Setting up a CVS pserver/xinetd step by step+security issues

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.
dreambox
Tux's lil' helper
Posts: 137
Joined: Sun Mar 09, 2003 1:11 am

Setting up a CVS pserver/xinetd step by step+security issues

Post by dreambox » Thu May 22, 2003 7:39 pm

Hello,

Sorry if it looks like a duplicate post. This post is a personal effort and also contains security issues using pserver connections :)

Three days ago, I had to set up a secure cvs pserver. After spending many hours reading the doc at the excellent site www.cvshome.org, I successfully set it up running it with inetd.

I know that the most secure way is to use an SSH connection, since in pserver authentication passwords are sent in clear, but I tried to focus on the state of the art of doing it. Today, I tried to set it up with xinetd but some security issues arose that I didn't solve yet, but this setting should work very fine if u're not paranoid with security :lol:

Here are the steps I used to setup my cvs server :

1) Login as root and create a user/group cvs/cvs. Note: The repository is inside the user's home and is not the user's home itself; this will allow you later to create as many repositories as u want in the user's home ( Easier to manage )

Code: Select all

    # groupadd cvs
    # mkdir -p /var/home/cvs
    # useradd -d /var/home/cvs -g cvs -s /bin/bash -p <cvs_passwd> cvs
    # chown -R cvs:cvs /var/home/cvs
    # su - cvs
    /> cvs -d /var/home/cvs/repository init
    /> chmod g+rwx /var/home/cvs/repository
    /> exit


2) Create users anoncvs and usercvs. anoncvs will be allowed to read repository but cannot write. usercvs will be allowed to read/write in repository

Code: Select all

    # useradd -d /var/home/cvs -g cvs -s /bin/false usercvs
    # usermod -L usercvs        ( Lock user password )
    # useradd -d /var/home/cvs -g cvs -s /bin/false anoncvs
    # usermod -L anoncvs       ( Lock user password )

3) We want to use pserver authentication and don't want cvs to fall back to system authentication when the user doesn't exist. Doing this, we are trying to secure access to cvs as much as possible :). Here are the steps:

We have to store users and encrypted passwords in /var/home/cvs/repository/CVSROOT/passwd

Using ur favourite editor, add entries of this form in /var/home/cvs/repository/CVSROOT/passwd:

<cvs_user>:<encrypted_password>:<unix_user>

We encrypt cvs user's password using this well known perl script:

Code: Select all

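#!/usr/bin/perl
# Usage: cryptout <clear_text_password>
# Prints the crypt(3) hash of the password for use in CVSROOT/passwd.

# Seed the generator from the clock (runs within the same second pick the same salt).
srand (time());
# Expression that yields the character code of a random upper- or lower-case letter.
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
# Two-letter salt; crypt() stores it as the first two characters of its output.
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);

print "${crypttext}\n";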
You can create for example a bin directory in cvs home, copy and paste the script to file cryptout in that directory. Then chmod +x cryptout and add $HOME/bin to PATH variable in file .bash_profile. Syntax of cryptout is:

cryptout <clear_text_password>

it'll produce an encrypted password as the ones stored in /etc/passwd.

Here is an example of a passwd file:


james:qPd3FRr4r3ln2:usercvs
dreambox:AGJaHG3LxpYoA:usercvs
anoncvs::anoncvs


Typical scenario, users james and dreambox would have read/write access to the repository, and anoncvs would have only read access without having to enter a password.

Note: In practice james and dreambox don't exist in the system as unix users, they are virtual cvs users.

To prevent cvs from falling back to system authentication when the user doesn't exist, we have to modify the config file under /var/home/cvs/CVSROOT.

To set read/write permissions in repository we have to create 2 files ( readers and writers ) also under /var/home/cvs/CVSROOT. Users in readers file are only allowed to read repository. Users in writers are allowed to read/write in repository.

config, readers, writers have to be versioned, so first we checkout module CVSROOT :

Code: Select all

/> cvs -d /var/home/cvs/repository co CVSROOT

cvs server: Updating CVSROOT
U CVSROOT/checkoutlist
U CVSROOT/commitinfo
U CVSROOT/config
U CVSROOT/cvswrappers
U CVSROOT/editinfo
U CVSROOT/loginfo
U CVSROOT/modules
U CVSROOT/notify
U CVSROOT/rcsinfo
U CVSROOT/taginfo
U CVSROOT/verifymsg
Uncomment line #SystemAuth=no . This will inform cvs to not check in /etc/passwd when user doesn't exist in CVSROOT/passwd

Code: Select all

/> cd CVSROOT               ( Work inside the checked-out CVSROOT module )
/> echo james > writers
/> echo dreambox >> writers
/> echo >> writers        ( We have to add new line after adding last user )

/> echo anoncvs > readers
/> echo >> readers       ( We have to add new line after adding last user )

/> cvs -d /var/home/cvs/repository add readers writers
cvs server: scheduling file `readers' for addition
cvs server: scheduling file `writers' for addition
cvs server: use 'cvs commit' to add these files permanently

/> cvs -d /var/home/cvs/repository ci -m "Updated administration files"
cvs commit: Examining .
Checking in config;
/var/home/cvs/repo/CVSROOT/config,v  <--  config
new revision: 1.2; previous revision: 1.1
done
RCS file: /var/home/cvs/repo/CVSROOT/readers,v
done
Checking in readers;
/var/home/cvs/repo/CVSROOT/readers,v  <--  readers
initial revision: 1.1
done
RCS file: /var/home/cvs/repo/CVSROOT/writers,v
done
Checking in writers;
/var/home/cvs/repo/CVSROOT/writers,v  <--  writers
initial revision: 1.1
done
cvs commit: Rebuilding administrative file database
Now, we setup xinetd :

Edit as root file /etc/xinetd.d/cvspserver. Mine looks like this :

Code: Select all

service cvspserver
{
        disable         	= no
        socket_type     	= stream
        wait            	= no
        user            	= root
        log_type        	= FILE /var/log/cvspserver
        protocol        	= tcp
        env             	= HOME=/var/home/cvs
        log_on_failure  	+= USERID
        port            	= 2401
        server          	= /usr/bin/cvs
        server_args     	= -f --allow-root=/var/home/cvs/repository pserver
}

Save the modifications to the file and execute the following to start xinetd at boot time ( If it is not set yet ):

Code: Select all

# rc-update add xinetd boot
Congratulations if u arrived here :D , now it should work fine after a reboot or ( /etc/init.d/xinetd start for those who are in a hurry to test ) :

You can start testing security by trying to import a directory as anoncvs for example ( cvs will not allow u ) :

Code: Select all

/> mkdir project
/> cd project
/> touch dreambox
/> cvs -d :pserver:anoncvs@localhost/var/home/cvs/repository login  ( Press return when asked a password )
/> cvs -d :pserver:anoncvs@localhost/var/home/cvs/repository import -m "Trying to import" myproject vendor start
You should see something like this on ur screen :

Code: Select all

cvs server: cannot open /var/home/cvs/repository/CVSROOT/readers: Permission denied
cvs [server aborted]: "import" requires write access to the repository

OK, now, I'd like to discuss another security issue which is giving me headaches :

The files CVSROOT/*info can be used to execute programs such as sendmail to notify some users of an update, commit,... The thing is that one malicious guy ( such as james or dreambox ) who has write access to the repository can checkout CVSROOT and add entries in those files to execute a malicious program and gain access to private resources in the system !!! :twisted:. So, I decided to reinforce security by creating another unix group ( admincvs ). All users in that group, and only those users, have read/write access to CVSROOT ( Of course these users should be trustworthy in their intentions :roll: ). Users in the group admincvs should only read and update the CVSROOT module. Allowing them to import other modules that are intended to be shared would forbid other users ( running as usercvs ) to update those modules...

OK, here it is:

We create admincvs group and admincvs user :

Code: Select all

# groupadd admincvs
# useradd -d /var/home/cvs -g cvs -s /bin/false admincvs
# usermod -L admincvs        ( Lock user password )

We change the group owner of CVSROOT directory and disable
read/write/exec access to that directory to other users

Code: Select all

# cd /var/home/cvs/repository
# chgrp -R admincvs CVSROOT
# chmod o-rwx CVSROOT
add the following entry to CVSROOT/passwd ( using bin/cryptout perl program to crypt password ):

Code: Select all

admincvs:<crypted_passwd>:admincvs

Let's test it. Try to checkout CVSROOT as a normal user who has read/write access to repository but not to CVSROOT :

Code: Select all

/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository login  ( Enter password when asked )
/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository co CVSROOT
You should get the following message:

Code: Select all

Cannot access /var/home/cvs/repo/CVSROOT
Permission denied
Now try with admincvs:

Code: Select all

/> cvs -d :pserver:admincvs@localhost/var/home/cvs/repository login  ( Enter password when asked )
/> cvs -d :pserver:admincvs@localhost/var/home/cvs/repository co CVSROOT
You should get this:

Code: Select all

cvs server: Updating CVSROOT
U CVSROOT/checkoutlist
U CVSROOT/commitinfo
U CVSROOT/config
U CVSROOT/cvswrappers
U CVSROOT/editinfo
U CVSROOT/loginfo
U CVSROOT/modules
U CVSROOT/notify
U CVSROOT/rcsinfo
U CVSROOT/readers
U CVSROOT/taginfo
U CVSROOT/verifymsg
U CVSROOT/writers

Then, you would ask me: What's ur problem dreambox, everything is working fine :lol:, but then I would ask u to try to import a directory as a user who has read/write access to repository ( james or dreambox ) :

Code: Select all

/> mkdir test
/> cd test
/> touch test.file
/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository login  ( Enter password when asked )
/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository import -m "I want to import" test vendor start
You should get the following:

Code: Select all

Cannot access /var/home/cvs/repo/CVSROOT
Permission denied
Now, I would ask what the hell I did wrong ?

Code: Select all

/> ls -l repository
drwxrwx---    3 cvs      admincvs     1224 May 22 20:21 CVSROOT

Something I don't understand : xinetd is running as root. When xinetd receives a login request it creates a cvs process with usercvs uid, right?
Since usercvs user is the owner of CVSROOT, it should normally have access to that directory!


Thanks for reading all this :D, I know, it was long and maybe redundant :oops:

I would appreciate any feedback :idea:

Regards
dreambox
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb

Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming...
Top
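An added example, not part of dreambox's post and not CVS code: a small audit of the CVSROOT files the how-to creates (config, passwd, readers, writers). It applies the access rule from the CVS manual (a user in readers is read-only even if also listed in writers) and flags the pitfalls raised in this thread. The finding codes are made up for this example, and the second data set, including the guest entry, is constructed.

```python
"""Audit the pserver access-control files kept in CVSROOT (added example)."""
import re


def parse_users(text):
    """Names listed in a readers or writers file, one per line."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_passwd(text):
    """Parse CVSROOT/passwd lines of the form cvs_user:crypt_hash:unix_user.

    Returns ({cvs_user: (hash, unix_user)}, [numbers of malformed lines]).
    """
    entries, malformed = {}, []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0]:
            malformed.append(number)
            continue
        # Without a third field CVS runs as the system user of the same name.
        unix_user = fields[2] if len(fields) > 2 and fields[2] else fields[0]
        entries[fields[0]] = (fields[1], unix_user)
    return entries, malformed


def effective_access(user, readers, writers):
    """readers wins over writers; a writers file excludes everyone not in it."""
    if readers is not None and user in readers:
        return "read"
    if writers is not None and user not in writers:
        return "read"
    return "write"


def audit(files):
    """files maps 'config', 'passwd', 'readers', 'writers' to their text."""
    findings = []
    # SystemAuth must be set to no on an uncommented line, otherwise unknown
    # users fall back to system authentication (/etc/passwd).
    if not re.search(r"^[ \t]*SystemAuth[ \t]*=[ \t]*no[ \t]*$",
                     files.get("config", ""), re.M):
        findings.append(("SYSTEMAUTH", "config does not set SystemAuth=no"))
    # The last entry of each file needs a terminating newline.
    for name in ("passwd", "readers", "writers"):
        text = files.get(name)
        if text and not text.endswith("\n"):
            findings.append(("NO_NEWLINE", name))
    readers = parse_users(files["readers"]) if "readers" in files else None
    writers = parse_users(files["writers"]) if "writers" in files else None
    entries, malformed = parse_passwd(files.get("passwd", ""))
    for number in malformed:
        findings.append(("MALFORMED", "passwd line %d" % number))
    for user in sorted(set(readers or []) & set(writers or [])):
        findings.append(("BOTH_LISTS", user))
    for user, (pw_hash, _unix_user) in sorted(entries.items()):
        # An empty hash means login without a password: fine for a read-only
        # anonymous account, not for one that can commit.
        if pw_hash == "" and effective_access(user, readers, writers) == "write":
            findings.append(("EMPTY_PW_WRITE", user))
    return findings


# Layout from the how-to above (passwd entries as shown in the post).
GOOD = {
    "config": "SystemAuth=no\n",
    "passwd": "james:qPd3FRr4r3ln2:usercvs\n"
              "dreambox:AGJaHG3LxpYoA:usercvs\n"
              "anoncvs::anoncvs\n",
    "readers": "anoncvs\n",
    "writers": "james\ndreambox\n",
}

# Constructed variant with the mistakes discussed in the thread.
BAD = {
    "config": "#SystemAuth=no\n",
    "passwd": "james:qPd3FRr4r3ln2:usercvs\n"
              "anoncvs::anoncvs\n"
              "guest::usercvs",            # passwordless, no final newline
    "readers": "anoncvs\njames\n",          # james is also in writers
    "writers": "james\nguest",
}

if __name__ == "__main__":
    for code, detail in audit(BAD):
        print("%-15s %s" % (code, detail))
```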
mog
Apprentice
Posts: 253
Joined: Sat Jul 05, 2003 3:59 am
Location: Auckland [NZ]

Post by mog » Thu Aug 14, 2003 9:33 pm

great post ... thumbs up ... :lol:

maybe you could add how to run cvs over ssh :wink:
To thine own self be true.
Top
MrPyro
Tux's lil' helper
Posts: 121
Joined: Thu Aug 14, 2003 10:01 am
Location: Sheffield, England

Post by MrPyro » Fri Aug 15, 2003 11:58 am

dreambox said:
Now, I would ask what the hell I did wrong ?

Code: Select all


/> ls -l repository 
drwxrwx---    3 cvs      admincvs     1224 May 22 20:21 CVSROOT 
Something I don't understand : xinetd is running as root. When xinetd receives a login request it creates a cvs process with usercvs uid, right?
Since usercvs user is the owner of CVSROOT, it should normally have access to that directory!
I think the problem is that to import a new module, you need to write to CVSROOT, to add the new module to the modules file. In your setup, therefore, only admincvs can import a new module, but james or dreambox should be able to commit changes.
Back off man, I'm a computer scientist
Top
mog
Apprentice
Posts: 253
Joined: Sat Jul 05, 2003 3:59 am
Location: Auckland [NZ]

mhh ...

Post by mog » Sat Aug 16, 2003 12:19 am

I have followed your post pretty much as you said except for the fact that my repository is under /data/cvs/mog/ and the CVSROOT directory under /data/cvs/mog/CVSROOT/, however when I try to connect using either

Code: Select all

cvs -d :pserver:guest@localhost/data/cvs/mog login
or

Code: Select all

cvs -d :pserver:guest@localhost/mog login
it first prompts me for a password (I just press enter cause guest maps to anoncvs) and then it tells me

Code: Select all

/path/to/repository/ : no such repository
To thine own self be true.
Top
MrPyro
Tux's lil' helper
Posts: 121
Joined: Thu Aug 14, 2003 10:01 am
Location: Sheffield, England

Post by MrPyro » Sat Aug 16, 2003 6:07 am

I don't know if it's just a typo you've written on here, but there should be a colon between localhost and the path in that cvsroot definition

Code: Select all

cvs -d :pserver:guest@localhost:/data/cvs/mog login
Back off man, I'm a computer scientist
Top
EvilCHELU
n00b
Posts: 5
Joined: Sat May 24, 2003 6:31 pm

Post by EvilCHELU » Sat Aug 16, 2003 2:31 pm

mog:
check if you have the following in your /etc/xinetd.d/cvspserver file

Code: Select all

server_args        = -f --allow-root=/data/cvs/mog pserver

mrpyro:
i found that it works without the colon too, even tho the command syntax says it should be there
You'll Never Walk Alone.
Top
mog
Apprentice
Posts: 253
Joined: Sat Jul 05, 2003 3:59 am
Location: Auckland [NZ]

Post by mog » Sun Aug 17, 2003 5:18 am

well I am not entirely sure as to what exactly happened, but I went through the procedure again ... and now ... I can logon ... weird ... but thx anyway

however, what I did now is that I created a new directory in the repository and tried to check it out while I am logged in ... but I get the following error

setuid failed: Operation not permitted

any idea where that could come from ... ???
To thine own self be true.
Top
orb9
Tux's lil' helper
Posts: 82
Joined: Mon Sep 02, 2002 2:37 pm
Location: Germany

Post by orb9 » Thu Aug 21, 2003 10:38 pm

to dreambox: :lol: superb post :wink:
to mog: I had a similar problem. I got:
setgid failed: Operation not permitted

I found the source of trouble in /etc/xinetd.d/cvspserver. Mine looked like this (watch user and group: in dreambox's initial post user is root, mine was cvs)

Code: Select all

service cvspserver
{
	disable		= no
	socket_type	= stream
	wait		= no
	user		= cvs
	group		= cvs
	log_type	= FILE /var/log/cvspserver
	protocol	= tcp
	env		= '$HOME=/home/cvs'
	log_on_failure	+= USERID
	port		= 2401
	server		= /usr/bin/cvs
	server_args	= -f --allow-root=/home/cvs/repository pserver
}
So i changed user and group to root, restarted xinetd and was done :lol:

But i wanted to know, why this doesn't work with user cvs. Checked all permissions, they are all correct, everything in /home/cvs/ (i used this dir) belongs to cvs/cvs and all flags are set correctly.
So.. why it doesn't work with user cvs ?
"Without music, life would be a mistake - I would only believe in a god who knew how to dance." (Nietzsche)
Top
dreambox
Tux's lil' helper
Posts: 137
Joined: Sun Mar 09, 2003 1:11 am

Post by dreambox » Mon Dec 15, 2003 5:22 pm

Sorry for being late to reply guys/gals. When I first posted this how-to, I used to check for feedback every day, but for some period there was nothing :oops: , and today by luck I was checking my posts and was very happy u liked it :D.

These last days I was reinstalling the whole gentoo, I'm gonna try cvs again but also subversion which they say is better... If someone succeeds with cvs + ssh let me know please.
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb

Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming...
Top
Thiemo
Tux's lil' helper
Posts: 138
Joined: Wed Nov 20, 2002 10:34 pm

Re: Setting up a CVS pserver/xinetd step by step+security is

Post by Thiemo » Mon Dec 15, 2003 10:02 pm

Hi,

thanks for post. I have a question regarding this perl script generating encrypted text.
dreambox wrote:

Code: Select all

#!/usr/bin/perl
  
srand (time());
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);
  
print "${crypttext}\n";

I have seen this snippet in a book and tried it out. However, feeding it with the very same term, I don't get the same output:

Code: Select all

cvs@limbo  $ cryptout.pl test
jvvAuD7bpZwY2
cvs@limbo  $ cryptout.pl test
CiJOVUFmt6GEM
cvs@limbo  $ cryptout.pl test
ZBdG38ICoBHYo
cvs@limbo  $ cryptout.pl test
vuplQw/0Rp0dU
cvs@limbo  $ cryptout.pl test
vuplQw/0Rp0dU
cvs@limbo  $ cryptout.pl test
SNOUEr6lAxJJg
cvs@limbo  $ cryptout.pl test
SNOUEr6lAxJJg
cvs@limbo  $ cryptout.pl test
PgV8Kjke7flWE
cvs@limbo  $ cat bin/cryptout.pl
#!/usr/bin/perl

srand (time());
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);

print "${crypttext}\n";

I cannot imagine, if the output is not reproducible, that it can be used to make passwords. Am I wrong?

Cheers

Thiemo
root ist die wurzel allen uebels
Top
dreambox
Tux's lil' helper
Posts: 137
Joined: Sun Mar 09, 2003 1:11 am

Post by dreambox » Mon Dec 15, 2003 10:46 pm

I got the perl script from internet. This algorithm is the same to generate /etc/passwd, but i still don't know how user password is checked to validate it... If someone could give us some light :roll:
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb

Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming...
Top
Thiemo
Tux's lil' helper
Posts: 138
Joined: Wed Nov 20, 2002 10:34 pm

Post by Thiemo » Mon Dec 15, 2003 11:50 pm

Hm, I checked with the command

Code: Select all

passwd <passwordcheckuser>
and the entries in /etc/shadow also vary! 8O

I can only imagine that for password checks the encrypted password (as in /etc/shadow) gets "unencrypted" by some means and the different encrypted solutions to one password always result in the original. That seemed to me rather questionable. :oops:

Another possibility would be that there is some cool algorithm and applying it on the different encrypted "versions" as well as on the original text always results in the very same "check sum". :roll:
root ist die wurzel allen uebels
Top
ocbMaurice
Tux's lil' helper
Posts: 91
Joined: Fri Feb 14, 2003 2:32 pm
Location: Switzerland

Post by ocbMaurice » Tue Dec 16, 2003 1:14 am

Hello,

I also have some problems setting up the cvs server. I'm also stuck at the "setgid/setuid error" which is quite strange and more annoying is that cvs doesn't show exactly what it wants to setgid !?? So far I found out that it has to do with the passwd/group file under the chroot jail. I was able to convert a "setgid" error to a "setuid" error ... but I definitely do not want to run cvs as root !

Anyway, I think I can answer your question about the password. If I'm not wrong, the crypted password contains the salt as clear-text, so when it wants to match a given string, it will be crypted with the same salt and then the end-strings should be the same (hope that's correct). If I'm not wrong the salt consists of two letters.

Maurice
Top
dreambox
Tux's lil' helper
Posts: 137
Joined: Sun Mar 09, 2003 1:11 am

Post by dreambox » Tue Dec 16, 2003 3:06 pm

rand(26) = a random integer between 0 and 26
rand(1) = 0 or 1

In my opinion ( Don't flame my ignorance :roll: ), it seems that we can obtain 27 * 2 = 54 possible encryptions of the same passwd. The crypt function probably uses a hash function like MD5. I believe that we can't find out the clear text password; the algorithm compares hash results.

Anyway these are my 2 cents theories, if someone knows what's going behind the scene, let us know... :D

regards
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb

Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming...
Top
ocbMaurice
Tux's lil' helper
Posts: 91
Joined: Fri Feb 14, 2003 2:32 pm
Location: Switzerland

Post by ocbMaurice » Tue Dec 16, 2003 8:34 pm

I think you understood me wrong ! I'm now 99% sure it is the way I meant :

I'll give a simple example :

Code: Select all

$ perl -e 'print crypt("password", "sa"), "\n"'
sa3tHJ3/KuYvI
$ perl -e 'print crypt("password", "sn"), "\n"'
snf3JLX29OeF6
$ perl -e 'print crypt("password", "xyz"), "\n"'
xyAjYtmfRYx/.
So the salt that is used to encrypt the string is included as clear-text in the encrypted string. Therefore we later can do the same encryption. I personally often calculate the salt from the given password and cut the first two chars away from the encrypted string (that works just with my software, not on linux in general!). But not sure if it is more secure. The salt of course can also be randomly created.

Anyway, back to the cvsd setup. I actually managed to get it working quite easily with gentoo 1.4. I will summarize what I did :

Code: Select all

emerge -u cvsd
* note: this will install cvs and cvsd plus a few tools we'll need later. This way we do not need xinetd. It also creates a system user cvsd and a config file under /etc/cvsd/cvsd.conf. I'll do the rest so it fits the default configuration. You simply _should_ be able to adjust the paths properly.

Code: Select all

$ cvsd-buildroot /var/lib/cvsd/
$ mkdir /var/lib/cvsd/rep
$ cvs -d /var/lib/cvsd/rep init
$ chown cvsd. /var/lib/cvsd -R
Now we need to tell the cvsd config what repositories we use (the directories we created and inited, remember that cvs-server will run in a chroot-jail and therefore we need to reference from this root-point).

Code: Select all

$ echo "Repos /rep" >> /etc/cvsd/cvsd.conf

Setting up the users for cvs can be done in two ways. You simply could edit etc/passwd, etc/group and maybe etc/shadow within the chroot-jail to get the users working. I recommend to only use the virtual user file and to disable the system-users for cvs completely. Although one could say it doesn't make much difference in a chroot-jail where the /etc/passwd file is kept to a minimum anyway. Anyway, IMHO this approach is much cleaner. To do it that way :

Code: Select all

$ nano -w /var/lib/cvsd/rep/CVSROOT/config
There you should uncomment the second line (thxs to
dreambox for this info), so it does look like

Code: Select all

SystemAuth=no
To manage the users for your cvs-repository you should use the cvsd-passwd utility (which hopefully has been installed by cvsd too) :

Code: Select all

$ cvsd-passwd /var/lib/cvsd/rep/ +maurice +anoncvs +cvs
At this stage it seems that every user you created so far has read/write access. To setup the proper security model, we will create/edit the readers and writers file within the CVSROOT of our repository.

Code: Select all

$ echo "cvs" >> /var/lib/cvsd/rep/CVSROOT/readers
$ echo "anoncvs" >> /var/lib/cvsd/rep/CVSROOT/readers

$ echo "maurice" >> /var/lib/cvsd/rep/CVSROOT/writers
You should of course change the username maurice to your own :-) Also feel free to add more users, it should be clear how to do this (add passwd and add to readers or writers). You should know, that it is a bad idea to have a username in writers and in readers. Seems you'll then just get read permission !

To test your newly configured server I recommend to start cvsd in debug mode once, to do so enter

Code: Select all

$ cvsd -d
On a different console/pc you then can try to login :

Code: Select all

$ cvs -d :pserver:maurice@localhost:/rep login
Logging in to :pserver:maurice@localhost:2401/rep
CVS password: **********

cvs login: warning: skipping invalid entry in password file at line 1
The only last "problem" is the last warning which really seems just a warning as the rest seems to work as it should. Now you simply need to install the cvsd rc-script (use rc-update) to get your cvs server started at boot time. Hope you also got that far and if yes, or no, let us know ! I'll now have a look at ssh logins ...

Maurice
Last edited by ocbMaurice on Mon Jan 12, 2004 5:55 pm, edited 1 time in total.
Top
dreambox
Tux's lil' helper
Posts: 137
Joined: Sun Mar 09, 2003 1:11 am

Post by dreambox » Wed Dec 17, 2003 3:23 pm

ocbMaurice wrote:Hello,

I also have some problems setting up the cvs server. I'm also stuck at the "setgid/setuid error" which is quite strange and more annoying is that cvs doesn't show exactly what it wants to setgid !?? So far I found out that it has to do with the passwd/group file under the chroot jail. I was able to convert a "setgid" error to a "setuid" error ... but I definitely do not want to run cvs as root !
Maurice
Try this

Code: Select all

service cvspserver
{
        disable            = no
        socket_type    = stream
        wait                = no
        user                = cvs
        group              = cvs
        log_type          = FILE /var/log/cvspserver
        protocol          = tcp
        log_on_failure  += USERID
        port                = 2401
        server             = /usr/bin/cvs
        server_args     = -f --allow-root=/home/cvsroot pserver
}

Code: Select all

chmod 2755 /usr/bin/cvs
The chmod gives the application set gid permissions

Hope it helps
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb

Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming...
Top
sankeld
n00b
Posts: 9
Joined: Thu Oct 03, 2002 8:23 am

cvs+ssh

Post by sankeld » Thu Dec 18, 2003 8:44 am

Using CVS with SSH is much easier than using it with a pserver. As long as you have an ssh daemon running[1], a remote user may simply do:

export CVS_RSH='ssh'
export CVSROOT='ext:user@someplace.net:/home/cvsroot'

And that's it! All the cvs commands should work as expected.

One can free up the coder from typing passwords all the time using ssh-agent and ssh-add with public/private keys[2]. If it works with ssh itself, it will work with cvs.

A great resource on CVS can be found at
http://av.stanford.edu/books/cvsbook/

A great resource in general is
http://www.freeprogrammingresources.com/miscbook.html

[1] Check to see that 'ps aux | grep sshd' shows a process called /usr/sbin/sshd. If it doesn't, do a `emerge ssh` and a `rc-update add sshd default`. To start the daemon without a reboot do a `/etc/init.d/sshd start`.

[2] More information on that can be found here:
http://forums.gentoo.org/viewtopic.php?t=115096
Top
Squinky86
Retired Dev
Posts: 309
Joined: Tue Mar 25, 2003 5:51 am
Location: Alabama, USA

Post by Squinky86 » Fri Jan 02, 2004 8:25 pm

dreambox wrote:

Code: Select all

chmod 2755 /usr/bin/cvs
The chmod gives the application set gid permissions
Then wouldn't

Code: Select all

chmod 4755 /usr/bin/cvs
solve the set uid problems?
Me
Top
discostu
Guru
Posts: 333
Joined: Fri Nov 01, 2002 6:00 am

Post by discostu » Tue Jan 13, 2004 10:54 pm

I followed your instructions and was able to login, but I got an error when doing an import

Code: Select all

$ cvs import -m "My initial project message" testproj mycompany start
cvs import: cannot make path to /var/cvsroot/testproj: Permission denied
cvs import: Importing /var/cvsroot/testproj/testproj
cvs import: ERROR: cannot mkdir /var/cvsroot/testproj/testproj -- not added: No such file or directory
 
No conflicts created by this import
Thanks :)
"Disco Stu doesn't advertise."
Top
NiklasH
Apprentice
Posts: 211
Joined: Fri Aug 30, 2002 7:52 am
Location: On top of something

Re: cvs+ssh

Post by NiklasH » Tue Jan 13, 2004 11:01 pm

sankeld wrote: Using CVS with SSH is much easier than using it with a pserver. As long as you have an ssh daemon running[1], a remote user may simply do:

export CVS_RSH='ssh'
export CVSROOT='ext:user@someplace.net:/home/cvsroot'

And that's it! All the cvs commands should work as expected.

One can free up the coder from typing passwords all the time using ssh-agent and ssh-add with public/private keys[2]. If it works with ssh itself, it will work with cvs.

A great resource on CVS can be found at
http://av.stanford.edu/books/cvsbook/

A great resource in general is
http://www.freeprogrammingresources.com/miscbook.html

[1] Check to see that 'ps aux | grep sshd' shows a process called /usr/sbin/sshd. If it doesn't, do a `emerge ssh` and a `rc-update add sshd default`. To start the daemon without a reboot do a `/etc/init.d/sshd start`.

[2] More information on that can be found here:
http://forums.gentoo.org/viewtopic.php?t=115096
Yes, ssh is a piece of cake to set up (well, almost... )
I was beginning to feel I was missing something, since I didn't have those kinds of trouble setting up our ssh CVS server...
But your post calmed me! :lol:
Banana Republic
Top
daoist
n00b
Posts: 28
Joined: Wed May 14, 2003 6:36 pm

Post by daoist » Sun Feb 29, 2004 4:22 am

dreambox wrote:I got the perl script from internet. This algorithm is the same to generate /etc/passwd, but i still don't know how user password is checked to validate it... If someone could give us some light :roll:
Two things go into the password, the cleartext and the salt. When you make the password in the first place it randomly chooses a salt, and it stores the salt as the first two characters of the password.

To check passwords the system takes the password the user typed, encrypts it using the salt from the encrypted password stored on disk, and they should match. If so, that's a success, if not, that's a failure.

Note that at no time during this procedure is the password stored in the file ever decrypted. It's really really hard to decrypt.
Top
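The salt-then-compare check described in the posts above, as an added example that is not from any poster and not the CVS or crypt(3) source. It assumes a stand-in hash: PBKDF2-HMAC-SHA256 from Python's standard library instead of the DES-based crypt(3) the thread uses; the two-letter salt stored as a clear-text prefix follows the thread, and all function names are hypothetical. It also models why a clock-seeded generator gives the same salt for two runs in the same second.

```python
"""Salted one-way password entries: create, store, verify (added example)."""
import hashlib
import hmac
import random
import secrets
import string

LETTERS = string.ascii_letters   # the Perl script draws salts from A-Z and a-z
SALT_LEN = 2                     # the salt is the first two characters of the entry


def clock_seeded_salt(now):
    """Model of srand(time()): the salt depends only on the current second.

    Python's generator is not Perl's, so the letters differ from the script's,
    but the property is the same: same second, same seed, same salt.
    """
    rng = random.Random(int(now))
    return "".join(rng.choice(LETTERS) for _ in range(SALT_LEN))


def random_salt():
    """Salt taken from the OS random source, independent of the clock."""
    return "".join(secrets.choice(LETTERS) for _ in range(SALT_LEN))


def hash_with_salt(password, salt):
    """Stored entry = salt in clear text + one-way digest of (salt, password).

    Stand-in for crypt(3): PBKDF2-HMAC-SHA256, hex encoded.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return salt + digest.hex()


def verify(candidate, stored):
    """Re-hash the candidate with the salt read from the stored entry.

    The stored entry is never decrypted; only the two results are compared,
    in constant time.
    """
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(hash_with_salt(candidate, salt), stored)


if __name__ == "__main__":
    first = hash_with_salt("test", random_salt())
    second = hash_with_salt("test", random_salt())
    # Same password, different salts: the entries differ but both verify.
    print(first[:12], second[:12], verify("test", first), verify("test", second))
    # Constructed timestamps within one second give one salt.
    print(clock_seeded_salt(1071525720.1) == clock_seeded_salt(1071525720.9))
```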
hw-tph
l33t
Posts: 768
Joined: Thu Jan 08, 2004 12:06 am
Location: Uppsala, Sweden

Post by hw-tph » Sat May 15, 2004 11:16 am

ocbMaurice wrote:

Code: Select all

$ cvs -d :pserver:maurice@localhost:/rep login
Logging in to :pserver:maurice@localhost:2401/rep
CVS password: **********

cvs login: warning: skipping invalid entry in password file at line 1
The only last "problem" is the last warning which really seems just a warning as the rest seems to work as it should.
To resolve this error message simply check out the passwd file and add a blank line after the last entry (so the file ends with a blank line), save the file and commit. Done. :)


Håkan
Top
crafteh
n00b
Posts: 29
Joined: Tue Mar 30, 2004 11:27 pm

Post by crafteh » Thu Feb 10, 2005 6:07 am

I followed the tutorial but I can not access the cvs from another computer. I'm trying to view a list of projects in eclipse but it says Socket Exception: Connection reset. I started up xinetd... what else do I need to do to get it to work over a network?
Top