rsk Apprentice
Joined: 18 Apr 2002 Posts: 220 Location: Tucson, AZ
|
Posted: Thu May 08, 2003 8:47 pm Post subject: Setting up a CVS server (pserver) |
|
|
NOTE: This was done with Gentoo 1.4rc3 and 1.4rc4, YMMV
Hey guys,
I was wondering how to do this about 3 days ago and hunted through the forums and got it working by combining a lot of feedback from a lot of good people (this thread in particular: https://forums.gentoo.org/viewtopic.php?t=38844&highlight=cvs+server) and I just wanted to summarize for the people out there that didn't have the time to go hunting. Please note that I am summarizing the way I set up CVS, but I think there are just a hair more than 10e6 ways to do it :)
This setup is for using pserver with CVS. No ssh stuff yet, I haven't figured that out yet :)
1) emerge xinetd (this guy is in charge of listening for CVS service requests and waking up a cvs process to take care of the user)
2) emerge CVS (here is the big guy himself)
3) OPTIONAL: emerge superadduser (this is just a damn handy util to have around)
Ok that's it for emerging, now we just have to change configurations and all that jazz.
NOTE: I did all of this while logged in as root, so adjust your plan of attack accordingly.
NOTE 2: Whenever I name something, like a group name, or user name, or directory name... feel free to use something different, just be consistent.
3) create a new "cvs" group with our friend groupadd (groupadd cvs).
4) create a new user (using superadduser or useradd) with the name "cvs" and make their initial (and ONLY) group "cvs". So don't stick them in users or something. Also make sure their shell points to "/bin/false" so someone can't use that account to login (assuming you gave it some easy to guess name.). And lastly make their home directory "/home/cvsroot"
Ok so now you have the software installed, and the user created. Now we need to tie these two things together so they play nice.
5) go into your /etc dir
6) edit the xinetd.conf file, and remove the first line "only_from". It probably says something like only_from localhost. This will limit logins to only localhost, or only whatever IP you put there. If you WANT this kind of security, then change it. NOTE: I don't know how you specify multiple hosts (commas, spaces, whatever) sorry.
Ok we should be done with this file.
7) Go into your /etc/xinetd.d directory
8) type "ls" and look at all the pretty files. These all represent services that xinetd can start for you and do stuff with. "Stuff" more specifically meaning 'I don't know'.
9) edit the cvspserver file
Now just peruse this file, take a look at the field names. Notice in this file that user/group are already "cvs", you see that? I'm psychic.
Some people have thrown security to the wind and changed the user to "root", although I suppose that is about as safe as sticking your face into a bee hive.
anyway...
10) Look at the first line "disable yes", change that to a "no". By default all xinetd services are disabled, so the user can enable what he/she wants. Or at least this is good practice, and cvs seems to be cooperating with that.
You should be done with that file, unless you want to change the port or something.
Ok so now we need to make sure the repository is setup alright.
11) type "cvs -d /home/cvsroot init" to init the repository.
Now keep in mind though that you just did that as root, so now you need to give the files back to user "cvs" so he won't cry
12) cd /home
chown cvs:cvs -R cvsroot
you should be in good shape now, make sure that cvs/cvs owns that dir as well as every file and dir under it (right now should just be CVSROOT). If you have some shell config files in there (.bashrc, .bash_profile) go ahead and erase them, the user can't ever login to use them anyway.
ok to recap we have:
* user and group "cvs"
* software "xinetd" and "cvs" installed
* software "xinetd" configured to enable cvspserver service for the user cvs/cvs using the dir /home/cvsroot
* we've inited the repository
* we've fixed the permissions
what's left? Nothing right? WRONG!
This one had me stumped for about an hour.
Now we need to create/edit the /home/cvsroot/CVSROOT/passwd file. This file is used by CVS to either provide name/pass pairs, or loginName/systemName mappings. So for example, we want to tell cvs "Hey, I'm going to allow a login called "cvs", but I want you to map it to my local system user "cvs"". Let me clarify.
You created a system account called "cvs" in a group called "cvs". You told xinetd that the cvspserver service is allowed to play only with users named "cvs" in the group "cvs". But now you have to tell CVS what login names (just names, not accounts) are allowed to use CVS. So you could have 10 cvs logins (bob, frank, john, marry, etc. etc.) all mapped to the "cvs" account. That way when "frank" logs in, CVS goes "oh ok, frank is really the CVS account, so I'll have to validate against the system password for that account". You can of course specify passwords in the passwd file and not do mappings if you wish, but I prefer to map them to accounts.
so now the format of this passwd file is:
cvsLoginName:optionalCvsPassword:optionalSystemAccountMapping
so for our purposes, we want to put this in the passwd file:
13) cvs::cvs
So here you see I've mapped CVS login name "cvs" to our system user "cvs". So i'll have to use the system user's password when I login using cvs.
Ok we are getting close, I think that's pretty much it, just make sure to restart xinetd or else all of this was for naught:
14) /etc/init.d/xinetd restart
Ok now try to login to the cvs repository:
15) cvs -d :pserver:cvs@myDomainName.com:/home/cvsroot login
// enter your password
walla!
If that didn't work, I'm sorry, I must have missed a step. Post your problem here and hopefully I can amend the post to address it (or someone else can correct me). I'm only 3-days new to this anyway...
NOTE: Some people have mentioned that changing the ownership of the cvs executable has helped them with permission denied problems, but I don't necessarily think this is a good idea.
Ok that's it for now, I hope this helped all 2 of you that wanted to setup CVS :) _________________ Best,
Riyad |
|
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
|
Posted: Thu May 08, 2003 9:19 pm Post subject: |
|
|
Moved from Portage & Programming. _________________ Quis separabit? Quo animo? |
|
|
|
rsk Apprentice
Joined: 18 Apr 2002 Posts: 220 Location: Tucson, AZ
|
Posted: Thu May 08, 2003 9:23 pm Post subject: |
|
|
woops sorry _________________ Best,
Riyad |
|
|
|
sessionID Apprentice
Joined: 11 Nov 2002 Posts: 266 Location: hungary
|
Posted: Fri May 09, 2003 7:03 am Post subject: |
|
|
Very nice tutorial, thanks!
A few notes:
I had to copy /usr/portage/dev-util/cvs/files/cvspserver.xinetd.d to /etc/xinetd.d (there was no cvspserver file).
The other thing that was not clear for me, is that you have to use encrypted passwords in the passwd file |
|
|
|
rsk Apprentice
Joined: 18 Apr 2002 Posts: 220 Location: Tucson, AZ
|
Posted: Fri May 09, 2003 7:12 am Post subject: |
|
|
no problem I'm glad it helped!
That cvspserver thing is strange, what ver of gentoo are you using?
And yes you're absolutely right, encrypted passwords! Thx for the refinement. _________________ Best,
Riyad |
|
|
|
iplayfast l33t
Joined: 08 Jul 2002 Posts: 642 Location: Cambridge On,CA
|
Posted: Fri May 09, 2003 7:29 am Post subject: |
|
|
I've just set up a pserver cvs as well. I didn't use your tutorial, but I wish I'd seen it.
I've still got one niggling little problem. If I check something out locally the owner changes to me (ok) but the group is root.
Anyone know what would cause that, and how to make it something sensible (cvsadmin).
Thanks in advance.
PS. Your tut should be submitted as one of the docs. |
|
|
|
charlieg Advocate
Joined: 30 Jul 2002 Posts: 2149 Location: Manchester UK
|
Posted: Fri May 09, 2003 9:08 am Post subject: |
|
|
A similar tutorial for setting up CVS over SSH instead of pserver would be nice. _________________ Want Free games?
Free Gamer - open source games list & commentary
Open source web-enabled rich UI platform: Vexi |
|
|
|
sessionID Apprentice
Joined: 11 Nov 2002 Posts: 266 Location: hungary
|
Posted: Fri May 09, 2003 9:34 am Post subject: |
|
|
rsk wrote: | That cvspserver thing is strange, what ver of gentoo are you using? |
It's installed from the 1.4_rc1 live cd, cvs is 1.11.2. I never updated it, so maybe the ebuild is old. |
|
|
Stalione Guru
Joined: 21 Apr 2002 Posts: 335
|
Posted: Mon May 12, 2003 5:16 pm Post subject: |
|
|
Quote: |
Now we need to create/edit the /home/cvsroot/CVSROOT/passwd file. This file is used by CVS to either provide name/pass pairs, or loginName/systemName mappings. So for example, we want to tell cvs "Hey, I'm going to allow a login called "cvs", but I want you to map it to my local system user "cvs"". Let me clarify.
|
If you created a new passwd file, make sure that after making the changes to it the permissions are set to the cvs user and cvs group
chown cvs.cvs passwd |
|
|
|
logic n00b
Joined: 12 Apr 2002 Posts: 2
|
Posted: Tue May 13, 2003 3:37 pm Post subject: |
|
|
nice, worked great for me..
only one thing
# emerge CVS
should be :
# emerge cvs |
|
|
|
S_aIN_t Guru
Joined: 11 May 2002 Posts: 488 Location: Ottawa
|
Posted: Wed May 14, 2003 6:08 pm Post subject: |
|
|
thanks it worked just fine for me. i did the same thing with fbsd a long time ago.. and didn't remember. the guide helped. _________________ "That which is overdesigned, too highly
specific, anticipates outcome; the anticipation of
outcome guarantees, if not failure, the
absence of grace."
- William Gibson, "All Tomorrow's Parties"
----
http://petro.tanreisoftware.com |
|
|
|
rsk Apprentice
Joined: 18 Apr 2002 Posts: 220 Location: Tucson, AZ
|
Posted: Sat May 17, 2003 8:19 pm Post subject: |
|
|
thanks guys for the positive feedback... maybe one of these days (now that it's summer) I should sit down and write a much better structured guide, including all the refinements and info I find on the forums, and include SSH setup and submit it to gentoo docs... _________________ Best,
Riyad |
|
|
|
mikepb78 Apprentice
Joined: 27 Feb 2003 Posts: 171 Location: London
|
Posted: Sun May 18, 2003 2:01 am Post subject: Why not SSH -> CVS |
|
|
Why not use SSH and CVS? It is easier to install and manage. And as a bonus it is more secure.
1) emerge cvs ssh
2) cvs -d /cvs init (as non root)
3) add users and create ssh keys.
Once they have added their keys then they can access the cvs repository |
|
|
|
adrenalin Tux's lil' helper
Joined: 29 Dec 2002 Posts: 129
|
Posted: Tue May 20, 2003 11:46 pm Post subject: Re: Setting up a CVS server (pserver) |
|
|
Thanks too
your guide saved me some hours, but are you sure about that one in the passwd file ?
rsk wrote: |
13) cvs::cvs
So here you see I've mapped CVS login name "cvs" to our system user "cvs". So i'll have to use the system user's password when I login using cvs.
|
did you ever try logging in without/with different password ?
'info cvs RET g TAB p TAB i TAB s TAB r TAB RET' wrote: |
...
CVS can also fall back to use system authentication. When
authenticating a password, the server first checks for the user in the
`$CVSROOT/CVSROOT/passwd' file. If it finds the user, it will use that
entry for authentication as described above. But if it does not find
the user, or if the CVS `passwd' file does not exist, then the server
can try to authenticate the username and password using the operating
system's user-lookup routines (this "fallback" behavior can be disabled
by setting `SystemAuth=no' in the CVS `config' file, *note config:: ).
...
|
|
|
|
|
rsk Apprentice
Joined: 18 Apr 2002 Posts: 220 Location: Tucson, AZ
|
Posted: Wed May 21, 2003 4:13 pm Post subject: |
|
|
Oh shit, you're right! I just tried logging in by hitting "enter" on an account that has a password, and it logged in fine
Thanks so much for pointing this out. Then I suppose the "correct" way around this is to copy the encoded password out of the /etc/passwd file into the CVSROOT/passwd file into the middle place holder. I had read this is the way to set passwords before, but I think I misinterpreted it to mean "another" way you could do passwords instead of the "WAY" to do passwords...
Wow that's a big oversight on my part. Thanks again! _________________ Best,
Riyad |
|
|
|
adrenalin Tux's lil' helper
Joined: 29 Dec 2002 Posts: 129
|
Posted: Wed May 21, 2003 6:04 pm Post subject: |
|
|
uh, did you read my whole post?
If yes, then I guess you didn't get it right.
If you want to use system auth, then you should remove the user from CVSROOT/passwd. However you should avoid using system account passwords through pserver anyway, because they are sent cleartext. Use different passwords for pserver or even better use ssh instead of pserver. As far as I understand, pserver should only be used for anonymous read only access. If you need any type of auth, then use ssh for example instead and read the docs again. If you insist on using auth through pserver, then DON'T use system account passwords |
|
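The two authentication problems raised in the posts above (an empty password field in CVSROOT/passwd accepting any password, and the system-account fallback that `SystemAuth=no` disables) can be checked with a small audit script. This is an added example, not part of any post in the thread; the function names, finding labels, logins and placeholder hash are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a pserver repository for the
# two authentication problems discussed above.

# CVSROOT/passwd lines: cvsLoginName:optionalCvsPassword:optionalSystemAccountMapping
audit_cvs_passwd() {
    if [ ! -f "$1" ]; then
        echo "NO_PASSWD_FILE"       # every login then goes to the fallback
        return 0
    fi
    awk -F: '
        /^[ \t]*$/ { next }         # skip blank lines
        {
            # With no mapping field, the login name is also the system user.
            sysuser = (NF >= 3 && $3 != "") ? $3 : $1
            if ($2 == "")
                print "EMPTY_PASSWORD " $1 " -> " sysuser
            else
                print "OK " $1 " -> " sysuser
        }
    ' "$1"
}

# Manual excerpt quoted above: SystemAuth=no in CVSROOT/config turns off the
# fallback to operating-system accounts; without that line the fallback is on.
audit_cvs_config() {
    if [ -f "$1" ] && grep -q '^SystemAuth=no[[:space:]]*$' "$1"; then
        echo "SYSTEMAUTH_OFF"
    else
        echo "SYSTEMAUTH_FALLBACK_ON"
    fi
}

audit_cvsroot() {
    audit_cvs_passwd "$1/CVSROOT/passwd"
    audit_cvs_config "$1/CVSROOT/config"
}

# Constructed sample repository (hypothetical logins, placeholder hash).
make_sample_repo() {
    mkdir -p "$1/CVSROOT"
    printf '%s\n' 'cvs::cvs' 'frank:PLACEHOLDERHASH:cvs' 'anonymous:' \
        > "$1/CVSROOT/passwd"
    printf '%s\n' '# CVSROOT/config' '#SystemAuth=no' > "$1/CVSROOT/config"
}

repo=$(mktemp -d)
make_sample_repo "$repo"
audit_cvsroot "$repo"
rm -rf "$repo"
```

An `EMPTY_PASSWORD` line for a login that maps to a writable account, such as `cvs::cvs` from step 13, is the case rsk reproduced; the same finding on a deliberately anonymous read-only login is one to review rather than an error.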
|
|
phunni Apprentice
Joined: 05 May 2003 Posts: 217 Location: Bristol, UK
|
Posted: Tue Jun 03, 2003 2:23 pm Post subject: |
|
|
OK - I have file permissions problems. I can only import a new project as root, and I can only check out the CVSROOT module
How do I use this setup to allow me to import a project as a non root user and then be able to check it out?
Edit the specific error I am getting is:
my cvs server wrote: | cvs server: Updating ConygreProject
cvs server: failed to create lock directory for `/home/cvsroot/ConygreProject' (/home/cvsroot/ConygreProject/#cvs.lock): Permission denied
cvs server: failed to obtain dir lock in repository `/home/cvsroot/ConygreProject'
cvs [server aborted]: read lock failed - giving up
|
_________________ Old School is the way forward! |
|
|
|
adrenalin Tux's lil' helper
Joined: 29 Dec 2002 Posts: 129
|
Posted: Tue Jun 03, 2003 5:32 pm Post subject: |
|
|
phunni wrote: | OK - I have file permissions problems.
...
|
Right you are. While this matter is not pserver specific, the repository maintainer is in fact required to set up an appropriate ownership/permission model inside the repository for users that should have access to it. Your specific problem results from the fact that cvs creates lock files while operating on modules inside the repository. Thus whoever (in the setup described here this should be a user called cvs) executes the cvs commands locally, is required to have write permissions inside the specific module directory. You can specify another temp dir if you don't want that for some reason. |
|
|
|
TAF n00b
Joined: 20 Jan 2003 Posts: 31
|
Posted: Wed Jul 16, 2003 11:15 pm Post subject: |
|
|
You have a little error, more or less reported, about the passwd file.
The correct way to do it is:
1. Put the user name followed by ':'
E.g.
teste:
2. Get some program that generates DES keys. One is available on CVS's site:
http://ccvs.cvshome.org/fom//cache/168.html
3. Generate the password for the user and copy it to the passwd file
4. Do step 1 until not necessary |
|
|
|
vulcan_ n00b
Joined: 06 May 2003 Posts: 61 Location: Gent, Belgium
|
Posted: Thu Jul 17, 2003 10:54 pm Post subject: encrypting CVSROOT/passwd passwords |
|
|
the CVS guide at http://cvsbook.red-bean.com/cvsbook.html#The_Password-Authenticating_Server
shows how to use this script:
Code: |
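#!/usr/bin/perl
# Seed the random number generator from the current time.
srand (time());
# Expression that yields the character code of a random letter (A-Z or a-z).
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
# Build a two-letter salt for crypt().
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
# The plaintext password is the first command-line argument.
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);
print "${crypttext}\n";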
|
used this way Quote: |
I keep the preceding script in /usr/local/bin/cryptout.pl:
floss$ ls -l /usr/local/bin/cryptout.pl
-rwxr-xr-x 1 root root 265 Jun 14 20:41 /usr/local/bin/cryptout.pl
floss$ cryptout.pl "some text"
sB3A79YDX5L4s
|
there is also a good discussion of CVS issues in this post
https://forums.gentoo.org/viewtopic.php?t=55659&highlight=cvs+setup
hope this helps _________________ vulcan was a Roman myth - god of smiths |
|
|
|
mog Apprentice
Joined: 05 Jul 2003 Posts: 253 Location: Auckland [NZ]
|
Posted: Thu Aug 14, 2003 11:48 am Post subject: |
|
|
your tutorial is great ... thx a bunch ...
there is only one question remaining ... how can I create a repository and add things to it?
I know it may be a stupid question, but I have searched a long time and found no answer ... _________________ To thine own self be true. |
|
|
|
MrPyro Tux's lil' helper
Joined: 14 Aug 2003 Posts: 121 Location: Sheffield, England
|
Posted: Thu Aug 14, 2003 3:46 pm Post subject: |
|
|
To create the repository
Code: |
cvs -d /your/CVS/ROOT init
|
The CVSROOT can be pretty much any directory on your system: most people use /home/cvs. This command sets up the directory as a repository.
To add a new module, enter the directory containing the code you want to add, and
Code: |
cvs -d /your/CVS/ROOT import REPOSITORY VENDORTAG RELEASETAG
|
REPOSITORY is what you want the module to be called. VENDORTAG and RELEASETAG are to do with what version the existing code is. I personally just make these up.
CVS over ssh
Once the repository is set up, no additional work needs to be done to access over ssh. No xinetd files or anything. When checking out from the repository, use ext instead of pserver in the CVSROOT definition, like this
Code: |
cvs -d :ext:MrPyro@nekrodomos.net:/home/cvs checkout MyCode
|
|
|
|
|
|