No security on TFS+Git Service?


(see update below)

I'm evaluating Team Foundation Service and am observing strange behavior. Since I understand that TFS+Git repositories are private, I thought I'd see how security is managed.

So I changed the Visual Studio 2012 Git settings to use a "fake" user and wasn't asked for a password; see below:

[screenshot: Git settings in Visual Studio 2012 with the fake user]

After that, I added a "fake.txt" file, committed the changes and pushed them to the server repository.

To my surprise, the server allowed me, and the "fake user" commit appears in the TFS repository:

[screenshot: the commit by the fake user in the TFS web UI]

I wasn't asked for a password at any stage. Am I doing something wrong? Or is there no security at all in TFS service?

Thank you, Boris.

Update: here's what I found so far:

  • The user/email described in the Git settings has nothing to do with the user who authenticates, as Nathan explained.
  • VS2012 uses IE in the background in order to authenticate to TF Service. As a result, if there's an instance of IE running that is authenticated (or if it's "remember me" auto-authenticated), that's the authentication that is used. IMHO ugly, but I can live with that.
  • Worse, you need to sign out in the "Configure Team Projects" dialog (which is hidden when logon is managed via the Control Panel's "Manage Credentials" feature; see here: How can I change the default credentials used to connect to Visual Studio Online (tfspreview) when loading Visual Studio up?). Still ugly, but I can live with that as well.

So for my original question, I found a kind of solution.

But it still remains a mystery that there's no way to figure out who the "fake user" was. In other words, the following workflow seems to be the current standard:

  • Log on as "realuser", well-authenticated via IE or the GitHub client
  • Change your details so that you'll be "fakeuser"
  • "Do bad stuff to files in the repo" > commit > push
  • TF Service accepts the change (because you're authenticated as "realuser")
  • But the damage in the repo appears to be done by "fakeuser", and I couldn't find a UI/command that "extracts" the real authenticated user who did the change (see screenshot above, TFS web UI: no mention of the real authenticated username/LiveID).

Interestingly, GitHub has pretty much the same behavior, but there is a complicated workaround: you can go to Collaborators, select each collaborator and check the collaborator's activity, and you'll see the "fake" push operation there. The ease of impersonation is officially admitted by GitHub here: https://help.github.com/articles/why-are-my-commits-linked-to-the-wrong-user

So considering the above, my question is:

Is there no way to prevent/detect malicious/accidental user impersonation in TF Service?

After hours of digging, I found an acceptable solution:

  • Navigate in the browser to repository > Code > Commits
  • Select the relevant commit and expand the arrow near the "fakeuser" authoring:

    [screenshot: expanding the author details of the commit]

  • Voilà! The real "pusher" username is shown:

    [screenshot: the authenticated pusher shown next to the fake author]
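The workflow above shows the underlying fact: `user.name`/`user.email` are free text stored inside the commit object, while the identity the server authenticated lives only in the hosting layer (which is why TFS can show the "pusher" separately from the author). A hosting layer that runs its own server-side hooks can therefore refuse pushes where the two disagree. The script below is an added example written for this page; it is not code from the original post, from TFS or from GitHub, and neither of those services runs user-supplied server hooks. It assumes a hypothetical hosting layer that exports the authenticated account's e-mail in `AUTHENTICATED_EMAIL` before invoking `hooks/pre-receive` (Gitolite's `GL_USER` variable plays a comparable role). The comparison itself is kept in a function that works on plain text lines so it can be exercised without a repository.

```shell
#!/bin/sh
# Added example (not from the original post, TFS or GitHub): a pre-receive
# hook that rejects commits whose author or committer e-mail differs from
# the identity the server actually authenticated.
#
# Assumption (hypothetical): the hosting layer exports the authenticated
# account's e-mail as $AUTHENTICATED_EMAIL before running this hook.

# Core check, independent of git: reads lines of the form
#   "<sha> <author-email> <committer-email>"
# from stdin and returns 1 if any line's author or committer is not $1.
check_author_lines() {
    allowed="$1"
    status=0
    while read -r sha author committer; do
        [ -n "$sha" ] || continue
        if [ "$author" != "$allowed" ] || [ "$committer" != "$allowed" ]; then
            echo "rejected $sha: author=$author committer=$committer, pusher=$allowed" >&2
            status=1
        fi
    done
    return $status
}

# Hook body: git feeds one "<oldrev> <newrev> <refname>" line per updated
# ref on stdin. Ref deletions are skipped; for every other update only the
# commits not already reachable from an existing ref are examined, which
# handles new branches and fast-forwards alike (refs are not yet updated
# when pre-receive runs, so "--not --all" excludes what the server has).
zero=0000000000000000000000000000000000000000
check_push() {
    allowed="$1"
    while read -r oldrev newrev refname; do
        [ "$newrev" = "$zero" ] && continue
        git log --format='%H %ae %ce' "$newrev" --not --all \
            | check_author_lines "$allowed" || return 1
    done
    return 0
}

# Only act when installed under the hook's name, so the file can also be
# sourced or run directly without consuming stdin.
case "$(basename -- "$0")" in
    pre-receive)
        check_push "${AUTHENTICATED_EMAIL:?hosting layer must export the authenticated e-mail}"
        ;;
esac
```

The check blocks accidental impersonation (a misconfigured `user.email`) and makes deliberate impersonation visible in the push log, but it still trusts the hosting layer's authentication; if the real user is tied to a commit only by the server's record of the push, that record, not the commit, is the evidence. Signed commits (`git commit -S`) are the way to bind authorship to the commit object itself.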
