I tried that chroot setup and encountered the same problems. I am
not sure what the chroot jail would/could buy you but grief, if you
do not want to run cvs as root.

Here's what I set up for a non-root pserver.

One account, cvspserv, in one group, cvsadm. That account has no
password and no login shell. I don't know if this setup helps with
anything, but a password and login are not needed for the server
account.

No users should belong to the cvsadm group. This is the group that
owns the CVS repository. (Also have a CM cvsadm account in the
cvsadm group; all CM dirs, builds, files, etc. outside the
repository are chmod go-w and owned by the cvsadm account.)

/etc/services is set up as normal, but the /etc/inetd.conf file
has this line instead of the normal one (of course you could use
the normal line from the manual, replacing the root account with
cvspserv):

cvspserver stream tcp nowait cvspserv /home/cvsadm/bin/run-cvs run-cvs

run-cvs is a C program that calls cvs pserver after reading in a
config file for --allowroot options. This allows me to
create/move/delete repositories dynamically without having to
change inetd.conf.

The cvs repositories are located at some place like /cvs/roots/.
There is one password file owned by the cvsadm account and all the
CVSROOT/passwd files are symlinked to it. Access to each project
repository is managed by the CVSROOT/writers file.

Since only 2 accounts are in the cvsadm group, all access to the
repositories must be through pserver, even users on the local
machine (except, of course, the cvsadm account).

If you are looking for NORAD level security, search the posts for
the last few months. It's a well discussed topic.

Hope something here helps.

Mark

--- Rob Eso [EMAIL PROTECTED] wrote:

Hey everyone

I have been trying to set up a chroot cvs server for a while now,
but keep running into the same problem. I have created a user cvs
to run the server under, and have chroot'd the server to
/home/cvs/jail/

I have followed the instructions in a few howtos on setting up a
Chroot CVS Server, but always run into this problem:

I am able to log in and authenticate with the pserver alright, but
when I try to import a new project into the repository I get:

[rae@skywalker myproj]$ cvs -d $CVSROOT import myproj v1 r1
Fatal error, aborting.
cvs: no such user
cvs import: authorization failed: server vader rejected access to /cvsroot for user rob

The repository is set up in /home/cvs/jail/cvsroot

the CVSROOT/passwd file contains:
rob::cvs
billy::cvs
susy::cvs

the CVSROOT/readers file contains:
susy

the CVSROOT/writers file contains:
rob
billy

(Just using sample names)

But each time I get the no such user error.

I have gone searching through the cvs-info mailing list archive,
and found no other mention of this problem. I am curious though,
is a chroot jail necessary? In one thread about the chroot patch
for 1.10, someone posted that it was easy for a malicious user to
execute a script and escape from the chroot jail, which makes me
wonder what is the point then of a chroot jail?

Oh yes, I am running Red Hat 7.1 with
CVS 1.11 ( cvs-1.10.8-8.i386.rpm )

Thanks

Rob
[EMAIL PROTECTED]
___
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
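
A sketch of a wrapper along the lines of the run-cvs program Mark describes, added here as an example; it is not Mark's program. The roots file path and its one-root-per-line format, the /usr/bin/cvs location and the refuse-if-root check are assumptions; `-f` and `--allow-root=` are the options used in the CVS manual's inetd line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CVS_BIN    "/usr/bin/cvs"            /* assumed install path */
#define ROOTS_FILE "/home/cvsadm/etc/roots"  /* hypothetical config file */
#define MAX_ARGS   68

/* Accept only absolute paths that contain no ".." component. */
static int root_ok(const char *p) {
    if (p[0] != '/') return 0;
    for (const char *s = p; (s = strstr(s, "..")) != NULL; s += 2)
        if (s[-1] == '/' && (s[2] == '/' || s[2] == '\0')) return 0;
    return 1;
}

/* Build "cvs -f --allow-root=<dir>... pserver"; returns argc, or -1 on any bad input. */
static int build_argv(FILE *cfg, char **argv, int max) {
    char line[1024];
    int n = 0;
    argv[n++] = "cvs";
    argv[n++] = "-f";                         /* do not read ~/.cvsrc */
    while (fgets(line, sizeof line, cfg)) {
        size_t k = strcspn(line, "\r\n");
        if (line[k] == '\0' && !feof(cfg)) return -1;   /* overlong line */
        line[k] = '\0';
        if (line[0] == '\0' || line[0] == '#') continue; /* blank or comment */
        if (!root_ok(line) || n + 3 > max) return -1;   /* keep room for pserver + NULL */
        size_t len = strlen(line) + sizeof "--allow-root=";
        char *arg = malloc(len);
        if (!arg) return -1;
        snprintf(arg, len, "--allow-root=%s", line);
        argv[n++] = arg;
    }
    argv[n++] = "pserver";
    argv[n] = NULL;
    return n;
}

int main(void) {
    char *argv[MAX_ARGS];
    FILE *cfg = fopen(ROOTS_FILE, "r");
    /* Refuse to start as root, or with a missing or malformed roots file. */
    if (geteuid() == 0 || !cfg || build_argv(cfg, argv, MAX_ARGS) < 0)
        return 1;
    fclose(cfg);                              /* do not leak the descriptor to cvs */
    execv(CVS_BIN, argv);
    return 1;                                 /* reached only if execv failed */
}
```

The wrapper fails closed: one bad line in the roots file stops the server from starting rather than silently serving a subset of repositories. Errors are not printed because under inetd stderr is the client connection.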