bug that
primarily affects Windows 7 or otherwise we would have seen it earlier. Need to test on Windows XP to
be sure, and also on a domain connected PC. |
|
2011-08-19 18:44 AEST by Arthur Barrett - Could this in fact be by design? Could some customers be relying on the fact Administrators can't do cvs
passwd or access CVSROOT? |
|
2011-08-19 23:33 AEST by Glen Starrett - I seem to recall that previous behavior was that members of Administrators were
automatically included as CVS admins as well -- I'm not sure when that changed,
but I'd expect the Administrators would always be able to access those portions
of the repository.
|
|
2011-08-24 18:58 AEST by Arthur Barrett - OK - this all comes down to the Microsoft philosophy on UAC. Basically - by the rule book - the
'Administrator' user is not to be treated as an 'administrator' unless it is first 'elevated'.
So here is a new test, with SystemAuth=Yes, and my account NOT in CVSROOT/admin.
test 1: normal command prompt:
C:\Users\adminguy>cvs -d :sspi:localhost:/myrepo passwd -a xoxxy
Adding user xoxxy@localhost
New Password:
Verify Password:
cvsntsrv [server aborted]: Only administrators can add or change another's password
test 2: elevated command prompt:
C:\Windows\system32>cvs -d :sspi:localhost:/myrepo passwd -a xoxxy
Adding user xoxxy@localhost
New Password:
Verify Password:
cvsntsrv server: *WARNING* CVS user 'xoxxy' will not be able to log in until they are aliased to a valid system user.
So that looks like it is working correctly. Note: the Windows isadmin() is not checked unless
systemauth=yes (default).
So I'm inclined to list this as NOTABUG.
The code in win32.cpp win32_isadmin() currently uses this KB:
http://support.microsoft.com/kb/118626
However this discussion points out that it won't work on Vista/W7 unless elevated:
http://blogs.msdn.com/b/larryosterman/archive/2007/03/14/why-does-kb-118626-use-accesscheck-to-check-if-you-re-a-member-of-the-administrators-group.aspx
The original KB is actually for windows NT - from Windows 2000 and later we can use the
CheckTokenMembership() API, which is probably what we should upgrade the code to do:
http://msdn.microsoft.com/en-us/library/aa376389(v=vs.85).aspx
But none of that will change the current behaviour - so it's probably not worth doing. If you need to do
admin functions, you need to be admin - which on Vista/7 means you need an elevated prompt... |
|
2012-07-11 09:53 AEST by Glen Starrett - *** Bug 6519 has been marked as a duplicate of this bug. *** |
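
The trace in the first comment already carries the evidence for the UAC explanation reached later in the thread: the token lists Administrators but is labelled Medium Mandatory Level, which Windows assigns to a non-elevated token. The Python sketch below is an added example, not part of the bug report or the CVSNT code base; it parses such a trace and flags that combination. The sample lines are constructed from the report, and the function names and result labels are hypothetical.

```python
import re

# Constructed sample: a subset of the server trace lines quoted in the report.
SAMPLE_TRACE = """\
18:48:32: S -> Check windows admin for user.
18:48:32: S -> No - is NOT admin (WIN32).
18:48:32: S -> Checking local access token for groups
18:48:32: S -> add_valid_group(Everyone)
18:48:32: S -> add_valid_group(Administrators)
18:48:32: S -> add_valid_group(Medium Mandatory Level)
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}: S -> (.*)$")
GROUP_RE = re.compile(r"^add_valid_group\((.*)\)$")
# Integrity labels show up in the token's group list next to the real groups.
INTEGRITY_RE = re.compile(r"^(Low|Medium|High|System) Mandatory Level$")

def analyse_trace(text):
    """Extract the WIN32 admin result, token groups and integrity level."""
    result = {"win32_admin": None, "groups": [], "integrity": None}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines, "." elisions, other output
        msg = m.group(1)
        if msg.startswith("No - is NOT admin (WIN32)"):
            result["win32_admin"] = False
        g = GROUP_RE.match(msg)
        if g:
            name = g.group(1)
            level = INTEGRITY_RE.match(name)
            if level:
                result["integrity"] = level.group(1)
            elif name not in result["groups"]:
                result["groups"].append(name)
    return result

def diagnose(text):
    """Classify a trace; the labels are hypothetical, chosen for this example."""
    r = analyse_trace(text)
    listed = "Administrators" in r["groups"]
    if r["win32_admin"] is False and listed and r["integrity"] == "Medium":
        return "filtered-token"   # admin account, prompt not elevated (UAC)
    if r["win32_admin"] is False and listed:
        return "admin-mismatch"   # listed as admin, check failed for another reason
    if r["win32_admin"] is False:
        return "not-admin"
    return "inconclusive"         # no negative admin check found in the trace
```

A "filtered-token" result matches the NOTABUG reading above: the account belongs to Administrators, but the command was not run from an elevated prompt.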