WUGNET, the Windows User Group Network

Security Problem in VSS

 
Kralizec



Since: Jun 18, 2008
Posts: 1



(Msg. 1) Posted: Wed Jun 18, 2008 2:04 am
Post subject: Security Problem in VSS
Archived from groups: microsoft>public>visual>sourcesafe

Hello,
I'm using VSS 6.0. As far as I understand, VSS is nothing but a file share.
To connect to the database, we use the srcsafe.ini file from the VSS user
interface. The admin creates user rights and handles security-related
issues.
Because the VSS database is a file share, I can connect to the file share from
Windows Explorer (of course, if I have the correct permission) and I can copy
all the files to my local computer. After that, if I create a local user
named Admin and connect to the local copy of my VSS database as that Admin
user, the VSS interface does not ask for the password. Therefore, no matter
what security rights are defined for a particular user, that particular user can
easily access all the source files in the way I just described. My question
is: is there any method to prevent this situation?

Best Regards
Le Chaud Lapin



Since: Jan 23, 2008
Posts: 19



(Msg. 2) Posted: Sun Jun 29, 2008 9:36 am
Post subject: Re: Security Problem in VSS
Archived from groups: per prev. post

On Jun 18, 4:04 am, Kralizec <Krali....DeleteThis@discussions.microsoft.com>
wrote:
> Hello,
> I'm using VSS 6.0. As far as I understand, VSS is nothing but a file share.
> To connect to the database, we use the srcsafe.ini file from the VSS user
> interface. The admin creates user rights and handles security-related
> issues.
> Because the VSS database is a file share, I can connect to the file share from
> Windows Explorer (of course, if I have the correct permission) and I can copy
> all the files to my local computer. After that, if I create a local user
> named Admin and connect to the local copy of my VSS database as that Admin
> user, the VSS interface does not ask for the password. Therefore, no matter
> what security rights are defined for a particular user, that particular user can
> easily access all the source files in the way I just described. My question
> is: is there any method to prevent this situation?

Not AFAIK.

As you noted, the OS-level Admin is different from the VSS repository
Admin, the latter using a very weak mode of protection (username/
password/nothing else). The password is not requested because the VSS
plug-in will use the current user's login as a guess, but the
separation is entirely distinct, otherwise.

In fact, there are some scenarios like using source control over HTTP
where username/password is transmitted in the clear to be seen by any
network analyzer.

-Le Chaud Lapin-
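
The behaviour discussed in this thread means that read access to a VSS database is decided by the permissions on its folder, not by the rights assigned inside VSS. An added example, not written by either poster, that lists the accounts able to read that folder; the share path and the allowlist are placeholders to replace with your own values.

```powershell
# Added example (not from the thread): report which accounts can read the
# files of a VSS database folder. Any account listed can copy the whole
# database, whatever rights it has been given inside VSS.
# $VssPath and $Expected are placeholders; set them for your environment.
param(
    [string]   $VssPath  = '\\fileserver\vss',
    [string[]] $Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Access-mask bits that allow file contents to be read.
$FILE_READ_DATA = 0x00000001
$GENERIC_READ   = 0x80000000   # parsed by PowerShell as a negative Int32
$GENERIC_ALL    = 0x10000000
$readMask = $FILE_READ_DATA -bor $GENERIC_READ -bor $GENERIC_ALL

$acl = Get-Acl -LiteralPath $VssPath

$readers = foreach ($ace in $acl.Access) {
    # Only Allow entries are listed; Deny entries are not evaluated here.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $readMask) -eq 0) { continue }

    [pscustomobject]@{
        Identity   = $ace.IdentityReference.Value
        Rights     = $ace.FileSystemRights
        Inherited  = $ace.IsInherited
        # True when the account is not on the allowlist above.
        Unexpected = $Expected -notcontains $ace.IdentityReference.Value
    }
}

$readers | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

This reads the NTFS ACL of the folder only; share-level permissions are a separate list, which `Get-SmbShareAccess` shows when run on the file server.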
All times are: Eastern Time (US & Canada)