I install cvs using a small wrapper program that chroots it, as well as
allows the repository to be safely maintained by a non-administrator
user without any concern of stuff doing things it shouldn't. However, I
am still limited to using the cvs passwd file. The wrapper makes it very
simple to do a single-uid regular-user repository that can be accessed
anonymously or directly. 

Using the rsh/ssh/kerberos rsh methods doesn't really help, since those
require that you let the users log on to your server. No thanks.

Here are a couple of ideas I had that might be a good way to make cvs
easier to set up in a secure manner.

1. Extend my chroot wrapper to allow it to figure out what repository is
being requested and chroot accordingly. This should be easy enough, just
haven't done it yet - will involve an extra I/O layer between cvs and the
client, but that shouldn't hurt much. (The extra I/O layer could be
eliminated if the cvs pserver had some method to pass the initializing
information other than stdin, or if cvs itself did the chrooting.)

2. Add a 'spserver' connection type that uses SSL. Sure, you could use
ssltunnel, but that's a lot more of a contortion, and it will hurt
adoption by end users; simply saying CVSROOT=:spserver:... with an SSL
capable cvs client would be a lot easier.

3. Add a 'admins' file in cvsroot/CVSROOT that would quickly and easily
allow you to define who can do stuff to the CVSROOT portion of the
repository. I'm sure you could do this with some of the wrapper
scripts/etc, but that's not particularly clean. Syntax could be
something like

        -----------------
        user:aurd:
        user1:ur:file1 file2 file3 
        -----------------

which would allow user to add, update, read or delete any file, and
user1 could update or read file1, file2 or file3. Initially though, I
would suggest the file be simply a list of userids, like readers and
writers. 

4. After the ssl stuff is working, allow use of client certificates to
authenticate instead of the cvs passwd file.

5. Add a command line flag that defines an anonymous user(s) - yes, you
can do this by defining the user in the passwd file, but it would be
nice to have ftp style anonymous connections, where you could put in
your email address as the password and have that logged. Defining the
user as anonymous would automatically apply a non-admin and non-writer
restriction to the connection. 

These are just a few things that I think might yield a cvs server that
is easier to set up and secure. All of the above changes should remain
completely compatible with existing clients. The spserver method could
still be used with ssltunnel for those users that wanted to do it that
way. 

As for the SSL, I'd say just build it with OpenSSL - granted at the
moment that's not legal in the U.S. unless you're building with rsaref
and even then only for non-commercial - but it will be legal in a little
over 6 months. 

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  [EMAIL PROTECTED]
University of Missouri - Rolla         Phone: (573) 341-4841
CIS - Systems Programming                Fax: (573) 341-4216
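
The 'admins' file syntax proposed in item 3 of the message above, as an added example that is not part of the original message or of CVS: a Python parser with a default-deny access check. The letter meanings (a/u/r/d), an empty third field meaning "any file", '#' comment lines, and the names parse_admins and allowed are assumptions.

```python
# Added illustration of the proposed 'admins' file (user:perms:files).
# Not CVS code; the semantics below are assumptions drawn from the message.
PERMS = {"a": "add", "u": "update", "r": "read", "d": "delete"}

# Constructed sample, matching the two lines shown in the message.
SAMPLE = """\
user:aurd:
user1:ur:file1 file2 file3
"""

def parse_admins(text):
    """Return {user: (perm_letters, files)}; files is None for "any file".

    Malformed lines raise ValueError so a typo never widens access.
    """
    acl = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comments: assumption
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:perms:files")
        user, perms, files = (p.strip() for p in parts)
        if not user or not perms or set(perms) - set(PERMS):
            raise ValueError(f"line {lineno}: bad user or permission letters")
        if user in acl:
            # Reject duplicates instead of silently merging or overriding.
            raise ValueError(f"line {lineno}: duplicate entry for {user!r}")
        acl[user] = (set(perms), frozenset(files.split()) if files else None)
    return acl

def allowed(acl, user, op, filename):
    """Default deny: unknown users, ops and unlisted files get no access."""
    entry = acl.get(user)
    if entry is None:
        return False
    perms, files = entry
    if op not in perms:
        return False
    return files is None or filename in files
```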
