Setting up a CVS server (pserver)

[rsk]

NOTE: This was done with Gentoo 1.4rc3 and 1.4rc4, YMMV

Hey guys,
I was wondering how to do this about 3 days ago and hunted through the forums and got it working by combining a lot of feedback from a lot of good people (this thread in particular: http://forums.gentoo.org/viewtopic.php? ... cvs+server) and I just wanted to summarize for the people out there that didn't have the time to go hunting. Please note that I am summarizing the way I setup CVS, but I think there is just a hair more than 10e6 ways to do it :)

This setup is for using pserver with CVS. No ssh stuff yet, I haven't figured that out yet :)

1) emerge xinetd (this guy is in charge of listening for CVS service requests and waking up a cvs process to take care of the user)
2) emerge CVS (here is the big guy himself)
3) OPTIONAL: emerge superadduser (this is just a damn handy util to have around)

Ok that's it for emerging, now we just have to change configurations and all that jazz.

NOTE: I did all of this while logged in as root, so adjust your plan of attack accordingly.

NOTE 2: Whenever I name something, like a group name, or user name, or directory name... feel free to use something different, just be consistent.

3) create a new "cvs" group with our friend groupadd (groupadd cvs).

4) create a new user (using superadduser or useradd) with the name "cvs" and make their initial (and ONLY) group "cvs". So don't stick them in users or something. Also make sure their shell points to "/bin/false" so someone can't use that account to login (assuming you gave it some easy to guess name.). And lastly make their home directory "/home/cvsroot"

Ok so now you have the software installed, and the user created. Now we need to tie these two things together so they play nice.

5) go into your /etc dir
6) edit the xinetd.conf file, and remove the first line "only_from". It probably says something like only_from localhost. This will limit logins to only localhost, or only whatever IP you put there. If you WANT this kind of security, then change it. NOTE: I don't know how you specify multiple hosts (commas, spaces, whatever) sorry.

Ok we should be done with this file.

7) Go into your /etc/xinetd.d directory

8) type "ls" and look at all the pretty files. These all represent services that xident can start for you and do stuff with. "Stuff" more specifically meaning 'i don't know'.

9) edit the cvspserver file

Now just peruse this file, take a look at the field names. Notice in this file that user/group are already "cvs", you see that? I'm psychic.

Some people have throw security to the wind and changed the user to "root", although I suppose that is about as safe as sticking your face into a bee hive.

anyway...

10) Look at the first line "disable yes", change that to a "no". By default all xinetd services are disabled, so the user can enable what he/she wants. Or atleast this is good practice, and cvs seems to be cooperating with that.

You should be done with that file, unless you want to change the port or something.

Ok so now we need to make sure the repository is setup alright.

11) type "cvs -d /home/cvsroot init" to init the repository.

Now keep in mind though that you just did that as root, so now you need to give the files back to user "cvs" so he won't cry

12) cd /home
chown cvs:cvs -R cvsroot

you should be in good shape now, make sure that cvs/cvs owns that dir as well as every file and dir under it (right now should just be CVSROOT). If you have some shell config files in there (.bashrc, .bash_profile) go ahead and erase them, the user can't ever login to use them anyway.


ok to recap we have:
* user and group "cvs"
* software "xinetd" and "cvs" installed
* software "xinetd" configured to enable cvspserver service for the user cvs/cvs using the dir /home/cvsroot
* we've inited the repository
* we've fixed the permissions

what's left? Nothing right? WRONG!

This one had me stumped for about an hour.

Now we need to create/edit the /home/cvsroot/CVSROOT/passwd file. This file is used by CVS to either provide name/pass pairs, or loginName/systemName mappings. So for example, we want to tell cvs "Hey, I'm going to allow a login called "cvs", but I want you to map it to my local system user "cvs"". Let me clarify.

You created a system account called "cvs" in a group called "cvs". You told xinetd that the cvspserver service is allowed to play only with users named "cvs" in the group "cvs". But now you have to tell CVS what login names (just names, not accounts) are allowed to use CVS. So you could have 10 cvs logins (bob, frank, john, marry, etc. etc.) all mapped to the "cvs" account. That way when "frank" logs in, CVS goes "oh ok, frank is really the CVS account, so I'll have to validate against the system password for that account". You can of course specify passwords in the passwd file and not do mappings if you wish, but I prefer to map them to accounts.

so now the format of this passwd file is:

cvsLoginName:optionalCvsPassword:optionalSystemAccountMapping

so for our purposes, we want to put this in the passwd file:

13) cvs::cvs

So here you see I've mapped CVS login name "cvs" to our system user "cvs". So i'll have to use the system user's password when I login using cvs.

Ok we are getting close, I think that's pretty much it, just make sure to restart xinetd or else all of this was for naught:

14) /etc/init.d/xinetd restart

Ok now try to login to the cvs repository:

15) cvs -d :pserver:cvs@myDomainName.com:/home/cvsroot login
// enter your password

walla!

If that didn't work, I'm sorry I must have missed a step. post your problem here and hopefully I can ammend the post to address it (or someone else can correct me). I'm only 3-days new to this anyway...

NOTE: Some people have mentioned that changing the ownership of the cvs executable has helped them with permission denied problems, but I don't necessarily think this is a good idea.

Ok that's it for now, I hope this helped all 2 of you that wnated to setup CVS :)

[pjp]

Moved from Portage & Programming.

[rsk]

woops sorry

[sessionID]

Very nice tutorial, thanks!

A few notes:

I had to copy /usr/portage/dev-util/cvs/files/cvspserver.xinetd.d to /etc/xinet.d (there was no cvspserver file).
The other thing that was not clear for me, is that you have to use encrypted passwords in the passwd file

[rsk]

no problem I'm glad it helped!

That cvspserver thing is strange, what ver of gentoo are you using?

And yes your absolutely right, encrypted passwords! Thx for the refinement.

[iplayfast]

I've just set up a pserver cvs as well. I didn't use your tutorial, but I wish I'd seen it.

I've still got one niggling little problem. If I check something out locally the owner chnages to me (ok) but the group is root.

Anyone know what would cause that, and how to make it something sensible (cvsadmin).

Thanks in advance.

PS. Your tut should be submitted as one of the docs.

[charlieg]

A similar tutorial for setting up CVS over SSH instead of pserver would be nice.

[sessionID]

That cvspserver thing is strange, what ver of gentoo are you using?

It's installed from the 1.4_rc1 live cd, cvs is 1.11.2. I never updated it, so maybe the ebuild is old.

[sessionID]

A similar tutorial for setting up CVS over SSH instead of pserver would be nice.

I still don't quite understand how it works , but a few good links:
http://ccvs.cvshome.org/fom//cache/9.html
http://freegis.org/grass/howto_grass-sshcvs.en.html
http://www.kitenet.net/~joey/sshcvs/
+

[Stalione]

Now we need to create/edit the /home/cvsroot/CVSROOT/passwd file. This file is used by CVS to either provide name/pass pairs, or loginName/systemName mappings. So for example, we want to tell cvs "Hey, I'm going to allow a login called "cvs", but I want you to map it to my local system user "cvs"". Let me clarify.

If you created a new passwd file, make sure after make the changes to it the permissions are set to the cvs user and cvs group
chown cvs.cvs passwd

[logic]

nice, worked great for me..

only one thing
# emerge CVS

should be :
# emerge cvs

[S_aIN_t]

thanks it worked just fine for me. i did the same thing with fbsd a long time ago.. and didn't remember. the guide helped.

[rsk]

thanks guys for the positive feedback... maybe one of these days (now that its summer) I should sit down and write a much better structured guide, including all the refinements and info I find on the forums, and include SSH setup and submit it to gentoo docs...

[mikepb78]

Why not use SSH and CVS. It is easier to install and manage. And as a bonus it more secure.

1) emerge cvs ssh
2) cvs -d /cvs init (as non root)
3) add users and create ssh keys.

Once the have added there keys then then can access the cvs repository

[adrenalin]

Thanks too

your guide saved me some hours, but are you sure about that one in the passwd file ?

13) cvs::cvs

So here you see I've mapped CVS login name "cvs" to our system user "cvs". So i'll have to use the system user's password when I login using cvs.

did you ever try logging in without/with different password ?

...

CVS can also fall back to use system authentication. When
authenticating a password, the server first checks for the user in the
`$CVSROOT/CVSROOT/passwd' file. If it finds the user, it will use that
entry for authentication as described above. But if it does not find
the user, or if the CVS `passwd' file does not exist, then the server
can try to authenticate the username and password using the operating
system's user-lookup routines (this "fallback" behavior can be disabled
by setting `SystemAuth=no' in the CVS `config' file, *note config:: ).

...

[rsk]

Oh shit, you're right! I just tried logging in by hitting "enter" on an account that has a password, and it logged in fine

Thanks so much for pointing this out. Then I suppose the "correct" way around this is to copy the encoded password out of the /etc/passwd file into the CVSROOT/passwd file into the middle place holder. I had read this is the way to set passwords before, but I think I misinterpreted it mean "another" way you could do passwords instead of the "WAY" to do passwords...

Wow that's a big oversight on my part. Thanks again!

[adrenalin]

uh, did you read my whole post ?

If yes, then i guess you didnt get it right.

If you want to use system auth, then you should remove the user from CVSROOT/passwd. However you should avoid using system account passwords through pserver anyway, because they are sent cleartext. Use different passwords for pserver or even better use ssh instead of pserver. As far as i understand, pserver should only be used for anonymous read only access. If you need any type of auth, then use ssh fex instead and read the docs again . If you insist on using auth trough pserver, then DONT use system account passwords

[phunni]

OK - I have file permissions problems. I can only import a new project as root, and I can only check out the CVSROOT module

How do I use this setup to allow me to import a project as a non root user and then be able to check it out?

Edit the specific error I am getting is:

cvs server: Updating ConygreProject
cvs server: failed to create lock directory for `/home/cvsroot/ConygreProject' (/home/cvsroot/ConygreProject/#cvs.lock): Permission denied
cvs server: failed to obtain dir lock in repository `/home/cvsroot/ConygreProject'
cvs [server aborted]: read lock failed - giving up

[adrenalin]

OK - I have file permissions problems.
...

Right you are. While this matter is not pserver specific, the repository maintainer is in fact required to set up an appropriate ownership/permission model inside the repository for users that should have access to it. Your specific problem results from the fact, that cvs creates lock files while operating on modules inside the repostitory. Thus whoever (in the setup described here this should be a user called cvs) executes the cvs commands locally, is required to have write permissions inside the specific module directory. You can specify another temp dir if you dont want that for some reason.

[TAF]

You have a little error, more or less reported about the passwd file.

The correct way to do it is:

1.put the user name followed by ':'

Eg.

teste:

2.get some program that generates DES keys. in CVS's site it's available one:

http://ccvs.cvshome.org/fom//cache/168.html

3. generate the password for the user and copy it to the passwd file

4. do step 1 until not necessary

[vulcan_]

the CVS guide at http://cvsbook.red-bean.com/cvsbook.htm ... ing_Server
shows how to use this script:

Code: Select all

#!/usr/bin/perl

srand (time());
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);

print "${crypttext}\n";

used this way

I keep the preceding script in /usr/local/bin/cryptout.pl:

floss$ ls -l /usr/local/bin/cryptout.pl

-rwxr-xr-x 1 root root 265 Jun 14 20:41 /usr/local/bin/cryptout.pl
floss$ cryptout.pl "some text"
sB3A79YDX5L4s

there is also a good discussion of CVS issues in this post
http://forums.gentoo.org/viewtopic.php? ... =cvs+setup

hope this helps

[mog]

your tutorial is great ... thx a buch ...

there is only one question remaining ... how can I create a repository and add things to it?
I know it may be a stupid question, but I have searched a long time and found no answer ...

[MrPyro]

To create the repository

Code: Select all

cvs -d /your/CVS/ROOT init

The CVSROOT can be pretty much any directory on your system: most people use /home/cvs. This command sets up the directory as a repository.

To add a new module, enter the directory containing the code you want to add, and

Code: Select all

cvs -d /your/CVS/ROOT import REPOSITORY VENDORTAG RELEASETAG

REPOSITORY is what you want the module to be called. VENDORTAG and RELEASETAG are to do with what version the existing code is. I personally just make these up.

CVS over ssh

Once the repository is set up, no additional work needs to be done to access over ssh. No xinetd files or anything. When checking out from the repository, use ext instead of pserver in the CVSROOT definition, like this

Code: Select all

cvs -d :ext:MrPyro@nekrodomos.net:/home/cvs checkout MyCode