[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

secure cvs setup (yet again)

From: Peschko, Edward
Subject: secure cvs setup (yet again)
Date: Wed, 28 May 2003 15:33:55 -0700

I've been having a horrible time accessing this list - this is try #4. 
Forgive it if it is a dup;I'd also like some help from the cvs group 
owner to figure out what the #$$% is going on. I shouldn't have to
post from 4 different mailing addresses to get one post; posting
from google looks screwed up too.

Elsewise, help on the following is appreciated.

hey all,

My other email address (address@hidden) has been having difficulty in
reaching this list, so I thought I might try it from here.

Anyways, I'm getting lost in a quagmire (bog? murky swamp?) of options for
running a secure CVS server on a box where I have limited access. For
security's sake, I may get a root process to run in the background but
I'll have to share that root process with others. In short, this is what I
want to do:

1) be able to run a cvs server securely.

2) set it up so this cvs server uses CVSROOT/??? makes all files inside
   CVS be owned by the same user and in the same group.

3) use CVSROOT/passwd to control who accesses the server, checks in and out
   (hence eliminating the need for having one unix user per cvs user).

4) use a configuration file to limit what people receive via 'cvs
   checkout/cvs update'.

Now, #1 I think I have sorted out, but its still a mess of options:
cvsauth vs cvsd, vs something called sserver vs whatever... Anyways, I
think I'm going to go with ssh tunnelling.. and setting up cvs pserver
through xinetd
so the only traffic that can hit the pserver comes from the localhost (ssh

As for #2, how do you do this? Since I'm sharing the box with other
people, I'd like them to have the ability to run *their* cvs repositories,
using the same method that *I'm* doing, all going through one server.

Hence, I'd like pserver to have the ability to use CVSROOT to figure out
what user to use (perhaps picking the user/group combo up from the
directory where CVSROOT is located?) in checking in files.. Is this
possible? If not, what's a workaround? And what are the risks in running
cvs pserver as root? Have their been exploits in pserver to get a root
shell or run root code? And if so, are there ways of running xinetd for
user processes as well as root?

As for #3, I know using CVSROOT/passwd for authentication is doable, but
is it somehow possible to fineagle CVS so that the file is put inside
source control and then edited to get entry? I don't see how this could
be, but the author of cvsauth seems to think it could happen.. Any one
have any ideas?

And finally, using a configuration file to figure out who-gets-what is
totally murky to me. How do you do it? My design would be to have a single
file, with a list of files and directories that pserver would pick up per
user, something like:



which says, cvsuser1 gets dir1, file1, and everything in dir2 minus file2.
Or, maybe:



which says cvsuser1 gets everything minus dir1 and dir2.

Somehow I don't think that cvs is this easy though.

Anyways, any help on this is appreciated. I know this is a long post, but
I think a small doc on setting up a standard, secure, multi-user cvs would
be most appreciated. Lord knows I've looked for one - I've found bits and
pieces, but never the whole picture..


reply via email to

[Prev in Thread] Current Thread [Next in Thread]