Hi all!

    To better fit the purposes at our institute, I implemented a small
extension to the CVS server (see below). Find attached the patch (created with 
"cvs diff -u"), including all my changes to source code and documentation. I 
tried to follow the guidelines described in "HACKING", with two exceptions:

*) All recent ChangeLog entries are by Derek or Larry, so I gave a short 
explanation to "NEWS" only.
*) The self-test procedures in "sanity.sh" explicitly turn off system 
authentication. However, my code requires system authentication to work. I 
could add an extra entry with SystemAuth=yes, but a fully automatic test of 
the new code requires the script to run as root (since a test user has to be 
created) which, I guess, is undesirable. Anyway, I could try to hack such a 
thing, but I would prefer to have some other opinions on this beforehand.

        Regards,
                Markus


P.S.: short description of my patch: by providing the "passwd" file in
the CVSROOT directory, the administrator can define users that should be
allowed to access the repository, passwords of these users, and
optionally user names to which each connection should be mapped at the
server. We found it convenient to use each user's system password for
authentication instead of the one provided in CVSROOT/passwd to avoid
having to keep CVSROOT/passwd up to date manually. Our modified CVS
server checks the system password if "+" is given in CVSROOT/passwd
instead of the encrypted password (inspired by the syntax in
/etc/passwd, where "+::::::" tells the system to look elsewhere (namely,
YP) for user records).

-- 
Markus Grabner - Computer Graphics and Vision
Graz University of Technology, Inffeldgasse 16/II, 8010 Graz, Austria
Phone: +43/316/873-5041, Fax: +43/316/873-5050
Email: [EMAIL PROTECTED], WWW: http://www.icg.tu-graz.ac.at/~grabner
Index: doc/cvs.texinfo
===================================================================
RCS file: /cvsroot/ccvs/doc/cvs.texinfo,v
retrieving revision 1.541
diff -u -r1.541 cvs.texinfo
--- doc/cvs.texinfo	17 Apr 2002 18:12:48 -0000	1.541
+++ doc/cvs.texinfo	29 Jul 2002 12:40:15 -0000
@@ -2385,9 +2385,10 @@
 administrative files}).  It uses a colon-separated
 format, similar to @file{/etc/passwd} on Unix systems,
 except that it has fewer fields: @sc{cvs} username,
-optional password, and an optional system username for
+optional password (or @code{+} to tell @sc{cvs} to use
+the system password), and an optional system username for
 @sc{cvs} to run as if authentication succeeds.  Here is
-an example @file{passwd} file with five entries:
+an example @file{passwd} file with six entries:
 
 @example
 anonymous:
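Review bot: the new parenthetical in the field description, "(or @code{+} to tell @sc{cvs} to use the system password)", should say that this only works with @code{SystemAuth=yes}; the restriction appears several paragraphs later, but a reader skimming the field list will add markus:+:pubcvs under the default config and get a refusal with no hint why. Suggest: "or @code{+} to have @sc{cvs} check the user's system password instead (requires @code{SystemAuth=yes}, @pxref{config})".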
@@ -2395,6 +2396,7 @@
 spwang:1sOp854gDF3DY
 melissa:tGX1fS8sun6rY:pubcvs
 qproj:XR4EZcEs0szik:pubcvs
+markus:+:pubcvs
 @end example
 
 @noindent
@@ -2440,6 +2442,15 @@
 system username is so that you can arrange permissions
 in the relevant area of the repository such that only
 that account has write-permission there.
+
+The sixth line will grant access to @code{markus}, if he
+supplies his correct system password (this requires setting
+@code{SystemAuth=yes} in the @sc{cvs} @file{config} file,
+@pxref{config}). Authentiocation is the same as if
+@code{markus} were not listed in the password file, but
+his @sc{cvs} operations will run on the server side under
+the system user @code{pubcvs}. Please see below for a
+discussion of security risks when using system passwords.
 
 If the system-user field is present, all
 password-authenticated @sc{cvs} commands run as that
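Review bot: typo in the added paragraph: "Authentiocation" should be "Authentication". The paragraph also leaves open what happens when @code{SystemAuth} is off and a @code{+} entry exists; state it explicitly (for example "the entry is treated as a failed login") and make sure server.c behaves that way, since the manual and the code are the only two places an administrator can check.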
Index: src/server.c
===================================================================
RCS file: /cvsroot/ccvs/src/server.c,v
retrieving revision 1.275
diff -u -r1.275 server.c
--- src/server.c	18 Jun 2002 13:35:28 -0000	1.275
+++ src/server.c	29 Jul 2002 12:40:17 -0000
@@ -5399,6 +5399,7 @@
  * 0 means no entry found for this user.
  * 1 means entry found and password matches (or found password is empty)
  * 2 means entry found, but password does not match.
+ * 3 means entry found, but system password check requested.
  *
  * If 1, host_user_ptr will be set to point at the system
  * username (i.e., the "real" identity, which may or may not be the
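Review bot: the comment two lines below the new return code, "If 1, host_user_ptr will be set to point at the system username", is now incomplete, because the new rc == 3 branch also fills in *host_user_ptr. Change it to "If 1 or 3, ..." and add that for 3 the caller is still responsible for the password check, otherwise the next reader of check_repository_password will assume a 3 has already been authenticated.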
@@ -5529,6 +5530,11 @@
             *host_user_ptr = xstrdup (host_user_tmp);
 	    retval = 1;
         }
+	else if ((found_password != NULL) && (strcmp(found_password, "+") == 0))
+	{
+            *host_user_ptr = xstrdup (host_user_tmp);
+	    retval = 3;	    
+	}
 	else
         {
             *host_user_ptr = NULL;
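Review bot: the new `else if ((found_password != NULL) && (strcmp(found_password, "+") == 0))` branch is reached only after the branch above it, which is where the rc == 1 password match happens, has been evaluated; if that condition compares found_password against crypt (password, found_password), the literal "+" is handed to crypt() as a salt first ("+" is outside the salt alphabet, and some crypt() implementations return NULL for a bad salt, which strcmp would then dereference). Test for "+" before anything is passed to crypt(). Style: the project writes `strcmp (x, y)` with a space before the parenthesis, and `retval = 3;` carries trailing whitespace and mixes tabs with the surrounding spaces.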
@@ -5574,7 +5580,7 @@
         /* host_user already set by reference, so just return. */
         goto handle_return;
     }
-    else if (rc == 0 && system_auth)
+    else if (((rc == 0) || (rc == 3)) && system_auth)
     {
 	/* No cvs password found, so try /etc/passwd. */
 
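Review bot: with rc == 3 and system_auth off this condition is false, but check_repository_password has already stored the mapped system user in host_user; whatever branch below takes that case (not part of this diff) must reset host_user to NULL and refuse the login, otherwise markus:+:pubcvs on a server that has not set SystemAuth=yes would let anyone in as pubcvs with no password check at all. Adding `if (rc == 3 && !system_auth) { free (host_user); host_user = NULL; goto handle_return; }` (or an error_exit with a clear message) ahead of this test makes the intent explicit. The comment "No cvs password found, so try /etc/passwd." is also wrong for the rc == 3 case now.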
@@ -5626,14 +5632,26 @@
 	 * might be expired.  I think the way to go here
 	 * is with PAM.
 	 */
-	strtok (found_passwd, ",");
+	strtok ((char *)found_passwd, ",");
 
 	if (*found_passwd)
         {
 	    /* user exists and has a password */
-	    host_user = ((! strcmp (found_passwd,
-                                    crypt (password, found_passwd)))
-                         ? xstrdup (username) : NULL);
+	    if (rc == 3)
+	    {
+	        /* host_user has already been set */
+		if (strcmp (found_passwd,
+			    crypt (password, found_passwd)))
+		{
+		    host_user = 0;
+		}
+	    }
+	    else
+	    {
+		host_user = ((! strcmp (found_passwd,
+					crypt (password, found_passwd)))
+			     ? xstrdup (username) : NULL);
+	    }
             goto handle_return;
         }
 	else if (password && *password)
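Review bot: `host_user = 0;` in the new rc == 3 failure path leaks the string xstrdup'd by check_repository_password and uses 0 where the surrounding code writes NULL; use `free (host_user); host_user = NULL;`. The rc == 3 special case also covers only the `if (*found_passwd)` branch: the `else if (password && *password)` branch and whatever follows it still treat host_user as unset, so for a system account with an empty password field check that they free the already-set string and, on success, keep the pubcvs mapping rather than falling back to xstrdup (username). Separately, the `(char *)` cast added to the strtok call is an unrelated warning fix that casts away const on a buffer strtok writes into; keep it out of this patch.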
Index: NEWS
===================================================================
RCS file: /cvsroot/ccvs/NEWS,v
retrieving revision 1.108
diff -u -r1.108 NEWS
--- NEWS	9 Jul 2002 18:15:32 -0000	1.108
+++ NEWS	29 Jul 2002 12:40:17 -0000
@@ -1,5 +1,9 @@
 Changes since 1.11.2:
 
+* An additional authentication mode has been implemented, allowing to use the
+system password of a CVS user, but still to map the CVS user name to a
+different system user name.
+
 * When waiting for another user's lock, the message timestamps are now
 in UTC rather than the server's local time.
 
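Review bot: "allowing to use the system password of a CVS user, but still to map" is ungrammatical; suggest "a `+` in the password field of a CVSROOT/passwd entry makes the server check the user's system password (SystemAuth=yes required) while still mapping the CVS user to the system user named in the third field". Naming the `+` syntax and the SystemAuth requirement here saves administrators a trip to the manual.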

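The CVSROOT/passwd lookup described in the P.S., as an added example that is not part of the message or of the CVS sources. It is written in Python rather than C so it runs without libcrypt: crypt(3) is replaced by a salted SHA-256 stand-in with the same calling convention, the passwd lines and the system-password table are constructed, and the function names only mirror check_repository_password / check_password from src/server.c. It also makes the SystemAuth=no refusal of a "+" entry explicit and tests for "+" before anything reaches the hash function.

```python
import hashlib
from typing import Dict, Optional, Tuple


def crypt_stub(password: str, salt: str) -> str:
    """Stand-in for crypt(3), same calling convention: the stored string
    doubles as the salt, so stored == crypt_stub(candidate, stored) means
    the candidate matches.  Two-character salt, then 22 hash characters."""
    salt = salt[:2]
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:22]


def check_repository_password(username: str, password: str,
                              passwd_text: str) -> Tuple[int, Optional[str]]:
    """Look up username in CVSROOT/passwd text (cvsuser:password:sysuser).

    Return codes follow the comment in src/server.c plus the proposed 3:
      0  no entry for this user
      1  entry found and password matches (or the entry's password is empty)
      2  entry found but password does not match
      3  entry found with "+": defer to the system password
    The second element is the system user to run as (codes 1 and 3 only)."""
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] != username:
            continue
        found_password = fields[1] if len(fields) > 1 else ""
        host_user = fields[2] if len(fields) > 2 and fields[2] else username
        if found_password == "+":
            # Checked before any hashing: "+" is not a valid salt and must
            # never be handed to crypt().
            return 3, host_user
        if found_password == "" or found_password == crypt_stub(password, found_password):
            return 1, host_user
        return 2, None
    return 0, None


def check_password(username: str, password: str, passwd_text: str,
                   system_auth: bool, system_passwd: Dict[str, str]) -> Optional[str]:
    """Server-side decision: the system user to run as, or None to refuse.

    system_passwd stands in for getpwnam()/getspnam(): username -> stored
    hash, or "" for an account with no password at all."""
    rc, host_user = check_repository_password(username, password, passwd_text)
    if rc == 2:
        return None
    if rc == 1:
        return host_user
    # rc is 0 or 3: only the system password can let this user in.
    if not system_auth:
        # A "+" entry on a server with SystemAuth=no is refused outright;
        # the host_user produced by the "+" lookup must not survive here.
        return None
    stored = system_passwd.get(username)
    if stored is None:
        return None                      # no such system user
    if stored:
        if stored != crypt_stub(password, stored):
            return None                  # wrong system password
    elif password:
        return None                      # passwordless account, client sent one
    # For "+" run as the mapped account, otherwise as the user themselves.
    return host_user if rc == 3 else username


# Constructed sample data for this example.
CVSROOT_PASSWD = "\n".join([
    "anonymous:",
    "melissa:" + crypt_stub("melissa-pw", "tG") + ":pubcvs",
    "markus:+:pubcvs",
])
SYSTEM_PASSWD = {
    "markus": crypt_stub("system-pw", "Xy"),
    "guest": "",                          # passwordless system account
}

if __name__ == "__main__":
    print(check_password("markus", "system-pw", CVSROOT_PASSWD, True, SYSTEM_PASSWD))
    print(check_password("markus", "system-pw", CVSROOT_PASSWD, False, SYSTEM_PASSWD))
```

The two calls at the bottom show the point the patch leaves implicit: the same "+" entry yields "pubcvs" with SystemAuth on and a refusal with it off, and in neither case does the "+" string ever reach the hash comparison.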