LinuxSecurity.com

3. Setting up the tools

Now that CVS and cvsd are built, let's set them up.

3.1. Creating the CVS Repository

Before we begin, I strongly recommend you read the CVS manual that was installed with the rest of CVS. If the stand-alone info browser or the texinfo package is installed on your system, you can see this manual by typing the command info cvs at your shell.

First, plan out where you want your repository. Debian defaults to /var/lib/cvs. My repository is under the directory /cvs/root, and is on its own small partition. What you do depends on your needs and can vary widely.

Important

Make sure that the repository is a subdirectory of an empty directory! For example, if you are installing it into /var/lib/cvs, put the repository in /var/lib/cvs/root (or whatever you want for the last directory). This is because we create a chroot jail for the Pserver!

After you have planned where you want to put your repository and made the necessary partitions, if desired, run the following command (we assume that it will be at /cvs/root):


$ cvs -d /cvs/root init
  

That will initialize your repository and set up the necessary CVSROOT files.

3.2. Setting up the jail

Now that we have the CVSROOT set up, we need to copy the appropriate libraries and files for cvsd, which runs the Pserver in the chroot jail.

3.2.1. Transferring the necessary files

Note

If you installed cvsd from a package management system like RPM, this may already be done for you. If that is the case, skip ahead to the next step.

Change your directory to /cvs (or whatever the directory before your root is) and enter the following commands:


$ cvsd-buildroot /cvs
$ mkdir -p var/lock
$ adduser cvsd
$ addgroup cvsd
   

Thankfully, cvsd comes with the script cvsd-buildroot, so we don't have to do all the necessary copying by hand. However, you should edit the /cvs/etc/passwd file, and remove the entry for "root," as it's unneeded.

3.2.2. Configuring cvsd

The defaults in /etc/cvsd/cvsd.conf are okay, but can be less than desirable. Make sure that RootJail is set to the location of the chroot jail you built, and that Repos is the path of the repository relative to the chroot jail. Set MaxConnections to whatever you desire, and make sure that Uid and Gid are set to cvsd. If you are lacking an already-built cvsd.conf file, here is mine:

Example 1. My cvsd.conf


Uid cvsd
Gid cvsd
PidFile /var/run/cvsd.pid
RootJail /cvs
MaxConnections 10
Nice 1
Listen * 2401
Repos /root
Limit coredumpsize 0
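
One way to verify the points above before starting cvsd, as an added example that is not part of the original HOWTO or of cvsd itself: it reads a cvsd.conf and checks that Uid and Gid are not root, that each Repos entry is a subdirectory of RootJail containing CVSROOT, that the jail's etc/passwd has no root entry, and that var/lock exists. The function names and the PREFIX argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit cvsd.conf against its chroot jail.
# conf_get KEY FILE -> value(s) of a directive, one per line.
conf_get() {
    awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print }' "$2"
}

# audit_cvsd CONF [PREFIX] -> prints findings, returns the number of problems.
# PREFIX (an assumption of this example) is prepended to RootJail for test trees.
audit_cvsd() {
    conf=$1 prefix=${2:-} bad=0
    jail=$(conf_get RootJail "$conf")
    for id in "$(conf_get Uid "$conf")" "$(conf_get Gid "$conf")"; do
        case $id in
            ''|root|0) echo "FAIL: Uid/Gid must name an unprivileged account"; bad=$((bad+1));;
        esac
    done
    case $jail in
        ''|/) echo "FAIL: RootJail is not a dedicated directory"; bad=$((bad+1));;
    esac
    # Repos is relative to the jail and must be a subdirectory, not the jail itself.
    for repo in $(conf_get Repos "$conf"); do
        if [ "$repo" = / ]; then
            echo "FAIL: repository is the jail root"; bad=$((bad+1))
        elif [ ! -d "$prefix$jail$repo/CVSROOT" ]; then
            echo "FAIL: no CVSROOT under $jail$repo"; bad=$((bad+1))
        fi
    done
    # The jail's own passwd file should not carry a root entry.
    if grep -q '^root:' "$prefix$jail/etc/passwd" 2>/dev/null; then
        echo "FAIL: root entry in $jail/etc/passwd"; bad=$((bad+1))
    fi
    [ -d "$prefix$jail/var/lock" ] || { echo "FAIL: $jail/var/lock missing"; bad=$((bad+1)); }
    return "$bad"
}

# Constructed demo: a throwaway jail tree mirroring the layout used on this page.
demo_audit() {
    t=$(mktemp -d); mkdir -p "$t/cvs/root/CVSROOT" "$t/cvs/etc" "$t/cvs/var/lock"
    printf 'cvsd:x:100:100::/:/bin/false\n' > "$t/cvs/etc/passwd"
    printf 'Uid cvsd\nGid cvsd\nRootJail /cvs\nRepos /root\n' > "$t/cvsd.conf"
    audit_cvsd "$t/cvsd.conf" "$t" && echo "OK: no findings"
    rm -rf "$t"
}
demo_audit
```

On a real system, call audit_cvsd /etc/cvsd/cvsd.conf with no second argument.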
    

3.3. Adding anonymous access

It's back to configuring CVS, but don't worry, we are almost there! We have to edit a couple of necessary files to allow for anonymous access. First, making sure you aren't in the CVS directory, check out the CVSROOT module:


# cvs -d /cvs/root checkout CVSROOT
# cd CVSROOT
  

Now edit the file READERS. Create it if it isn't there, and add a line that reads "anonymous".

Important

You NEED to have an extra line at the end of the file!

The file READERS is a list of users who have read-only access to the CVS repository. People with write access are listed in the file WRITERS. Read the cvs manual [1] for more information on these files.

Now commit the change with the commands below. We assume that your current working directory is CVSROOT. If it isn't, skip the cd step.


# cd ../
# cvs -d /cvs/root commit
  

You should now get a message that says something like Re-building administrative files, which means that it was successful.

One last step and we're all done! Run the following command, and when prompted for a password, just press ENTER:


# cvsd-passwd /cvs/root anonymous
  

Congratulations! You now have secure, anonymous CVS Pserver access to the repository!

3.4. Not quite done yet! Changing lock file locations

There is one small feature here that is really beyond the scope of this Mini-HOWTO but is worth noting nonetheless. It is the ability to change the directory where the Pserver will place lock files.

Normally the Pserver will place lock files in the same directory as the files that you are trying to check out, but this can cause permissions mayhem. Step back to when we built the chroot jail for cvsd; we also created the directory var/lock. This is where we will place the lockfiles instead.

So use the following example, replacing /cvs with wherever your chroot environment is, and var with wherever the locks are going to be placed. Mine are placed in var/lock, and there is nothing else under var, so a chown -R is safe. Also, replace the cvsd user and group ids with the user and group ids that cvsd runs as.


# cd /cvs
# chown -R cvsd:cvsd var
# chmod -R 775 var
# cd
# cvs -d /cvs/root checkout CVSROOT
# cd CVSROOT
  

Now we want to edit the file config. Change lock dir to the directory where you want the locks to be placed, in our case /var/lock.

Important

Note that this applies to the Pserver AS WELL AS THE NON-CHROOT SSH LOGIN METHOD! Ensure that this directory is not only in existence, but that you can write to it as well, relative to your root directory. This is why I have chosen /var/lock, because it satisfies those conditions.

Now commit the changes:


# cd ../
# cvs -d /cvs/root commit
  

And that's it!
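
The two easy mistakes in sections 3.3 and 3.4 can be caught with a short check, given here as an added example that is not part of the original HOWTO: the READERS file must list the user and end with a newline, and the lock directory must exist and be writable both inside the jail and outside it. The function names, the PREFIX argument and the LockDir= line format of the config file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): check the READERS file and the lock directory.

# check_readers FILE USER -> 0 if USER is listed and FILE ends with a newline.
check_readers() {
    [ -s "$1" ] || { echo "FAIL: $1 is missing or empty"; return 1; }
    grep -qx "$2" "$1" || { echo "FAIL: $2 not listed in $1"; return 1; }
    # $(...) strips trailing newlines, so any output means the last byte is not "\n".
    [ -z "$(tail -c 1 "$1")" ] || { echo "FAIL: $1 lacks a final newline"; return 1; }
}

# check_lockdir CONFIG JAIL [PREFIX] -> 0 if the lock directory named in CONFIG
# exists inside the jail (Pserver) and outside it (non-chroot SSH access).
# -w tests the account running the check, so run it as the user cvsd runs as.
check_lockdir() {
    dir=$(sed -n 's/^LockDir=//p' "$1" | tail -n 1)
    [ -n "$dir" ] || { echo "FAIL: LockDir not set in $1"; return 1; }
    for d in "${3:-}$2$dir" "${3:-}$dir"; do
        [ -d "$d" ] && [ -w "$d" ] || { echo "FAIL: $d missing or not writable"; return 1; }
    done
}

# Constructed demo in a throwaway directory (PREFIX keeps it off real system paths).
demo_cvsroot() {
    t=$(mktemp -d); mkdir -p "$t/cvs/var/lock" "$t/var/lock"
    printf 'anonymous' > "$t/READERS"             # deliberately no final newline
    printf 'LockDir=/var/lock\n' > "$t/config"
    check_readers "$t/READERS" anonymous || true  # reports the missing newline
    check_lockdir "$t/config" /cvs "$t" && echo "OK: lock directory usable"
    rm -rf "$t"
}
demo_cvsroot
```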

Notes

[1] info cvs, if you have the stand-alone info viewer installed on your system

    
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.