Gentoo Forums
cvspserver, user=root and security
green_buddy
Tux's lil' helper


Joined: 08 Jan 2003
Posts: 115
Location: Bay Area, CA

Posted: Thu Feb 20, 2003 12:48 am    Post subject: cvspserver, user=root and security

Hi everyone,

I've been thinking that setting up cvspserver to use the root user probably isn't the best idea in terms of providing for a secure system... even through an ssh tunnel. Are there any other suggestions for what the xinetd's user value should be?

Thanks,
-green
eLWedgo
n00b


Joined: 18 Nov 2002
Posts: 32

Posted: Thu Feb 20, 2003 11:05 am    Post subject: My setup

Hi,

I've set up a cvsserver with pserver myself and you're absolutely right: the root user in the inetd.conf looks kind of suspicious ;-)

The solution was to add a group "cvsusers" and a "nobody"-style user "cvspserver" in that group.
His /etc/passwd entry looks like this:
Code:
cvspserver:x:1053:1051:CVS owner:/home/cvspserver/:/bin/false

The home directory is empty (I only added it for testing), so I guess /dev/null should be fine. Group number 1051 is of course cvsusers.

Now when you set up your cvs repository somewhere (e.g. /usr/local/cvshome) make sure that the CVSROOT directory and its content are owned by "cvspserver.cvsusers". Privileges rwx------ should be ok for the files (I'm guessing here, so you might want to play around).
To clarify it a bit (let's assume there's an already set up repository in /usr/local/cvshome):
Code:

# repository top level: owner and group get rwx
chown cvspserver:cvsusers /usr/local/cvshome
chmod 770 /usr/local/cvshome
# administrative files: owner only (rwx------)
chown -R cvspserver:cvsusers /usr/local/cvshome/CVSROOT
chmod -R 700 /usr/local/cvshome/CVSROOT


Now you can use the "cvspserver" user in the inetd.conf (that user needs access to the CVSROOT/* files).

To enhance security a bit I've also added a dummy user (in group "cvsusers") for each project in the repository and used the aliasing mechanism of CVS (see Cederqvist 2.9.3.1) to administrate the project-members. The respective directories are chowned to those users (obviously they all have no login shells and no home directories) and have their access-rights set to rwx------.

The group "cvsusers" is not necessary here but I think things look more clean this way.

I hope that helped a little :-)
Good luck,
Peter
green_buddy
Tux's lil' helper


Joined: 08 Jan 2003
Posts: 115
Location: Bay Area, CA

Posted: Fri Feb 21, 2003 12:10 am

Yeah that sounds great!

Thanks :!: :D
-green
ajaygautam
Apprentice


Joined: 23 Jan 2003
Posts: 205
Location: London Below

Posted: Thu Mar 13, 2003 4:13 pm

Thanks for the detailed steps. That was great.

Just for the sake of completeness: I got the following error message at the client end:

setgid failed: Operation not permitted

A quick search on Google led me to: http://tiefighter.et.tudelft.nl/~arthur/cvsd/faq.html

which (FAQ 4) says:
Quote:

#4 cvs login works but cvs checkout or other commands fail with "setgid failed: Operation not permitted"

This can happen when you run cvsd as non-root (which is recommended) and didn't set up your repository passwd file (CVSROOT/passwd) correctly. The repository passwd files should contain mappings of cvs users to the user you specified in cvsd.conf. If no mapping is present cvs tries to become the "original" user and fails because it's not running as root. Your repository passwd files should look like:
anonymous:XGPg1ub8xh70U:cvsd


Thanks
wolfblade
n00b


Joined: 16 Oct 2003
Posts: 22
Location: Oklahoma

Posted: Fri Dec 05, 2003 10:28 pm    Post subject: Completeness

Just for the sake of completeness to this thread I thought I would add what I found. If you are running cvspserver as a non-root user, make sure your CVSROOT/passwd file in your repository is of the format below.

I am assuming your id is "user" and the non-root user running cvspserver is "cvs"

Code:
user::cvs
user2::cvs


Do this for each one of your users that need access to cvs and you will alleviate the setgid problems when connecting to your pserver.

Hope this helps someone.
_________________
--
Jeff
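
An added example, not part of any post in this thread: a small Python check of a CVSROOT/passwd file for the two issues that matter when the pserver runs as a non-root user, namely entries that do not end up running as the unprivileged account (the cause of the "setgid failed" error quoted above) and entries with an empty password field, which per the CVS manual are accepted with any password. The account name "cvs", the function name and the sample lines are assumptions constructed for illustration.

```python
# Added example: audit CVSROOT/passwd for a pserver running as a non-root user.
# RUN_AS, the function name and SAMPLE are assumptions made for this example.

RUN_AS = "cvs"  # assumed unprivileged account the pserver runs as

# Constructed sample; "abCdEfGhIjKlM" is a placeholder, not a real crypt() hash.
SAMPLE = """\
anonymous:abCdEfGhIjKlM:cvs
user::cvs
user2:abCdEfGhIjKlM
admin:abCdEfGhIjKlM:root
"""


def audit_cvs_passwd(text, run_as=RUN_AS):
    """Return (line_number, cvs_user, problem) for each risky entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        cvs_user = fields[0]
        password = fields[1] if len(fields) > 1 else ""
        mapped = fields[2] if len(fields) > 2 else ""
        # Without a mapping, cvs tries to become the system user named like
        # the CVS user, which needs root ("setgid failed" otherwise).
        effective = mapped or cvs_user
        if effective == "root":
            findings.append((lineno, cvs_user, "runs as root"))
        elif effective != run_as:
            findings.append(
                (lineno, cvs_user, f"runs as {effective}, not {run_as}"))
        if not password:
            # An empty password field lets this CVS user in with any password.
            findings.append((lineno, cvs_user, "empty password field"))
    return findings


if __name__ == "__main__":
    for lineno, cvs_user, problem in audit_cvs_passwd(SAMPLE):
        print(f"line {lineno}: {cvs_user}: {problem}")
```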