| View previous topic :: View next topic |
| Author |
Message |
dreambox
Tux's lil' helper
Joined: 09 Mar 2003
Posts: 137
|
 Posted: Thu May 22, 2003 7:39 pm Post subject: Setting up a CVS pserver/xinetd step by step+security issues |
 |
|
Hello,
Sorry if it looks a duplicate post. This post is a personal effort and contains also security issues using pserver connections 
Three days ago, I had to set up a secure cvs pserver. After spending many hour reading the doc at the excellent site www.cvshome.org, I successfully set it up running it with inetd.
I know that the most secure is to use SSH connection since in pserver authentication passwords are sent in clear, but i tried to focus on the state of art of doing it. Today, I tried to set it up with xinetd but some security issues raised that i didn't solve it yet, but this setting should work very fine if u're not paranoid with security 
Here are the steps I used to setup my cvs server :
1) Login as root and create a user/group cvs/cvs. Note: The repository is inside the user's home and not the user's home, this would allow you later to create many repositories as u want in the user's home ( Easier to manage )
| Code: |
# groupadd cvs
# mkdir -p /var/home/cvs
# useradd -d /var/home/cvs -g cvs -s /bin/bash -p <cvs_passwd> cvs
# chown -R cvs:cvs /var/home/cvs
# su - cvs
/> cvs -d /var/home/cvs/repository init
/> chmod g+rwx /var/home/cvs/repository
/> exit
|
2) Create users anoncvs and usercvs. anoncvs will be allowed to read repository but cannot write. usercvs will be allowed to read/write in repository
| Code: |
# useradd -d /var/home/cvs -g cvs -s /bin/false usercvs
# usermod -L usercvs ( Lock user password )
# useradd -d /var/home/cvs -g cvs -s /bin/false anoncvs
# usermod -L anoncvs ( Lock user password )
|
3) We want to use pserver authentication and don't want cvs to fallback to system authentication when user doesn't exist. Doing this, we are trying to secure at maximum access to cvs . Here are the steps:
We have to store users and encrypted passwords in /var/home/cvs/repository/CVSROOT/passwd
Using ur favourite editor, add entries of this form in /var/home/cvs/repository/CVSROOT/passwd:
<cvs_user>:<encrypted_password>:<unix_user>
We encrypt cvs user's password using this well known perl script:
| Code: |
#!/usr/bin/perl
srand (time());
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);
print "${crypttext}\n";
|
You can create for example a bin directory in cvs home, copy and paste the script to file cryptout in that directory. Then chmod +x cryptout and add $HOME/bin to PATH variable in file .bash_profile. Syntax of cryptout is:
cryptout <clear_text_password>
it'll produce an encrypted password as the ones stored in /etc/passwd.
Here an example of passwd file:
james:qPd3FRr4r3ln2:usercvs
dreambox:AGJaHG3LxpYoA:usercvs
anoncvs::anoncvs
Typical scenario, users james and dreambox would have read/write access to the repository, and anoncvs would have only read access without having to enter a password.
Note: In practice james and dreambox don't exist in the system as unix users, they are virtual cvs users.
To disable cvs to fallback into system authentication when user doesn't exist we have to modify the file under /var/home/cvs/CVSROOT/config.
To set read/write permissions in repository we have to create 2 files ( readers and writers ) also under /var/home/cvs/CVSROOT. Users in readers file are only allowed to read repository. Users in writers are allowed to read/write in repository.
config, readers, writers have to be versionned, so first we checkout module CVSROOT :
| Code: |
/> cvs -d /var/home/cvs/repository co CVSROOT
cvs server: Updating CVSROOT
U CVSROOT/checkoutlist
U CVSROOT/commitinfo
U CVSROOT/config
U CVSROOT/cvswrappers
U CVSROOT/editinfo
U CVSROOT/loginfo
U CVSROOT/modules
U CVSROOT/notify
U CVSROOT/rcsinfo
U CVSROOT/taginfo
U CVSROOT/verifymsg
|
Uncomment line #SystemAuth=no . This will inform cvs to not check in /etc/passwd when user doesn't exist in CVSROOT/passwd
| Code: |
/> echo james > writers
/> echo dreambox >> writers
/> echo >> writers ( We have to add new line after adding last user )
/> echo anoncvs > readers
/> echo >> readers ( We have to add new line after adding last user )
/> cvs -d /var/home/cvs/repository add readers writers
cvs server: scheduling file `readers' for addition
cvs server: scheduling file `writers' for addition
cvs server: use 'cvs commit' to add these files permanently
/> cvs -d /var/home/cvs/repository ci -m "Updated administration files"
cvs commit: Examining .
Checking in config;
/var/home/cvs/repo/CVSROOT/config,v <-- config
new revision: 1.2; previous revision: 1.1
done
RCS file: /var/home/cvs/repo/CVSROOT/readers,v
done
Checking in readers;
/var/home/cvs/repo/CVSROOT/readers,v <-- readers
initial revision: 1.1
done
RCS file: /var/home/cvs/repo/CVSROOT/writers,v
done
Checking in writers;
/var/home/cvs/repo/CVSROOT/writers,v <-- writers
initial revision: 1.1
done
cvs commit: Rebuilding administrative file database
|
Now, we setup xinetd :
Edit as root file /etc/xinetd.d/cvspserver. Mine looks like this :
| Code: |
service cvspserver
{
disable = no
socket_type = stream
wait = no
user = root
log_type = FILE /var/log/cvspserver
protocol = tcp
env = '$HOME=/var/home/cvs'
log_on_failure += USERID
port = 2401
server = /usr/bin/cvs
server_args = -f --allow-root=/var/home/cvs/repository pserver
}
|
Save modification to file end execute the following to start xinetd at boot time ( If it is not set yet ):
| Code: |
# rc-update add xinetd boot
|
Congratulations if u arrived here  , now it should work fine after a reboot or ( /etc/init.d/xinetd start for those who are in a hurry to test ) :
Your can start testing security by trying to import a directory as anoncvs for example ( cvs will not allow u ) :
| Code: |
/> mkdir project
/> cd project
/> touch dreambox
/> cvs -d :pserver:anoncvs@localhost/var/home/cvs/repository login ( Press return when asked a password )
/> cvs -d :pserver:anoncvs@localhost/var/home/cvs/repository import -m "Trying to import" myproject vendor start
|
You should see something like this on ur screen :
| Code: |
cvs server: cannot open /var/home/cvs/repository/CVSROOT/readers: Permission denied
cvs [server aborted]: "import" requires write access to the repository
|
OK, know, I'd like to discuss another security issue which is giving me headaches :
The files CVSROOT/*info can be used to execute programs such as sendmail to notify some users of an update, commit,... The thing is that one malicious guy ( such as james or dreambox ) who has write access to repository can checkout CVSROOT and add entries in that files to execute a malicious program and gain access to private ressources in the system !!!  . So, I decided to re-enforce security by creating another unix group ( admincvs ). All users in that group and only that users have read/write access to CVSROOT ( Of course these users should be trustable in their intentions  ). Users in the group admincvs should only read and update CVSROOT module. Allowing them to import other modules that are intented to be shared would forbid other users ( running as usercvs ) to update those modules...
OK, here it is:
We create admincvs group and admincvs user :
| Code: |
# groupadd admincvs
# useradd -d /var/home/cvs -g cvs -s /bin/false admincvs
# usermod -L admincvs ( Lock user password )
|
We change the group owner of CVSROOT directory and disable
read/write/exec access to that directory to other users
| Code: |
# cd /var/home/cvs/cvsrepository
# chgrp -R admincvs CVSROOT
# chmod o-rwx CVSROOT
|
add the following entry to CVSROOT/passwd ( using bin/cryptout perl program to crypt password ):
| Code: |
admincvs:<crypted_passwd>:admincvs
|
Lets test it. Try to checkout CVSROOT as a normal user who has read/write access to repository but not to CVSROOT :
| Code: |
/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository login ( Enter password when asked )
/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository co CVSROOT
|
You should get the following message:
| Code: |
Cannot access /var/home/cvs/repo/CVSROOT
Permission denied
|
Now try with admincvs:
| Code: |
/> cvs -d :pserver:admincvs@localhost/var/home/cvs/repository login ( Enter password when asked )
/> cvs -d :pserver:admincvs@localhost/var/home/cvs/repository co CVSROOT
|
You should get this:
| Code: |
cvs server: Updating CVSROOT
U CVSROOT/checkoutlist
U CVSROOT/commitinfo
U CVSROOT/config
U CVSROOT/cvswrappers
U CVSROOT/editinfo
U CVSROOT/loginfo
U CVSROOT/modules
U CVSROOT/notify
U CVSROOT/rcsinfo
U CVSROOT/readers
U CVSROOT/taginfo
U CVSROOT/verifymsg
U CVSROOT/writers
|
Then, you would ask me: What's ur problem dreambox, everything is working fine , but then I would ask u to try to import a directory as user who has read/write access to repository ( james o dreambox ) :
| Code: |
/> mkdir test
/> cd test
/> touch test.file
/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository login ( Enter password when asked )
/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository import -m "I want to import" test vendor start
|
You should get the following:
| Code: |
Cannot access /var/home/cvs/repo/CVSROOT
Permission denied
|
Now, I would ask what the hell I did wrong ?
| Code: |
/> ls -l repository
drwxrwx--- 3 cvs admincvs 1224 May 22 20:21 CVSROOT
|
Something I don't understand : xinetd is running as root. When xinetd receives a login request it creates a cvs process with usercvs uid, right?
Since usercvs user is the owner of CVSROOT, it should normally have access to that directory!
Thanks for reading all this , I know, It was long and maybe redundunt 
I would appreciate any feedback 
Regards
dreambox
_________________
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb
Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming... |
|
| Back to top |
|
 |
mog
Apprentice
Joined: 05 Jul 2003
Posts: 253
Location: Auckland [NZ]
|
| Posted: Thu Aug 14, 2003 9:33 pm Post subject: |
|
|
great post ... thumbs up ...
maybe you could add how to run cvs over ssh 
_________________
To thine own self be true. |
|
| Back to top |
|
|
MrPyro
Tux's lil' helper
Joined: 14 Aug 2003
Posts: 121
Location: Sheffield, England
|
| Posted: Fri Aug 15, 2003 11:58 am Post subject: |
|
|
dreambox said:
| Quote: |
Now, I would ask what the hell I did wrong ?
| Code: |
/> ls -l repository
drwxrwx--- 3 cvs admincvs 1224 May 22 20:21 CVSROOT
|
Something I don't understand : xinetd is running as root. When xinetd receives a login request it creates a cvs process with usercvs uid, right?
Since usercvs user is the owner of CVSROOT, it should normally have access to that directory!
|
I think the problem is that to import a new module, you need to write to CVSROOT, to add the new module to the modules file. In your setup, therefore, only admincvs can import a new module, but james or dreambox should be able to commit changes.
_________________
Back off man, I'm a computer scientist |
|
| Back to top |
|
|
mog
Apprentice
Joined: 05 Jul 2003
Posts: 253
Location: Auckland [NZ]
|
| Posted: Sat Aug 16, 2003 12:19 am Post subject: mhh ... |
|
|
I have followed your post pretty much as you said except for the fact that my repsitory is under /data/cvs/mog/ and the CVSROOT directory under /data/cvs/mog/CVSROOT/, however when I try to connect using either
| Code: | | cvs -d :pserver:guest@localhost/data/cvs/mog login |
or
| Code: | | cvs -d :pserver:guest@localhost/mog login |
it fist prompts me for a password (I just press enter cause guest maps to anoncvs) and then it tells me
| Code: | | /path/to/repository/ : no such repository |
_________________
To thine own self be true. |
|
| Back to top |
|
|
MrPyro
Tux's lil' helper
Joined: 14 Aug 2003
Posts: 121
Location: Sheffield, England
|
| Posted: Sat Aug 16, 2003 6:07 am Post subject: |
|
|
I don't know if it's just a typo you've written on here, but there should be a colon between localhost and the path in that cvsroot definition
| Code: |
cvs -d :pserver:guest@localhost:/data/cvs/mog login
|
_________________
Back off man, I'm a computer scientist |
|
| Back to top |
|
|
EvilCHELU
n00b
Joined: 24 May 2003
Posts: 5
|
| Posted: Sat Aug 16, 2003 2:31 pm Post subject: |
|
|
mog:
check if you have the following in your /etc/xinetd.d/cvspserver file
| Code: |
server_args = -f --allow-root=/data/cvs/mog pserver
|
mrpyro:
i found that it works without to column too, even tho the command syntax says it should be there
_________________
You'll Never Walk Alone. |
|
| Back to top |
|
|
mog
Apprentice
Joined: 05 Jul 2003
Posts: 253
Location: Auckland [NZ]
|
| Posted: Sun Aug 17, 2003 5:18 am Post subject: |
|
|
well I am not entirely sure as to what exactly happened, but I went through the procedure again ... and now ... I can logon ... weird ... but thx anyway
however, what I did now is that I created a new directory in the repository and tried to check it out while I am logged in ... but I get the following error
setuid failed: Operation not permitted
any idea where that could come from ... ???
_________________
To thine own self be true. |
|
| Back to top |
|
|
orb9
Tux's lil' helper
Joined: 02 Sep 2002
Posts: 82
Location: Germany
|
| Posted: Thu Aug 21, 2003 10:38 pm Post subject: |
|
|
to dreambox: superb post
to mog:I had some similiar problem. I got:
setgid failed: Operation not permitted
I found the source of trouble in /etc/xinet.d/cvspserver. Mine looked like this (watch user and group. in dreambox initial post user is root. mine was cvs)
| Code: |
service cvspserver
{
disable = no
socket_type = stream
wait = no
user = cvs
group = cvs
log_type = FILE /var/log/cvspserver
protocol = tcp
env = '$HOME=/home/cvs'
log_on_failure += USERID
port = 2401
server = /usr/bin/cvs
server_args = -f --allow-root=/home/cvs/repository pserver
}
|
So i changed user and group to root, restarted xinetd and was done
But i wanted to know, why this doesn't work with user cvs. Checked all permissions, they are all correct, everything in /home/cvs/ (i used this dir) belongs to cvs/cvs and all flags are set correctly.
So.. why it doesn't work with user cvs ?
_________________
"Without music, life would be a mistake - I would only believe in a god who knew how to dance." (Nietzsche) |
|
| Back to top |
|
|
dreambox
Tux's lil' helper
Joined: 09 Mar 2003
Posts: 137
|
| Posted: Mon Dec 15, 2003 5:22 pm Post subject: |
|
|
Sorry for being late to reply guys/gals. When I first posted this how-to, I used to check every day feedbacks but for some period nothing , and today by luck I was checking my posts and were very happy u liked it .
These last days I was reinstalling the whole gentoo, I'm gonna try cvs again but also subversion which they say is better... If someone succeed with cvs + ssh let me know please.
_________________
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb
Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming... |
|
| Back to top |
|
|
Thiemo
Tux's lil' helper
Joined: 20 Nov 2002
Posts: 138
|
| Posted: Mon Dec 15, 2003 10:02 pm Post subject: Re: Setting up a CVS pserver/xinetd step by step+security is |
|
|
Hi,
thanks for post. I have a question regarding this perl script generating encrypted text.
| dreambox wrote: | | Code: |
#!/usr/bin/perl
srand (time());
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);
print "${crypttext}\n";
|
|
I have seen this snipped in a book and tried it out. However, feeding it with the very same term, I don't get the same output: | Code: | cvs@limbo $ cryptout.pl test
jvvAuD7bpZwY2
cvs@limbo $ cryptout.pl test
CiJOVUFmt6GEM
cvs@limbo $ cryptout.pl test
ZBdG38ICoBHYo
cvs@limbo $ cryptout.pl test
vuplQw/0Rp0dU
cvs@limbo $ cryptout.pl test
vuplQw/0Rp0dU
cvs@limbo $ cryptout.pl test
SNOUEr6lAxJJg
cvs@limbo $ cryptout.pl test
SNOUEr6lAxJJg
cvs@limbo $ cryptout.pl test
PgV8Kjke7flWE
cvs@limbo $ cat bin/cryptout.pl
#!/usr/bin/perl
srand (time());
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);
print "${crypttext}\n";
|
I cannot imagine, if the output is not reproducable, that it can be used to make passwords. Am I wrong?
Cheers
Thiemo
_________________
root ist die wurzel allen uebels |
|
| Back to top |
|
|
dreambox
Tux's lil' helper
Joined: 09 Mar 2003
Posts: 137
|
| Posted: Mon Dec 15, 2003 10:46 pm Post subject: |
|
|
I got the perl script from internet. This algorithm is the same to generate /etc/passwd, but i still don't know how user password is checked to validate it... If someone could give us some light
_________________
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb
Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming... |
|
| Back to top |
|
|
Thiemo
Tux's lil' helper
Joined: 20 Nov 2002
Posts: 138
|
| Posted: Mon Dec 15, 2003 11:50 pm Post subject: |
|
|
Hm, I checked with the command | Code: | | passwd <passwordcheckuser> |
and the entries in /etc/shadow also vary! 
I only can immagine that for password checks the encrypted password (as in /etc/shadow) gets "unencrypted" by some means and the different encrypted solutions to one password result always in the original. That seemed to me rather questionable.
Another possibility would be that there is some cool algorith and applying it on the different encrypted "versions" as well as on the original text results always in the very same "check sum".
_________________
root ist die wurzel allen uebels |
|
| Back to top |
|
|
ocbMaurice
Tux's lil' helper
Joined: 14 Feb 2003
Posts: 90
Location: Switzerland
|
| Posted: Tue Dec 16, 2003 1:14 am Post subject: |
|
|
Hello,
I also have some problems setting up the cvs server. I'm also stuck at the "setgid/stuid error" which is quite strange and more annoying is that cvs doesn't show exactly what it wants to setgid !?? So far I found out that it has to do with the passwd/group file under the chroot jail. I was able to convert a "setgid" error to a "setuid" error ... but I defenately do not want to run cvs as root !
Anyway, I think I can answer you question according to the password. If I'm not wrong, the crypted password contains the salt as clear-text, so when it wants to match a given string, it will be crypted with the same salt and then the end-strings should be the same (hope that's correct). If I'm not wrong the salt consists of two letters.
Maurice |
|
| Back to top |
|
|
dreambox
Tux's lil' helper
Joined: 09 Mar 2003
Posts: 137
|
| Posted: Tue Dec 16, 2003 3:06 pm Post subject: |
|
|
rand(26) = a random integer between 0 and 26
rand(1) = 0 or 1
In my opinion ( Don't flame my ignorance ), It seems that we can obtain 27 * 2 = 54 possible encryptions of the same passwd. The crypt function probably uses a hash function like MD5. I beleive that we can't find out the text clear password, the algorith compares hash results.
Anyway these are my 2 cents theories, if someone knows what's going behind the scene, let us know...
regards
_________________
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb
Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming... |
|
| Back to top |
|
|
ocbMaurice
Tux's lil' helper
Joined: 14 Feb 2003
Posts: 90
Location: Switzerland
|
| Posted: Tue Dec 16, 2003 8:34 pm Post subject: |
|
|
I think you understood me wrong ! I'm now 99% sure it is the way I meant :
I'll give a simple example :
| Code: | $ perl -e 'print crypt("password", "sa"), "\n"'
sa3tHJ3/KuYvI
$ perl -e 'print crypt("password", "sn"), "\n"'
snf3JLX29OeF6
$ perl -e 'print crypt("password", "xyz"), "\n"'
xyAjYtmfRYx/. |
So the salt that is used to encrypt the string is included as clear-text in the encrypted string. Therefore we later can do the same encryption. I personally often calculate the salt from the given password and cut the first two chars away from the encrypted string (that works just with my software, not on linux in general!). But not sure if it is more secure. The salt of course can also be randomly created.
Anyway, back to the cvsd setup. I actually managed to get it working quite easily with gentoo 1.4. I will summarize what I did :
* note: this will install cvs and cvsd plus a few tools we'll need later. This way we do not need xinetd. It also creates a system user cvsd and a config file under /etc/cvsd/cvsd.conf. I'll do the rest so it fits the default configuration. You simply _should_ be able to adjust the paths properly.
| Code: | $ cvsd-buildroot /var/lib/cvsd/
$ mkdir /var/lib/cvsd/rep
$ cvs -d /var/lib/cvsd/rep init
$ chown cvsd. /var/lib/cvsd -R |
Now we need to tell the cvsd config what repositories we use (the directories we created and inited, remember that cvs-server will run in a chroot-jail and therefore we need to reference from this root-point).
| Code: | | $ echo "Repos /rep" >> /etc/cvsd/cvsd.conf |
Setting up the users for cvs can be done in two ways. You simply could edit etc/passwd, etc/group and maybe etc/shadow within the chroot-jail to get the users working. I recommend to only use the virtual user file and to disable the system-users for cvs completely. Altough one could say it doesn't make much difference in a chroot-jail where the /etc/passwd file is kept to a mimimum anyway. Anyway, IMHO this approach is much cleaner. To do it that way :
| Code: | | $ nano -w /var/lib/cvsd/rep/CVSROOT/config |
There you should uncomment the second line (thxs to
dreambox for this info), so it does look like
To manage the users for your cvs-repository you should use the cvsd-passwd utility (which hopefully has been installed by cvsd too) :
| Code: | | $ cvsd-passwd /var/lib/cvsd/rep/ +maurice +anoncvs +cvs |
At this stage it seems that every user you created so far has read/write access. To setup the proper security model, we will create/edit the readers and writers file within the CVSROOT of our repository.
| Code: | $ echo "cvs" >> /var/lib/cvsd/rep/CVSROOT/readers
$ echo "anoncvs" >> /var/lib/cvsd/rep/CVSROOT/readers
$ echo "maurice" >> /var/lib/cvsd/rep/CVSROOT/writers |
You should of course change the username maurice to your own Also feel free to add more users, it should be clear how to do this (add passwd and add to readers or writers). You should know, that it is a bad idea to have a username in writers and in readers. Seems you'll then just get read permission !
To test your newly configured server I recommend to start cvsd in debug mode once, to do so enter
On a different console/pc you then can try to login :
| Code: | $ cvs -d :pserver:maurice@localhost:/rep login
Logging in to :pserver:maurice@localhost:2401/rep
CVS password: **********
cvs login: warning: skipping invalid entry in password file at line 1 |
The only last "problem" is the last warning which really seems just a warning as the rest seems to work as it should. Now you simply need to install the cvsd rc-script (use rc-update) to get your cvs server started at boot time. Hope you also got that far and if yes, or no, let us know ! I'll now have a look at ssh logins ...
Maurice
Last edited by ocbMaurice on Mon Jan 12, 2004 5:55 pm; edited 1 time in total |
|
| Back to top |
|
|
dreambox
Tux's lil' helper
Joined: 09 Mar 2003
Posts: 137
|
| Posted: Wed Dec 17, 2003 3:23 pm Post subject: |
|
|
| ocbMaurice wrote: | Hello,
I also have some problems setting up the cvs server. I'm also stuck at the "setgid/stuid error" which is quite strange and more annoying is that cvs doesn't show exactly what it wants to setgid !?? So far I found out that it has to do with the passwd/group file under the chroot jail. I was able to convert a "setgid" error to a "setuid" error ... but I defenately do not want to run cvs as root !
Maurice |
Try this
| Code: |
service cvspserver
{
disable = no
socket_type = stream
wait = no
user = cvs
group = cvs
log_type = FILE /var/log/cvspserver
protocol = tcp
log_on_failure += USERID
port = 2401
server = /usr/bin/cvs
server_args = -f --allow-root=/home/cvsroot pserver
}
|
| Code: |
chmod 2755 /usr/bin/cvs
|
The chmod gives the application set gid permissions
Hope it helps
_________________
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb
Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming... |
|
| Back to top |
|
|
sankeld
n00b
Joined: 03 Oct 2002
Posts: 9
|
| Posted: Thu Dec 18, 2003 8:44 am Post subject: cvs+ssh |
|
|
Using CVS with SSH is much easier than using it with a pserver. As long as you have a ssh deamon running[1], a remote user may simply do:
export CVS_RSH='ssh'
export CVSROOT='ext:user@someplace.net:/home/cvsroot'
And that's it! All the cvs commands should work as expected.
One can free up the coder from typing passwords all the time using ssh-agent and ssh-add with public/private keys[2]. If it works with ssh itself, it will work with cvs.
A great resource on CVS can be found at
http://av.stanford.edu/books/cvsbook/
A great resource in general is
http://www.freeprogrammingresources.com/miscbook.html
[1] Check to see that 'ps aux | grep sshd' shows a process called /usr/sbin/sshd. If it doesn't, do a `emerge ssh` and a `rc-update add sshd default`. To start the daemon without a reboot do a `/etc/init.d/sshd start`.
[2] More information on that can be found here:
https://forums.gentoo.org/viewtopic.php?t=115096 |
|
| Back to top |
|
|
Squinky86
Retired Dev
Joined: 25 Mar 2003
Posts: 309
Location: Alabama, USA
|
| Posted: Fri Jan 02, 2004 8:25 pm Post subject: |
|
|
| dreambox wrote: |
| Code: |
chmod 2755 /usr/bin/cvs
|
The chmod gives the application set gid permissions
|
Then wouldn't
| Code: |
chmod 4755 /usr/bin/cvs
|
solve the set uid problems?
_________________
Me |
|
| Back to top |
|
|
discostu
Guru
Joined: 01 Nov 2002
Posts: 333
|
| Posted: Tue Jan 13, 2004 10:54 pm Post subject: |
|
|
I followed your instructions and was able to login, but I got an error when doing an import
| Code: | $ cvs import -m "My initial project message" testproj mycompany start
cvs import: cannot make path to /var/cvsroot/testproj: Permission denied
cvs import: Importing /var/cvsroot/testproj/testproj
cvs import: ERROR: cannot mkdir /var/cvsroot/testproj/testproj -- not added: No such file or directory
No conflicts created by this import
|
Thanks
_________________
"Disco Stu doesn't advertise." |
|
| Back to top |
|
|
NiklasH
Apprentice
Joined: 30 Aug 2002
Posts: 211
Location: On top of something
|
| Posted: Tue Jan 13, 2004 11:01 pm Post subject: Re: cvs+ssh |
|
|
| sankeld wrote: | Using CVS with SSH is much easier than using it with a pserver. As long as you have a ssh deamon running[1], a remote user may simply do:
export CVS_RSH='ssh'
export CVSROOT='ext:user@someplace.net:/home/cvsroot'
And that's it! All the cvs commands should work as expected.
One can free up the coder from typing passwords all the time using ssh-agent and ssh-add with public/private keys[2]. If it works with ssh itself, it will work with cvs.
A great resource on CVS can be found at
http://av.stanford.edu/books/cvsbook/
A great resource in general is
http://www.freeprogrammingresources.com/miscbook.html
[1] Check to see that 'ps aux | grep sshd' shows a process called /usr/sbin/sshd. If it doesn't, do a `emerge ssh` and a `rc-update add sshd default`. To start the daemon without a reboot do a `/etc/init.d/sshd start`.
[2] More information on that can be found here:
https://forums.gentoo.org/viewtopic.php?t=115096 |
Yes, ssh is a piece of cake to set up (well, almost... )
I was beginning to feel I was missing something, since I didn't have those kinds of trouble setting up our ssh CVS server...
But your post calmed me!
_________________
Banana Republic |
|
| Back to top |
|
|
daoist
n00b
Joined: 14 May 2003
Posts: 28
|
| Posted: Sun Feb 29, 2004 4:22 am Post subject: |
|
|
| dreambox wrote: | | I got the perl script from internet. This algorithm is the same to generate /etc/passwd, but i still don't know how user password is checked to validate it... If someone could give us some light |
Two things go into the password, the cleartext and the salt. when you make the password in the first place it randomly chooses a salt, and it stores the salt as the first two characters of the password.
To check passwords the system takes the password the user typed, encrypts it using the salt from the encryped password stored on disk, and they should match. If so, that's a success, if not, that's a failure.
Note that at no time during this procedure is the password stored in the file ever decrypted. It's really really hard to decrypt. |
|
| Back to top |
|
|
hw-tph
l33t
Joined: 08 Jan 2004
Posts: 768
Location: Uppsala, Sweden
|
| Posted: Sat May 15, 2004 11:16 am Post subject: |
|
|
| ocbMaurice wrote: | | Code: | $ cvs -d :pserver:maurice@localhost:/rep login
Logging in to :pserver:maurice@localhost:2401/rep
CVS password: **********
cvs login: warning: skipping invalid entry in password file at line 1 |
The only last "problem" is the last warning which really seems just a warning as the rest seems to work as it should. |
To resolv this error message simply check out the passwd file and add a blank line after the last entry (so the file ends with a blank line), save the file and commit. Done.
Håkan |
|
| Back to top |
|
|
crafteh
n00b
Joined: 30 Mar 2004
Posts: 29
|
| Posted: Thu Feb 10, 2005 6:07 am Post subject: |
|
|
| I followed the tutorial but I can not access the cvs from another computer. I'm trying to view a list of projects in eclipse but it says Socket Exception: Connection reset. I started up xinetd... what else do I need to do to get it to work over a network? |
|
| Back to top |
|
|
|
Documentation, Tips & Tricks
