
Recipe 18.14. Building an Anonymous Read-Only CVS Repository with Pserver

18.14.1 Problem

In the spirit of "many eyes make all bugs shallow," you want to set up a public CVS repository, so that random users can download your nightly builds (or whatever you've stored there—your Great Collaborative Anime, World's Best Arugula Recipes, Finest Unheard Songs, etc.). Your anonymous users will be allowed to only check out files; they won't be able to do checkins.

18.14.2 Solution

Set up a CVS Pserver. You'll need cvsd, a functioning CVS server, and OpenSSH set up and running on the CVS server in daemon mode. cvsd is an add-on for running CVS in Pserver mode, tucked away in a nice chroot jail.

cvsd is available in Debian Testing and Unstable, and in a source tarball. When this was written, the only available RPMs were quite old (Version .6-2). This recipe was written for Version 1.0.2, so if you can't find a current RPM, you should install from sources. Sources (as well as .debs) are available from the cvsd home page (http://tiefighter.et.tude.nl/~arthur/cvsd).

This is how to install from sources:

$ ./configure --prefix=/usr --sysconfdir=/etc

$ make

# make install

Create a cvsd user and group:

# groupadd cvsd

# useradd -d /cvs/home -s /bin/false -c "cvs pserver daemon" -g cvsd -u 110 cvsd

Then create your repository root directory and chroot jail. This must be a subdirectory of an empty directory, so that the chroot jail will work:

# mkdir /cvs

# cd /cvs

# cvsd-buildroot /cvs

Change ownership to the cvsd user and group, and set permissions:

# chown -R cvsd:cvsd /cvs

# chmod 775 /cvs

Next, initialize your new cvsd repository, and create the root directory for the repository. Put this in a subdirectory:

# cvs -d /cvs/home init

Now edit /etc/cvsd/cvsd.conf as follows:

  • The UID and GID should be cvsd and cvsd.

  • Umask should be 027.

  • RootJail must correspond to the root of your CVS repository (in this example, /cvs).

  • Edit one of the Repos entries to name the new root directory of your repository (in this example, /home).

Next, add anonymous access to your repository. As root, create a sandbox directory somewhere, then check out the CVSROOT directory:

# mkdir /sandbox

# cd /sandbox

# cvs -d /cvs/home checkout CVSROOT

# cd CVSROOT

Create a CVSROOT/readers file, adding a guest user. There should be just one line of text in this file, the word "guest". Be sure to end the file with a couple of blank lines. Then use the add and update commands to add it to the repository:

# cvs -d /cvs/home update

# cvs -d /cvs/home add readers

# cd /sandbox

# cvs -d /cvs/home commit -m 'pserver guest access' CVSROOT/readers

Finally, give guest a null password:

# cvsd-passwd /cvs/home guest

Don't create a password; just hit Enter until it goes away. Now fire up cvsd, and connect as an ordinary user:

# /etc/init.d/cvsd start

$ cvs -d:pserver:guest:@localhost:/home login

Logging in to :pserver:guest@localhost:2401/home

If you type a colon after "guest", it won't prompt you for the empty password. Mind your filepaths: use /home, not /cvs/home.

18.14.3 Discussion

It is important to follow all the steps in order, to get the file permissions correct. You want the chroot filesystem in /cvs to be owned by cvsd, but not the CVSROOT directory.

Populate your new public repository in the usual manner. Add authorized users to the cvsd group. They can then import project files locally, or over SSH.

Do not use the CVS Pserver for anything but anonymous public access, and never allow checkins via Pserver. Its authentication methods are wide-open cleartext, as you saw when you created the readers and passwd files. For extra insurance, to prevent write access via Pserver, create an empty CVSROOT/writers file.
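To confirm that the finished setup matches the settings listed in the Solution and the empty writers file advised above, here is an added example (not from the book) that audits the configuration and the CVSROOT administrative files. The names audit_pserver, conf_has, and make_fixture are hypothetical helpers, the fixture is constructed sample data, and the script assumes cvsd.conf holds one "Key value" pair per line.

```shell
#!/bin/sh
# Added example (not from the book): audit a cvsd pserver tree for read-only access.
# Usage on a real host: sh audit.sh /etc/cvsd/cvsd.conf /cvs /home

# conf_has KEY VALUE FILE: true if FILE has a "KEY VALUE" line (assumed layout;
# key compared case-insensitively, value as a string, so "27" is not "027").
conf_has() {
    awk -v k="$1" -v v="$2" \
        'tolower($1) == tolower(k) && $2 "" == v "" { ok = 1 } END { exit !ok }' "$3"
}

# audit_pserver CONF JAIL REPO: print one FAIL line per problem, return 1 if any.
audit_pserver() {
    conf=$1; jail=$2; repo=$3; bad=0
    admin="$jail$repo/CVSROOT"      # e.g. /cvs + /home + /CVSROOT
    fail() { echo "FAIL: $*"; bad=1; }

    conf_has Uid cvsd "$conf"          || fail "Uid is not cvsd"
    conf_has Gid cvsd "$conf"          || fail "Gid is not cvsd"
    conf_has Umask 027 "$conf"         || fail "Umask is not 027"
    conf_has RootJail "$jail" "$conf"  || fail "RootJail is not $jail"
    conf_has Repos "$repo" "$conf"     || fail "no Repos entry for $repo"

    grep -qx guest "$admin/readers" 2>/dev/null || fail "guest not in readers"
    # An existing but empty writers file grants write access to no pserver user.
    { [ -f "$admin/writers" ] && [ ! -s "$admin/writers" ]; } ||
        fail "writers must exist and be empty"
    # Anonymous-only server: every account in CVSROOT/passwd must be in readers.
    extra=$(cut -d: -f1 "$admin/passwd" 2>/dev/null | while read -r u; do
        [ -z "$u" ] || grep -qxF "$u" "$admin/readers" 2>/dev/null || printf '%s ' "$u"
    done)
    [ -z "$extra" ] || fail "pserver accounts not in readers:" $extra
    return $bad
}

# make_fixture DIR: constructed sample layout matching the recipe, for a dry run.
make_fixture() {
    mkdir -p "$1/cvs/home/CVSROOT"
    printf 'Uid cvsd\nGid cvsd\nUmask 027\nRootJail %s/cvs\nRepos /home\n' "$1" \
        > "$1/cvsd.conf"
    printf 'guest\n\n\n' > "$1/cvs/home/CVSROOT/readers"
    printf 'guest::cvsd\n' > "$1/cvs/home/CVSROOT/passwd"
    : > "$1/cvs/home/CVSROOT/writers"
}

if [ $# -eq 3 ]; then audit_pserver "$@" && echo "OK: pserver is read-only"; fi
```

The script reads file contents only; ownership of /cvs and CVSROOT still has to be checked by hand with ls -ld.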

Users connecting over the Internet must use the full domain name:

$ cvs -d:pserver:guest:@cvsserver.test.net:/home login

You'll have to post explicit instructions to tell them how to connect to your repository. Users can also go directly to checkout:

$ cvs -d :pserver:guest:@cvsserver.test.net:/home checkout .

OpenSSH is for your authorized users who will be maintaining the files in the repository. (They will use the access methods described in Recipe 18.11.) It is best to keep your public repository separate from your private, working repository, and to update it nightly via rsync-over-ssh. If someone manages to compromise your Pserver, you don't want to provide an easy path to your working CVS server.

18.14.4 See Also
