No security on TFS+Git Service?

<p>(see update below)</p>
<p>I'm evaluating Team Foundation Service and observing a somewhat strange behavior. Since I understand that TFS+Git repositories are private, I thought I'd see how security is managed.</p>
<p>So I changed my Visual Studio 2012 Git settings to use a "fake" user. I wasn't asked for any password; see below:</p>
<p><img src="https://i.stack.imgur.com/HzLLD.png" alt="enter image description here"></p>
<p>After that, I added a "fake.txt" file, committed the changes and pushed them to the server repository.</p>
<p>To my surprise, the server allowed me to do it, and now this "fake user" commit actually appears in my TFS repository:</p>
<p><img src="https://i.stack.imgur.com/miMst.png" alt="enter image description here"></p>
<p>I wasn't asked for a password at any stage. What am I doing wrong? Or is there no security at all in the TFS service?</p>
<p>Thank you, Boris.</p>
<p><strong>UPDATE:</strong> here's what I found so far:</p>
<ul>
<li>The user/email described in the Git settings has nothing to do with the user who actually authenticates, as Nathan explained.</li>
<li>VS2012 uses IE in the background in order to authenticate with TF service. As a result, if there's any instance of IE running which is already authenticated (or if it's "remember me" auto-authenticated), that's the authentication which will be used. IMHO this is ugly, but I can live with it.</li>
<li>Worse than that, you also need to sign out in the "Configure Team Projects" dialog (which is sometimes hidden when logon is managed via the control panel's "Manage Credentials" feature; see here: <a href="https://stackoverflow.com/questions/12407668/how-can-i-change-the-default-credentials-used-to-connect-to-tfspreview-when-load">How can I change the default credentials used to connect to Visual Studio Online (TFSPreview) when loading Visual Studio up?</a>). Still ugly, but I can live with that as well.</li>
</ul>
<p>So for the original question, I found some kind of solution.</p>
<p><strong>But,</strong> what still remains a mystery is that there's no way to figure out who that "Fake User" really was. In other words, the following workflow seems to be the current standard:</p>
<ul>
<li>Log on as some "RealUser"; this will be well-authenticated via IE or the GitHub client</li>
<li>Change your details so that you'll be "FakeUser"</li>
<li>"Do bad stuff to files in the repo" > commit > push</li>
<li>TF service will accept the change (because you're authenticated as "RealUser")</li>
<li>But the damage in the repo will appear as done by "FakeUser", and I couldn't find any UI/command which "extracts" the real authenticated user who did the change (see the screenshot above, from the TFS web UI: no mention of my real authenticated username/Live ID).</li>
</ul>
<p>Interestingly, GitHub has pretty much the same behavior, but there is a somewhat complicated workaround: you can go to your collaborators, select each collaborator and then check the collaborator's activity; you'll see the "fake" push operation there. This ease of impersonation is even officially admitted by GitHub here: <a href="https://help.github.com/articles/why-are-my-commits-linked-to-the-wrong-user" rel="nofollow noreferrer">https://help.github.com/articles/why-are-my-commits-linked-to-the-wrong-user</a></p>
<p>So considering all the above, my question now is:</p>
<p><strong>Is there really no way to prevent/detect malicious/accidental user impersonation in TF service?</strong></p>
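Because the service records only the name and e-mail written into the commit metadata, one defender-side option is to audit the history against the set of identities that are actually allowed to authenticate. The following Python is an added example, not code from the post or from TFS; the `git log` field layout, the allow-list and the sample commits are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample: output of
#   git log --format='%H%x1f%an%x1f%ae%x1f%cn%x1f%ce'
# from a hypothetical repository (not the repository in the post).
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\x1fBoris\x1fboris@example.com"
    "\x1fBoris\x1fboris@example.com\n"
    "2222222222222222222222222222222222222222\x1fFake User\x1ffake@example.com"
    "\x1fFake User\x1ffake@example.com\n"
    "3333333333333333333333333333333333333333\x1fBoris\x1fboris@example.com"
    "\x1fNathan\x1fnathan@example.com\n"
)

# Assumed allow-list: e-mail addresses of accounts that can actually
# authenticate to the service (would come from the project's user list).
KNOWN_IDENTITIES = {"boris@example.com", "nathan@example.com"}


@dataclass
class Finding:
    sha: str
    reason: str


def parse_log(text):
    """Split the x1f-separated log into (sha, author name/email, committer name/email)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\x1f")
        if len(fields) != 5:
            raise ValueError(f"unexpected field count in line: {line!r}")
        rows.append(tuple(fields))
    return rows


def audit_identities(text, known):
    """Flag commits whose author or committer e-mail is not a known account,
    and commits where author and committer differ (rebase/cherry-pick, or a
    changed identity), so a reviewer knows which commits to cross-check."""
    findings = []
    for sha, an, ae, cn, ce in parse_log(text):
        if ae.lower() not in known:
            findings.append(Finding(sha, f"unknown author identity {an} <{ae}>"))
        if ce.lower() not in known:
            findings.append(Finding(sha, f"unknown committer identity {cn} <{ce}>"))
        if ae.lower() != ce.lower():
            findings.append(Finding(sha, f"author {ae} differs from committer {ce}"))
    return findings


if __name__ == "__main__":
    for f in audit_identities(SAMPLE_LOG, KNOWN_IDENTITIES):
        print(f.sha[:8], f.reason)
```

This only narrows down suspicious commits; it cannot recover the authenticated pusher, which the service does not expose in the commit itself.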