[PATCH] read-only access to server repository
From: David Decotigny
Subject: [PATCH] read-only access to server repository
Date: Tue, 17 Feb 2004 18:58:00 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040119

Hi,
This is not a "bug" in cvs, but rather a (very small) patch proposal.
I've added a "roserver" command that does essentially the same as
"server", with a slight difference: it allows only read-only commands to
be executed. This allows for an anonymous read-only cvs access through ssh.
The patch is against cvs 1.11.12, and has been tested on x86/linux 2.6.2.
If interested in the "anonymous cvs access through ssh", refer to
Google's cache:
http://216.239.59.104/search?q=cache:nfX48ERSj0EJ:www.kitenet.net/programs/sshcvs/+anonymous+cvs+ssh&hl=fr&ie=UTF-8
Since it may not be there forever, here are the basics. The principle is
to distribute a private ssh key (with an empty passphrase) on one side
(the clients). And, on the other (server) side, to configure the ssh
account on the server by adding the associated public key to the
authorized_keys file (usually in ~/.ssh/), *AND* making it limited to
the execution of the cvs roserver command. The latter is achieved by
preceding this public key with something like the following in the
authorized_keys file:
---
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/cvs roserver" ssh-rsa AA..._remaining_of_the_public_key_...
---
And the user simply has to use the private key distributed above
("IdentityFile" config statement in a "Host" declaration of his
~/.ssh/config) to access the server.
Difference with the CVSROOT/readers and writers files? This method allows
user "foo" to do his cvs management through ssh in a normal
(read/write) way, while allowing other people to access this same
account (login="foo") for cvs access only in a read-only and controlled
way. Actually, one cannot correctly set the readers/writers files to
behave differently for the same user name. Furthermore, they only work
with the 'pserver' method, not the 'ext' method.
Please reply to me personally, I don't plan to subscribe to the mailing
list. BTW, I was not able to enter this into issuezilla, please do it
for me...
I have been using cvs daily for many years, and really enjoy it, thanks
to you all!
Sincerely,
--
David Decotigny
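
The scheme in the message above depends on the distributed key appearing in authorized_keys only behind the forced command. The following is an added example, not part of the original message or of CVS: a Python check that finds every entry carrying the shared key and reports missing restrictions. The function names, the sample file and the key blobs are constructed placeholders, and accepting OpenSSH's `restrict` option in place of the three `no-*` options is an assumption of this example.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")
# The three restrictions used in the authorized_keys line of the message (lower-cased).
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')

def parse_line(line):
    """Return (options, key_blob) for one authorized_keys entry."""
    line = line.strip()
    opts = {}
    if not line.startswith(KEY_TYPES):
        pos = 0
        while True:
            m = OPTION.match(line, pos)
            if not m:
                raise ValueError("bad option syntax: " + line[:30])
            # Option names are case-insensitive; flag options get the value True.
            opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else True
            pos = m.end()
            if line[pos:pos + 1] != ",":
                break
            pos += 1
        line = line[pos:].lstrip()
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("no key blob in entry")
    return opts, fields[1]

def audit_shared_key(text, shared_blob, forced="/usr/bin/cvs roserver"):
    """List (line_no, problems) for every entry that carries the distributed key."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, blob = parse_line(raw)
        if blob != shared_blob:
            continue  # the account owner's own read/write keys are out of scope
        problems = []
        if "command" not in opts:
            problems.append("no forced command")
        elif opts["command"] != forced:
            problems.append("forced command is not " + forced)
        if "restrict" not in opts:  # assumption: "restrict" covers the three options
            problems += ["missing " + o for o in sorted(REQUIRED - opts.keys())]
        findings.append((no, problems))
    return findings

SAMPLE = """\
# constructed sample; key blobs are placeholders
ssh-rsa AAAAOWNERKEYPLACEHOLDER foo@workstation
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/cvs roserver" ssh-rsa AAAASHAREDKEYPLACEHOLDER anoncvs
ssh-rsa AAAASHAREDKEYPLACEHOLDER anoncvs-duplicate
"""
```

An entry with an empty problem list is pinned as the message describes; any other entry for the shared key gives every holder of the distributed private key an unrestricted login to the account.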
diff -ru cvs-1.11.12/src/cvs.h mycvs/src/cvs.h
--- cvs-1.11.12/src/cvs.h 2004-02-03 18:42:59.000000000 +0100
+++ mycvs/src/cvs.h 2004-02-17 17:39:13.388577565 +0100
@@ -387,6 +387,7 @@
extern int trace; /* Show all commands */
extern int noexec; /* Don't modify disk anywhere */
extern int logoff; /* Don't write history entry */
+extern int roserver; /* Server repository access is read-only */
extern int top_level_admin;
diff -ru cvs-1.11.12/src/main.c mycvs/src/main.c
--- cvs-1.11.12/src/main.c 2004-02-03 15:37:53.000000000 +0100
+++ mycvs/src/main.c 2004-02-17 18:03:01.185121408 +0100
@@ -42,6 +42,7 @@
int trace = 0;
int noexec = 0;
int logoff = 0;
+int roserver = 0;
/* Set if we should be writing CVSADM directories at top level. At
least for now we'll make the default be off (the CVS 1.9, not CVS
@@ -135,6 +136,7 @@
{ "rtag", "rt", "rfreeze", cvstag,
CVS_CMD_MODIFIES_REPOSITORY },
#ifdef SERVER_SUPPORT
{ "server", NULL, NULL, server,
CVS_CMD_MODIFIES_REPOSITORY | CVS_CMD_USES_WORK_DIR },
+ { "roserver", NULL, NULL, server,
CVS_CMD_MODIFIES_REPOSITORY | CVS_CMD_USES_WORK_DIR },
#endif
{ "status", "st", "stat", cvsstatus, CVS_CMD_USES_WORK_DIR },
{ "tag", "ta", "freeze", cvstag,
CVS_CMD_MODIFIES_REPOSITORY | CVS_CMD_USES_WORK_DIR },
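Review bot: the new "roserver" table entry copies CVS_CMD_MODIFIES_REPOSITORY | CVS_CMD_USES_WORK_DIR from the "server" entry, so the command that is meant to be read-only is itself flagged as repository-modifying. If the flag has to stay because both entries share the server function, say so in a comment beside the entry; otherwise drop CVS_CMD_MODIFIES_REPOSITORY so the table agrees with the "Read-only server mode" help text added further down.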
@@ -226,6 +228,7 @@
" rtag Add a symbolic tag to a module\n",
#ifdef SERVER_SUPPORT
" server Server mode\n",
+ " roserver Read-only server mode\n",
#endif
" status Display status information on checked out files\n",
" tag Add a symbolic tag to checked out version of
files\n",
@@ -717,6 +720,16 @@
}
# endif /* AUTH_SERVER_SUPPORT || HAVE_GSSAPI */
+ /* Read only access to repository */
+ if (strcmp (command_name, "roserver") == 0)
+ {
+ /* Mark directory access as Read-Only */
+ roserver = 1;
+
+ /* Pretend we were invoked as a plain server. */
+ command_name = "server";
+ }
+
server_active = strcmp (command_name, "server") == 0;
#endif /* SERVER_SUPPORT */
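Review bot: after the added block sets roserver = 1 and rewrites command_name to "server", nothing downstream can tell the two modes apart except through that one global, and in this patch only check_command_legal_p reads it. Please extend the comment on the block to name where the flag is enforced, so that a later change to the server request path does not silently lose the read-only guarantee.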
diff -ru cvs-1.11.12/src/server.c mycvs/src/server.c
--- cvs-1.11.12/src/server.c 2004-02-03 17:13:44.000000000 +0100
+++ mycvs/src/server.c 2004-02-17 17:50:08.151303453 +0100
@@ -2421,11 +2421,18 @@
check_command_legal_p (cmd_name)
char *cmd_name;
{
+
+ /* Server access to a read-only repository */
+ if (roserver)
+ return ! (lookup_command_attribute (cmd_name)
+ & CVS_CMD_MODIFIES_REPOSITORY);
+
/* Right now, only pserver notices illegal commands -- namely,
* write attempts by a read-only user. Therefore, if CVS_Username
* is not set, this just returns 1, because CVS_Username unset
* means pserver is not active.
*/
+
#ifdef AUTH_SERVER_SUPPORT
if (CVS_Username == NULL)
return 1;
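Review bot: the early return added at the top of check_command_legal_p allows any request whose table entry lacks CVS_CMD_MODIFIES_REPOSITORY, so read-only mode is only as accurate as that flag is on every command. It also depends on what lookup_command_attribute returns for a name that is not in the table: if that is 0, an unknown name is treated as legal. Consider an explicit list of commands permitted under roserver, or at least reject unknown names before the flag test. Minor: the blank lines added after the opening brace and after the existing comment are unrelated whitespace changes and can be dropped.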