On Thu, Dec 27, 2001 at 02:01:51AM -0800, Prasad Paranjape wrote:
> Dear Binand and gurus at LIH,

Don't know whether to get offended by this or not ;-)

> I also have rwx rights to all users on all the files
> and the directory CVSROOT under /usr/local/cvsroot
> which is my cvs root. So there is universal read write
> execute access to the world.

That is bad.

An HDI (ask Bish what that means ;-):

Add a user called cvs (home directory /usr/local/cvsroot). Add a group called
project.

    groupadd project
    useradd -d /usr/local/cvsroot -g project cvs

Then (after su'ing to cvs user):

    cvs -d /usr/local/cvsroot/myproject init

Now, still as cvs user, go to the directory where you have your sources,
and add the files:

    cd /path/to/myproject/files
    cvs -d /usr/local/cvsroot/myproject import -m 'Initial import' myproject myproject start

Now, set the ownerships and permissions:

    cd /usr/local/cvsroot
    # This shouldn't be necessary, if you have done all the above correctly
    chown -R cvs:project myproject
    find myproject -type d -exec chmod 770 {} +
    find myproject -type f -exec chmod 660 {} +

Put all the users who will be checking out/in this codebase into the
project group:

    # -a appends; -G alone would replace each user's other supplementary groups
    for user in user1 user2 user3; do usermod -a -G project "$user"; done

Have an /etc/xinetd.d/cvspserver file like:

    service cvspserver
    {
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        server      = /usr/bin/cvs
        env         = HOME=/usr/local/cvsroot
        server_args = --allow-root=/usr/local/cvsroot/myproject pserver
        disable     = no
    }

Tell xinetd that things have changed.

    /sbin/service xinetd reload

(This is redhat specific - adapt this to the way you reload services in
your distribution)

That is all. You don't have to do anything else. Any other changes you made,
undo them.

Now, to test:

su over to one of your users - let us say user1:

    su -l user1

Check if the user is in the project group:

    id -Gn user1

The output should have "project" in it, apart from his primary group.

Now, get the sources from CVS:

    mkdir checkedout; cd checkedout
    cvs -d :pserver:user1@localhost:/usr/local/cvsroot/myproject login

(Give the password for user1 on localhost here).

    cvs -d :pserver:user1@localhost:/usr/local/cvsroot/myproject checkout myproject

This should check out the sources for user1.

Now you are all set. Give out to users that their cvsroot is

    :pserver:[EMAIL PROTECTED]:/usr/local/cvsroot/myproject

To have many projects in CVS, have one group per project. Add the cvs user
to all these groups. Keep the group of these files as the project group. Add
developers to their projects' groups. Add an allow-root option for each
project in the xinetd file. Reload xinetd.

Binand

PS: This is a minimal, simplistic setup. This may not be the most secure.
In particular, the permissions and ownerships that I have suggested
might not be the best way to do it. Do not put this CVS server open on
the Internet. Ask your firewall administrator to block port 2401. I
sincerely believe the best way to access remote cvs servers is via
ssh. Don't blame me if things go wrong.

PPS: CVS is not yet PAM-aware. So, every developer will need a login
on your cvs server. You have to evaluate the implications of this. A
rewrite of CVS's network code that is PAM aware is available on
http://cvs-nserver.sourceforge.net - you can try that also.
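
The ownership and permission layout described in the message above (project group, directories 770, files 660, nothing for the world) can be checked after the fact. The following is an added example, not part of the original post or of CVS; the function names audit_cvs_perms and demo_tree are hypothetical, and the sample tree is constructed.

```shell
# Added example (not from the original post). Function names are hypothetical.
# audit_cvs_perms REPO GROUP
#   Prints every file or directory under REPO that departs from the layout
#   in the post: owned by the project group, no access for "other",
#   directories rwx for the group (770).
#   Returns 0 if clean, 1 if anything was printed, 2 on bad input.
audit_cvs_perms() {
    acp_repo=$1
    acp_group=$2
    if [ ! -d "$acp_repo" ] || [ -z "$acp_group" ]; then
        echo "usage: audit_cvs_perms REPO GROUP" >&2
        return 2
    fi
    acp_found=$(
        {
            # Any r, w or x bit set for "other" (portable spelling of 007).
            find "$acp_repo" \( -type d -o -type f \) \
                \( -perm -004 -o -perm -002 -o -perm -001 \) -print
            # Not owned by the project group.
            find "$acp_repo" \( -type d -o -type f \) ! -group "$acp_group" -print
            # Directories the group cannot read, write and search.
            find "$acp_repo" -type d ! -perm -070 -print
        } | sort -u
    )
    if [ -z "$acp_found" ]; then
        return 0
    fi
    printf '%s\n' "$acp_found"
    return 1
}

# Constructed sample tree, so the check can be tried without a real repository.
demo_tree() {
    dt_root=$(mktemp -d) || return 1
    mkdir -p "$dt_root/myproject/src"
    : > "$dt_root/myproject/src/main.c,v"
    : > "$dt_root/myproject/src/leaky.c,v"
    chmod 770 "$dt_root/myproject" "$dt_root/myproject/src"
    chmod 660 "$dt_root/myproject/src/main.c,v"
    chmod 666 "$dt_root/myproject/src/leaky.c,v"   # world read/write: a finding
    printf '%s\n' "$dt_root/myproject"
}
```

Against the setup in the post it would be called as `audit_cvs_perms /usr/local/cvsroot/myproject project`.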