First of all, you probably want to tighten the permissions on the `$CVSROOT' and `$CVSROOT/CVSROOT' directories. See section Security considerations with password authentication, for more details.
On the server side, the file `/etc/inetd.conf'
needs to be edited so inetd knows to run the
command cvs pserver when it receives a
connection on the right port. By default, the port
number is 2401; it would be different if your client
were compiled with CVS_AUTH_PORT defined to
something else, though.
If your inetd allows raw port numbers in
`/etc/inetd.conf', then the following (all on a
single line in `inetd.conf') should be sufficient:
2401 stream tcp nowait root /usr/local/bin/cvs cvs --allow-root=/usr/cvsroot pserver
You could also use the `-T' option to specify a temporary directory.
The `--allow-root' option specifies the allowable CVSROOT directory. Clients which attempt to use a different CVSROOT directory will not be allowed to connect. If there is more than one CVSROOT directory which you want to allow, repeat the option.
If your inetd wants a symbolic service
name instead of a raw port number, then put this in
`/etc/services':
cvspserver 2401/tcp
and put cvspserver instead of
2401 in `inetd.conf'.
Once the above is taken care of, restart your
inetd, or do whatever is necessary to force it
to reread its initialization files.
Because the client stores and transmits passwords in cleartext (almost--see section Security considerations with password authentication, for details), a separate CVS password file may be used, so people don't compromise their regular passwords when they access the repository. This file is `$CVSROOT/CVSROOT/passwd' (see section The administrative files). Its format is similar to `/etc/passwd', except that it only has two or three fields, username, password, and optional username for the server to use. For example:
bach:ULtgRLXo7NRxs cwang:1sOp854gDF3DY
The password is encrypted according to the standard
Unix crypt() function, so it is possible to
paste in passwords directly from regular Unix
`passwd' files.
When authenticating a password, the server first checks
for the user in the CVS `passwd' file. If it
finds the user, it compares against that password. If
it does not find the user, or if the CVS
`passwd' file does not exist, then the server
tries to match the password using the system's
user-lookup routine (using the system's user-lookup
routine can be disabled by setting SystemAuth=no
in the config file, see section The CVSROOT/config configuration file). When using the CVS
`passwd' file, the server runs as the
username specified in the third argument in the
entry, or as the first argument if there is no third
argument (in this way CVS allows imaginary
usernames provided the CVS `passwd' file
indicates corresponding valid system usernames). In
any case, CVS will have no privileges which the
(valid) user would not have.
It is possible to "map" cvs-specific usernames onto system usernames (i.e., onto system login names) in the `$CVSROOT/CVSROOT/passwd' file by appending a colon and the system username after the password. For example:
cvs:ULtgRLXo7NRxs:kfogel generic:1sOp854gDF3DY:spwang anyone:1sOp854gDF3DY:spwang
Thus, someone remotely accessing the repository on `chainsaw.yard.com' with the following command:
cvs -d :pserver:cvs@chainsaw.yard.com:/usr/local/cvsroot checkout foo
would end up running the server under the system identity kfogel, assuming successful authentication. However, the remote user would not necessarily need to know kfogel's system password, as the `$CVSROOT/CVSROOT/passwd' file might contain a different password, used only for CVS. And as the example above indicates, it is permissible to map multiple cvs usernames onto a single system username.
This feature is designed to allow people repository access without full system access (in particular, see section Read-only repository access); however, also see section Security considerations with password authentication. Any sort of repository access very likely implies a degree of general system access as well.
Right now, the only way to put a password in the
CVS `passwd' file is to paste it there from
somewhere else. Someday, there may be a cvs
passwd command.
Go to the first, previous, next, last section, table of contents.