<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Setting up the tools</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Secure CVS Pserver Mini-HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Getting the tools"
|
|
HREF="gettools.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Alternatives to the Pserver"
|
|
HREF="pserveralternatives.html"></HEAD
|
|
><BODY
|
|
CLASS="sect1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Secure CVS Pserver Mini-HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="gettools.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="pserveralternatives.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="setuptools"
|
|
></A
|
|
>3. Setting up the tools</H1
|
|
><P
|
|
> Now that CVS and cvsd are built, let's set them up.
|
|
</P
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="createrepository"
|
|
></A
|
|
>3.1. Creating the CVS Repository</H2
|
|
><P
|
|
> Before we begin, I strongly recommend you read the CVS manual that
was installed with the rest of CVS. If the stand-alone info browser
or the texinfo package is installed on your system, you can see
this manual by typing the command <B
CLASS="command"
>info cvs</B
> at your shell.
|
|
</P
|
|
><P
|
|
> First, plan out where you want your repository. Debian defaults to
<TT
CLASS="filename"
>/var/lib/cvs</TT
>. My repository
is under the directory <TT
CLASS="filename"
>/cvs/root</TT
>,
and is on its own small partition. What you do depends on your needs
and can vary widely.
|
|
<DIV
|
|
CLASS="important"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="important"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/important.gif"
|
|
HSPACE="5"
|
|
ALT="Important"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
> Make sure that the repository is a subdirectory of an empty directory! For example, if you are installing it into <TT
CLASS="filename"
>/var/lib/cvs</TT
>, put the repository in <TT
CLASS="filename"
>/var/lib/cvs/root</TT
> (or whatever you want for the last directory). This is because the parent directory becomes the chroot jail for the Pserver!
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
>
|
|
</P
|
|
><P
|
|
> After you have planned where you want to put your repository
and made the necessary partitions, if desired, run the following command
(we assume that it will be at <TT
CLASS="filename"
>/cvs/root</TT
>):
|
|
</P
|
|
><DIV
|
|
CLASS="informalexample"
|
|
><A
|
|
NAME="AEN103"
|
|
></A
|
|
><P
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> <TT
CLASS="prompt"
>$</TT
> cvs -d /cvs/root init
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><P
|
|
> That will initialize your repository and set up the necessary
<TT
CLASS="envar"
>CVSROOT</TT
> files.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="setupjail"
|
|
></A
|
|
>3.2. Setting up the jail</H2
|
|
><P
|
|
> Now that we have the <TT
CLASS="envar"
>CVSROOT</TT
> set up, we need to copy the
appropriate libraries and files for cvsd, which runs the
Pserver in the chroot jail.
|
|
</P
|
|
><DIV
|
|
CLASS="sect3"
|
|
><H3
|
|
CLASS="sect3"
|
|
><A
|
|
NAME="copyfiles"
|
|
></A
|
|
>3.2.1. Transferring the necessary files</H3
|
|
><P
|
|
> <DIV
|
|
CLASS="note"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="note"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/note.gif"
|
|
HSPACE="5"
|
|
ALT="Note"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>If you installed cvsd from a package management system like
RPM, this may already be done for you. If that is the case,
skip ahead to the next step.</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
>
|
|
Change your directory to <TT
CLASS="filename"
>/cvs</TT
> (or whatever the parent directory of your repository root is) and enter the following commands:
|
|
</P
|
|
><DIV
|
|
CLASS="informalexample"
|
|
><A
|
|
NAME="AEN118"
|
|
></A
|
|
><P
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> <TT
CLASS="prompt"
>$</TT
> cvsd-buildroot /cvs
<TT
CLASS="prompt"
>$</TT
> mkdir -p var/lock
<TT
CLASS="prompt"
>$</TT
> adduser cvsd
<TT
CLASS="prompt"
>$</TT
> addgroup cvsd
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><P
|
|
> Thankfully, cvsd comes with the script <B
CLASS="command"
>cvsd-buildroot</B
>, so we don't have to do all the necessary copying by hand. However, you should edit the <TT
CLASS="filename"
>/cvs/etc/passwd</TT
> file, and remove the entry for <SPAN
CLASS="QUOTE"
>"root,"</SPAN
> as it's unneeded.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect3"
|
|
><H3
|
|
CLASS="sect3"
|
|
><A
|
|
NAME="configcvsd"
|
|
></A
|
|
>3.2.2. Configuring cvsd</H3
|
|
><P
|
|
> The defaults in <TT
CLASS="filename"
>/etc/cvsd/cvsd.conf</TT
> are okay, but can be less than desirable. Make sure that <TT
CLASS="envar"
>RootJail</TT
> is set to the location of the chroot jail you built, and that Repos is set to the directory where the repository is <EM
>relative to the chroot jail</EM
>. Set <TT
CLASS="varname"
>MaxConnections</TT
> to whatever you desire, and make sure that Uid and Gid are set to cvsd. If you are lacking an already-built <TT
CLASS="filename"
>cvsd.conf</TT
> file, here is mine:
|
|
</P
|
|
><DIV
|
|
CLASS="example"
|
|
><A
|
|
NAME="AEN136"
|
|
></A
|
|
><P
|
|
><B
|
|
>Example 1. My <TT
|
|
CLASS="filename"
|
|
>cvsd.conf</TT
|
|
></B
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> Uid cvsd
Gid cvsd
PidFile /var/run/cvsd.pid
RootJail /cvs
MaxConnections 10
Nice 1
Listen * 2401
Repos /root
Limit coredumpsize 0
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="addanonaccess"
|
|
></A
|
|
>3.3. Adding anonymous access</H2
|
|
><P
|
|
> It's back to configuring CVS, but don't worry, we are almost
there! We have to edit a couple of necessary files to allow for
anonymous access. First, making sure you aren't in the CVS directory,
check out the CVSROOT module:
|
|
</P
|
|
><DIV
|
|
CLASS="informalexample"
|
|
><A
|
|
NAME="AEN143"
|
|
></A
|
|
><P
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> <TT
CLASS="prompt"
>#</TT
> cvs -d /cvs/root checkout CVSROOT
<TT
CLASS="prompt"
>#</TT
> cd CVSROOT
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><P
|
|
> Now edit the file <TT
CLASS="filename"
>READERS</TT
>. Create it if it isn't there, and add a line that reads <SPAN
CLASS="QUOTE"
>"anonymous"</SPAN
>.
|
|
<DIV
|
|
CLASS="important"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="important"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/important.gif"
|
|
HSPACE="5"
|
|
ALT="Important"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>You NEED to have an extra line at the end of the file!</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
>
|
|
The file <TT
CLASS="filename"
>READERS</TT
> is a list of users who have
read-only access to the CVS repository. People with write access
are listed in the file <TT
CLASS="filename"
>WRITERS</TT
>. Read the cvs
manual <A
NAME="AEN154"
HREF="#FTN.AEN154"
><SPAN
CLASS="footnote"
>[1]</SPAN
></A
>
for more information on these files.
|
|
</P
|
|
><P
|
|
> Now commit the change with the commands below. We assume
that your current working directory is <TT
CLASS="envar"
>CVSROOT</TT
>. If it
isn't, skip the <B
CLASS="command"
>cd</B
> step.
|
|
</P
|
|
><DIV
|
|
CLASS="informalexample"
|
|
><A
|
|
NAME="AEN160"
|
|
></A
|
|
><P
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> <TT
CLASS="prompt"
>#</TT
> cd ../
<TT
CLASS="prompt"
>#</TT
> cvs -d /cvs/root commit
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><P
|
|
> You should now get a message that says something like <TT
CLASS="computeroutput"
>Re-building administrative files</TT
>, which means that it was successful.
|
|
</P
|
|
><P
|
|
> One last step and we're all done! Run the following command,
and when prompted for a password, just press <B
CLASS="keycap"
>ENTER</B
>:
|
|
</P
|
|
><DIV
|
|
CLASS="informalexample"
|
|
><A
|
|
NAME="AEN168"
|
|
></A
|
|
><P
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> <TT
CLASS="prompt"
>#</TT
> cvsd-passwd /cvs/root anonymous
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><P
|
|
> Congratulations! You now have secure, anonymous CVS Pserver access
to the repository!
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="lockfilelocation"
|
|
></A
|
|
>3.4. Not quite done yet! Changing lock file locations</H2
|
|
><P
|
|
> There is one small feature here that is really beyond the scope
of this Mini-HOWTO but is worth noting nonetheless. It is the
ability to change the directory where the Pserver will place lock files.
|
|
</P
|
|
><P
|
|
> Normally the Pserver will place lock files in the same directory
as the files that you are trying to check out, but this can cause
permissions mayhem. Step back to when we built the chroot
jail for cvsd; we also created the directory <TT
CLASS="filename"
>var/lock</TT
>. This is where we will place the lockfiles instead.
|
|
</P
|
|
><P
|
|
> So use the following example, replacing <TT
CLASS="filename"
>/cvs</TT
> with wherever your <TT
CLASS="envar"
>chroot</TT
> environment is, and <TT
CLASS="filename"
>var</TT
> with wherever the locks are going to be placed. Mine are placed in <TT
CLASS="filename"
>var/lock</TT
>, and there is nothing else under <TT
CLASS="filename"
>var</TT
>, so a <B
CLASS="command"
>chown -R</B
> is safe. Also, replace the cvsd user and group ids with the user and group ids that cvsd runs as.
|
|
</P
|
|
><DIV
|
|
CLASS="informalexample"
|
|
><A
|
|
NAME="AEN184"
|
|
></A
|
|
><P
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> <TT
CLASS="prompt"
>#</TT
> cd /cvs
<TT
CLASS="prompt"
>#</TT
> chown -R cvsd:cvsd var
<TT
CLASS="prompt"
>#</TT
> chmod -R 775 var
<TT
CLASS="prompt"
>#</TT
> cd
<TT
CLASS="prompt"
>#</TT
> cvs -d /cvs/root checkout CVSROOT
<TT
CLASS="prompt"
>#</TT
> cd CVSROOT
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><P
|
|
> Now we want to edit the file <TT
CLASS="filename"
>config</TT
>. Change
LockDir to the directory where you want the locks to be placed, in our
case <TT
CLASS="filename"
>/var/lock</TT
>.
|
|
<DIV
|
|
CLASS="important"
|
|
><P
|
|
></P
|
|
><TABLE
|
|
CLASS="important"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="25"
|
|
ALIGN="CENTER"
|
|
VALIGN="TOP"
|
|
><IMG
|
|
SRC="../images/important.gif"
|
|
HSPACE="5"
|
|
ALT="Important"></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
><P
|
|
>Note that this applies to the Pserver <EM
> AS WELL AS THE NON-CHROOT SSH LOGIN METHOD!</EM
>
Ensure that this directory not only exists, but that you can
write to it as well, relative to your root directory. This is why I have
chosen <TT
CLASS="filename"
>/var/lock</TT
>, because it satisfies those conditions.</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
>
|
|
Now commit the changes:
|
|
</P
|
|
><DIV
|
|
CLASS="informalexample"
|
|
><A
|
|
NAME="AEN199"
|
|
></A
|
|
><P
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> <TT
CLASS="prompt"
>#</TT
> cd ../
<TT
CLASS="prompt"
>#</TT
> cvs -d /cvs/root commit
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><P
|
|
></P
|
|
></DIV
|
|
><P
|
|
> And that's it!
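
The check script below is an added example, not part of the original HOWTO or of cvsd: it reads RootJail, Uid and Repos from a cvsd.conf and verifies the jail layout built in sections 3.2 to 3.4 (no root entry in the jail's passwd, Repos and LockDir resolving inside the jail, lock directory owned by the cvsd user). The function names and the sample jail are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a cvsd jail against the settings described above.
# conf_get FILE KEY: print the value(s) of a "Key value" line in cvsd.conf.
conf_get() { awk -v k="$2" '$1 == k { print $2 }' "$1"; }

# audit_cvsd_jail CONF: print one FAIL line per problem; status 0 if none.
audit_cvsd_jail() {
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    jail=$(conf_get "$1" RootJail)
    uid=$(conf_get "$1" Uid)
    [ -n "$uid" ] || fail "Uid is not set"
    if [ -z "$jail" ] || [ ! -d "$jail" ]; then
        fail "RootJail '$jail' is not a directory"
        return 1
    fi
    # The jail's passwd file should no longer carry the root entry.
    if grep -q '^root:' "$jail/etc/passwd" 2>/dev/null; then
        fail "$jail/etc/passwd still has a root entry"
    fi
    # Repos is relative to the jail: the real path is RootJail + Repos.
    for repos in $(conf_get "$1" Repos); do
        admin=$jail$repos/CVSROOT
        if [ ! -d "$admin" ]; then
            fail "Repos $repos: $admin is missing"
            continue
        fi
        # LockDir from CVSROOT/config is resolved inside the jail as well.
        lock=$(sed -n 's/^LockDir=//p' "$admin/config" 2>/dev/null || true)
        [ -n "$lock" ] || continue
        if [ ! -d "$jail$lock" ]; then
            fail "LockDir $lock does not exist inside $jail"
        elif [ "$(ls -ld "$jail$lock" | awk '{ print $3 }')" != "$uid" ]; then
            fail "$jail$lock is not owned by $uid"
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample jail laid out like the HOWTO's /cvs; the directory
# owner stands in for the cvsd user so the sample works on any machine.
make_sample_jail() {
    mkdir -p "$1/etc" "$1/root/CVSROOT" "$1/var/lock"
    echo 'cvsd:x:1001:1001::/:/bin/false' > "$1/etc/passwd"
    echo 'LockDir=/var/lock' > "$1/root/CVSROOT/config"
    owner=$(ls -ld "$1/var/lock" | awk '{ print $3 }')
    printf 'Uid %s\nGid %s\nRootJail %s\nRepos /root\n' \
        "$owner" "$owner" "$1" > "$1/cvsd.conf"
}
```

On the server, source the file and run audit_cvsd_jail /etc/cvsd/cvsd.conf as root; each FAIL line names the setting to revisit.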
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><H3
|
|
CLASS="FOOTNOTES"
|
|
>Notes</H3
|
|
><TABLE
|
|
BORDER="0"
|
|
CLASS="FOOTNOTES"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
WIDTH="5%"
|
|
><A
|
|
NAME="FTN.AEN154"
|
|
HREF="setuptools.html#AEN154"
|
|
><SPAN
|
|
CLASS="footnote"
|
|
>[1]</SPAN
|
|
></A
|
|
></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
WIDTH="95%"
|
|
><P
|
|
>info cvs, if you have the stand-alone
<B
CLASS="command"
>info</B
> viewer installed on your system</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></BODY
|
|
></HTML
|
|
> |