Setting up a CVS server (pserver)

rsk · Posted: Thu May 08, 2003 8:47 pm Post subject: Setting up a CVS server (pserver)

NOTE: This was done with Gentoo 1.4rc3 and 1.4rc4, YMMV

Hey guys,
I was wondering how to do this about 3 days ago and hunted through the forums and got it working by combining a lot of feedback from a lot of good people (this thread in particular: https://forums.gentoo.org/viewtopic.php?t=38844&highlight=cvs+server) and I just wanted to summarize for the people out there that didn't have the time to go hunting. Please note that I am summarizing the way I setup CVS, but I think there is just a hair more than 10e6 ways to do it :)

This setup is for using pserver with CVS. No ssh stuff yet, I haven't figured that out yet :)

1) emerge xinetd (this guy is in charge of listening for CVS service requests and waking up a cvs process to take care of the user)
2) emerge CVS (here is the big guy himself)
3) OPTIONAL: emerge superadduser (this is just a damn handy util to have around)

Ok that's it for emerging, now we just have to change configurations and all that jazz.

NOTE: I did all of this while logged in as root, so adjust your plan of attack accordingly.

NOTE 2: Whenever I name something, like a group name, or user name, or directory name... feel free to use something different, just be consistent.

3) create a new "cvs" group with our friend groupadd (groupadd cvs).

4) create a new user (using superadduser or useradd) with the name "cvs" and make their initial (and ONLY) group "cvs". So don't stick them in users or something. Also make sure their shell points to "/bin/false" so someone can't use that account to login (assuming you gave it some easy to guess name.). And lastly make their home directory "/home/cvsroot"

Ok so now you have the software installed, and the user created. Now we need to tie these two things together so they play nice.

5) go into your /etc dir
6) edit the xinetd.conf file, and remove the first line "only_from". It probably says something like only_from localhost. This will limit logins to only localhost, or only whatever IP you put there. If you WANT this kind of security, then change it. NOTE: I don't know how you specify multiple hosts (commas, spaces, whatever) sorry.

Ok we should be done with this file.

7) Go into your /etc/xinetd.d directory

8) type "ls" and look at all the pretty files. These all represent services that xident can start for you and do stuff with. "Stuff" more specifically meaning 'i don't know'.

9) edit the cvspserver file

Now just peruse this file, take a look at the field names. Notice in this file that user/group are already "cvs", you see that? I'm psychic.

Some people have throw security to the wind and changed the user to "root", although I suppose that is about as safe as sticking your face into a bee hive.

anyway...

10) Look at the first line "disable yes", change that to a "no". By default all xinetd services are disabled, so the user can enable what he/she wants. Or atleast this is good practice, and cvs seems to be cooperating with that.

You should be done with that file, unless you want to change the port or something.

Ok so now we need to make sure the repository is setup alright.

11) type "cvs -d /home/cvsroot init" to init the repository.

Now keep in mind though that you just did that as root, so now you need to give the files back to user "cvs" so he won't cry

12) cd /home
chown cvs:cvs -R cvsroot

you should be in good shape now, make sure that cvs/cvs owns that dir as well as every file and dir under it (right now should just be CVSROOT). If you have some shell config files in there (.bashrc, .bash_profile) go ahead and erase them, the user can't ever login to use them anyway.

ok to recap we have:
* user and group "cvs"
* software "xinetd" and "cvs" installed
* software "xinetd" configured to enable cvspserver service for the user cvs/cvs using the dir /home/cvsroot
* we've inited the repository
* we've fixed the permissions

what's left? Nothing right? WRONG!

This one had me stumped for about an hour.

Now we need to create/edit the /home/cvsroot/CVSROOT/passwd file. This file is used by CVS to either provide name/pass pairs, or loginName/systemName mappings. So for example, we want to tell cvs "Hey, I'm going to allow a login called "cvs", but I want you to map it to my local system user "cvs"". Let me clarify.

You created a system account called "cvs" in a group called "cvs". You told xinetd that the cvspserver service is allowed to play only with users named "cvs" in the group "cvs". But now you have to tell CVS what login names (just names, not accounts) are allowed to use CVS. So you could have 10 cvs logins (bob, frank, john, marry, etc. etc.) all mapped to the "cvs" account. That way when "frank" logs in, CVS goes "oh ok, frank is really the CVS account, so I'll have to validate against the system password for that account". You can of course specify passwords in the passwd file and not do mappings if you wish, but I prefer to map them to accounts.

so now the format of this passwd file is:

cvsLoginName:optionalCvsPassword:optionalSystemAccountMapping

so for our purposes, we want to put this in the passwd file:

13) cvs::cvs

So here you see I've mapped CVS login name "cvs" to our system user "cvs". So i'll have to use the system user's password when I login using cvs.

Ok we are getting close, I think that's pretty much it, just make sure to restart xinetd or else all of this was for naught:

14) /etc/init.d/xinetd restart

Ok now try to login to the cvs repository:

15) cvs -d :pserver:cvs@myDomainName.com:/home/cvsroot login
// enter your password

walla!

If that didn't work, I'm sorry I must have missed a step. post your problem here and hopefully I can ammend the post to address it (or someone else can correct me). I'm only 3-days new to this anyway...

NOTE: Some people have mentioned that changing the ownership of the cvs executable has helped them with permission denied problems, but I don't necessarily think this is a good idea.

Ok that's it for now, I hope this helped all 2 of you that wnated to setup CVS :)
_________________
Best,
Riyad

pjp · Administrator Joined: 16 Apr 2002 Posts: 20067

Moved from Portage & Programming.
_________________
Quis separabit? Quo animo?

rsk · Posted: Thu May 08, 2003 9:23 pm Post subject:

woops sorry
_________________
Best,
Riyad

sessionID · Posted: Fri May 09, 2003 7:03 am Post subject:

Very nice tutorial, thanks!

A few notes:

I had to copy /usr/portage/dev-util/cvs/files/cvspserver.xinetd.d to /etc/xinet.d (there was no cvspserver file).
The other thing that was not clear for me, is that you have to use encrypted passwords in the passwd file :oops:

rsk · Posted: Fri May 09, 2003 7:12 am Post subject:

no problem I'm glad it helped!

That cvspserver thing is strange, what ver of gentoo are you using?

And yes your absolutely right, encrypted passwords! Thx for the refinement.
_________________
Best,
Riyad

iplayfast · Posted: Fri May 09, 2003 7:29 am Post subject:

I've just set up a pserver cvs as well. I didn't use your tutorial, but I wish I'd seen it.

I've still got one niggling little problem. If I check something out locally the owner chnages to me (ok) but the group is root.

Anyone know what would cause that, and how to make it something sensible (cvsadmin).

Thanks in advance.

PS. Your tut should be submitted as one of the docs.

charlieg · Posted: Fri May 09, 2003 9:08 am Post subject:

A similar tutorial for setting up CVS over SSH instead of pserver would be nice.

_________________
Want Free games?
Free Gamer - open source games list & commentary

Open source web-enabled rich UI platform: Vexi

sessionID · Posted: Fri May 09, 2003 9:34 am Post subject:

sessionID · Posted: Fri May 09, 2003 9:58 am Post subject:

Stalione · Guru Joined: 21 Apr 2002 Posts: 335

logic · n00b Joined: 12 Apr 2002 Posts: 2

nice, worked great for me..

only one thing
# emerge CVS

should be :
# emerge cvs

S_aIN_t · Guru Joined: 11 May 2002 Posts: 488 Location: Ottawa

thanks it worked just fine for me. i did the same thing with fbsd a long time ago.. and didn't remember. the guide helped.
_________________
"That which is overdesigned, too highly
specific, anticipates outcome; the anicipation of
outcome guatantees, if not failure, the
absence of grace."
- William Gibson, "All Tomorrow's Parties"
----
http://petro.tanreisoftware.com

rsk · Posted: Sat May 17, 2003 8:19 pm Post subject:

thanks guys for the positive feedback... maybe one of these days (now that its summer) I should sit down and write a much better structured guide, including all the refinements and info I find on the forums, and include SSH setup and submit it to gentoo docs...
_________________
Best,
Riyad

mikepb78 · Apprentice Joined: 27 Feb 2003 Posts: 171 Location: London

Why not use SSH and CVS. It is easier to install and manage. And as a bonus it more secure.

1) emerge cvs ssh
2) cvs -d /cvs init (as non root)
3) add users and create ssh keys.

Once the have added there keys then then can access the cvs repository

adrenalin · Tux's lil' helper Joined: 29 Dec 2002 Posts: 129

Thanks too

your guide saved me some hours, but are you sure about that one in the passwd file ?

rsk · Posted: Wed May 21, 2003 4:13 pm Post subject:

Oh shit, you're right! I just tried logging in by hitting "enter" on an account that has a password, and it logged in fine

Thanks so much for pointing this out. Then I suppose the "correct" way around this is to copy the encoded password out of the /etc/passwd file into the CVSROOT/passwd file into the middle place holder. I had read this is the way to set passwords before, but I think I misinterpreted it mean "another" way you could do passwords instead of the "WAY" to do passwords...

Wow that's a big oversight on my part. Thanks again!
_________________
Best,
Riyad

adrenalin · Tux's lil' helper Joined: 29 Dec 2002 Posts: 129

uh, did you read my whole post ?

If yes, then i guess you didnt get it right.

If you want to use system auth, then you should remove the user from CVSROOT/passwd. However you should avoid using system account passwords through pserver anyway, because they are sent cleartext. Use different passwords for pserver or even better use ssh instead of pserver. As far as i understand, pserver should only be used for anonymous read only access. If you need any type of auth, then use ssh fex instead and read the docs again

. If you insist on using auth trough pserver, then DONT use system account passwords

phunni · Posted: Tue Jun 03, 2003 2:23 pm Post subject:

OK - I have file permissions problems. I can only import a new project as root, and I can only check out the CVSROOT module

How do I use this setup to allow me to import a project as a non root user and then be able to check it out?

Edit the specific error I am getting is:

adrenalin · Tux's lil' helper Joined: 29 Dec 2002 Posts: 129

TAF · n00b Joined: 20 Jan 2003 Posts: 31

You have a little error, more or less reported about the passwd file.

The correct way to do it is:

1.put the user name followed by ':'

Eg.

teste:

2.get some program that generates DES keys. in CVS's site it's available one:

http://ccvs.cvshome.org/fom//cache/168.html

3. generate the password for the user and copy it to the passwd file

4. do step 1 until not necessary

vulcan_ · n00b Joined: 06 May 2003 Posts: 61 Location: Gent, Belgium

the CVS guide at http://cvsbook.red-bean.com/cvsbook.html#The_Password-Authenticating_Server
shows how to use this script:

mog · Posted: Thu Aug 14, 2003 11:48 am Post subject:

your tutorial is great ... thx a buch ... :lol:

there is only one question remaining ... how can I create a repository and add things to it?
I know it may be a stupid question, but I have searched a long time and found no answer ...

_________________
To thine own self be true.

MrPyro · Posted: Thu Aug 14, 2003 3:46 pm Post subject:

To create the repository