Re: read-only anonymous

[Kevin Turner]

On Sat, 2003-02-22 at 18:21, Kevin Turner wrote:
> Please confirm this is a most sane way to do read-only pserver:
> 
> I. For read-only access of any kind:
>  1. Create a directory /var/lock/cvs, *writable* to all CVS readers,
> plus sticky bit (aka "restricted deletion flag", so users cannot delete
> each others' locks).

Subdirectories will be created here, so this directory must also have
the setgid bit so those subdirectories will be owned by the proper
group.  The permissions look like drwxrwsr-t or octal mode 3775.

>  2. Add LockDir=/var/lock/cvs to CVSROOT/config.
>  3. Ensure modules are readable-not-writable to any read-only users of
> CVS.
> 
> II. The read-only pserver:
>  0. Assumption: You're not using pserver for anything else.
>  1. Create an account 'anoncvs' with shell /bin/false.
>  2. Make anoncvs's group membership consistent with requirements in I.
>  3. Add 'anoncvs:' to CVSROOT/passwd. (Add a password here if you wish.)
>  4. Add anoncvs to CVSROOT/readers to tell CVS this is a read-only
> user.  (This should be redundant, as if your unix permissions are set
> correctly, the server running as anoncvs should be simply unable to
> write anything.)
>  5. In CVSROOT/config, set SystemAuth=no.  This instructs pserver to not
> attempt to do anything as people who are not in CVSROOT/passwd.  (This
> should be redundant, as without root pserver will not be able to switch
> to other users, but can't hurt.)
>  6. Configure inetd as instructed in cvsbook or the Cederqvist, with one
> important exception: where it says "root", instead use "anoncvs".  e.g.:
> 
> cvspserver stream tcp nowait anoncvs  /usr/local/bin/cvs cvs -f 
> --allow-root=/usr/cvsroot pserver

-- 
The moon is waning crescent, 28.8% illuminated, 24.2 days old.