info-cvs

Re: CVS newbie - I want to make a new CVS installation secure...


From: Todd Denniston
Subject: Re: CVS newbie - I want to make a new CVS installation secure...
Date: Wed, 19 May 2004 09:16:23 -0500

Flossie wrote:
> 
> >>1) However the first real problem I have is that a CVSROOT folder
> >>appeared locally - this must have been created automatically in the
> >>/usr/local/cvsroot folder. This has all sorts of files with settings
> >>for controlling various CVS behaviour.
> >>a) I don't want CVS users to be able to change these
> >
> > Use a commitinfo trigger. See
> > http://www.cvshome.org/docs/manual/cvs-1.12.7/cvs_18.html#SEC169
> Good grief, maybe I'm missing the point here? I had a look - this
> feature implies that you can write some fancy script to verify that the
> code being committed conforms to all the rules we laid out in the config
> files in the CVSROOT folder. I.e do a ton of reg-ex stuff to verify that
> each file is ok?? That could be a huge amount of work.
> I simply want to 'lock away' from the user access to any config changes
> they may otherwise be able to make in the files in the CVSROOT folder.
> 
If all you are wanting to protect is the contents of the $CVSROOT/CVSROOT
directory, then I agree, Mark's suggestion is overkill.  Usually, I believe,
what you want can be done with directory permissions.
http://www.cvshome.org/docs/manual/cvs-1.11.15/cvs_2.html#SEC13

Usually I do something like the following when cmuser is the only one to be
changing things in $CVSROOT/CVSROOT:
cd $CVSROOT
chown cmuser:cmgroup CVSROOT
chmod og-w CVSROOT
chmod ug+w CVSROOT/history 
chmod ug+w CVSROOT/val-tags
#and you may need to 
chmod ug+w CVSROOT/Emptydir


<SNIP>
> >>3) Can I stop the general users from performing things like code
> >>branching? Stop them from removing files?
> >
> > Yes. See http://www.cvshome.org/docs/manual/cvs-1.12.7/cvs_18.html#SEC176
> > for taginfo as well as the info on commitinfo from the link provided
> > in answer to #1.a.
> I cannot see any hint in this section as to how I can stop users from
> creating branches, removing files, etc. Nor can I see how it relates to
> commitinfo (unless you auto-create a tag when someone commits to CVS,
> but that's not what I'm wanting here).
> Perhaps you could elaborate?

I think the cvs_acls script in the distribution contrib directory
(cvs-1.11.15/contrib) might get you headed where you want and I think there
were some recent changes to that script (to make it more flexible) posted to
the mailing list, so you should look in the archive if this one looks close to
what you want.

In the first message Flossie wrote:
> 
> Hi, I'm new to CVS - at least from a setup perspective (I've only been a
> bystander before now). I have some things that I want to configure to be
> more secure than they currently are - first, here's what I've done so far:
> I have a new Mandrake Linux 10.0 installation, CVS installed following
> the conventional recommendations. In particular:
>      CVSROOT=/usr/local/cvsroot
> I've set up several users, made them members of a cvs group, etc etc.
> 
> My client is TortoiseCVS running on windows XP. The first thing I did
> was create locally c:\Projects, which is the local root point which will
> correspond to CVSROOT. Within that, I created (as a test) a folder
> called 'current'.
<SNIP>

Ok it sounds like you are exporting /usr/local/cvsroot over SMB (via samba)
and mounting that as if it were a local drive on some windows boxes... this is
a *_BAD_* thing to do.
There are many problems with running cvs in local mode on multiple boxes when
the repository is on a Network File System (look in the archive for examples),
please don't do it.
With Windows if you are not using cygwin, pserver is probably the easiest
thing to set up; this will get all your locks happening on the linux box and
that will remove the repository corruption/data loss possibilities.  If you
can, though, get ssh set up, as it offers more security and accountability
(look for messages from Greg Woods in the Archive).
http://www.cvshome.org/docs/manual/cvs-1.11.15/cvs_2.html#SEC26

-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane) 
Harnessing the Power of Technology for the Warfighter
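
[Added example, not part of the original message and not code from the CVS
distribution: a POSIX sh function that audits the permission scheme the
message sets with chown/chmod on $CVSROOT/CVSROOT. The function name, the
FAIL output format and the check on other entries are assumptions.]

```shell
#!/bin/sh
# Added example: audit the permission scheme from the message above.
# Usage: audit_cvsroot_admin DIR [OWNER]
#   DIR   = the administrative directory ($CVSROOT/CVSROOT)
#   OWNER = expected owner, e.g. the message's "cmuser" (optional)
# Prints one FAIL line per finding; returns 0 if clean, 1 otherwise.
audit_cvsroot_admin() {
    admin=$1
    owner=${2:-}
    rc=0
    if [ ! -d "$admin" ]; then
        echo "FAIL: $admin is not a directory"
        return 1
    fi
    # chmod og-w CVSROOT: group/other must not be able to create or
    # replace files in the administrative directory.
    if [ -n "$(find "$admin" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $admin is writable by group or other"
        rc=1
    fi
    # chown cmuser:cmgroup CVSROOT (owner part only).
    if [ -n "$owner" ] && [ -z "$(find "$admin" -prune -user "$owner")" ]; then
        echo "FAIL: $admin is not owned by $owner"
        rc=1
    fi
    for entry in "$admin"/*; do
        [ -e "$entry" ] || continue
        case ${entry##*/} in
        history|val-tags|Emptydir)
            # chmod ug+w: these must stay writable by user and group.
            if [ -z "$(find "$entry" -prune -perm -220)" ]; then
                echo "FAIL: $entry is not writable by user and group"
                rc=1
            fi ;;
        *)
            # Assumption beyond the message: other entries should not be
            # group/other writable either.
            if [ -n "$(find "$entry" -prune \( -perm -020 -o -perm -002 \))" ]; then
                echo "FAIL: $entry is writable by group or other"
                rc=1
            fi ;;
        esac
    done
    return $rc
}
```

Source the file and call audit_cvsroot_admin "$CVSROOT/CVSROOT" cmuser on the
repository host; a non-zero return means at least one FAIL line was printed.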



