CVS, SSH, (Light) Security

[Richard Caley]

[sorry if you see this twice, my first attempt seemed to go into
 nowhere at a time when my ISP ws having problems]

I have a repository which is, for firewall and other practical
reasons) accessible only by ssh (ie CVS_RSH=ssh and :ext: repository
name).

I would like to give some people read only access. Preferrably only to 
some modules.

CVS provides no support, as it does for pserver.

I can't, so far as I can see, use file permissions, users need write
acess to the repository to make lockfiles etc all over the place.

The best temporary solution I have been able to come up with is a
combination of

        Give them ssh access with a restricted shell that only allows
        cvs seerver to be run.

        Create a commit test which fails for that user (Actually I do
        it based on groups).

This is ugly and only partially works. Eg they can play with tags and
probably other potentially damaging things. For the current user this
is not a problem, I am really only trying to prevent accidental
errors, but in future I think I am loikely to need more. 

Does anyone have a better solution?

-- 
Mail me as address@hidden        _O_
                                                 |<