[clue-admin] CVS pserver access

Jed S. Baer thag at frii.com
Tue Mar 15 18:13:48 MST 2005 

On Tue, 15 Mar 2005 15:45:32 -0700
Jeff Cann wrote:

> > Well, I'm preparing to set up the CVS pserver, because it seems a
> > reasonable thing to do to provide anonymous read-only access to the
> > CVS repository. The reason being that if there's prospects for
> > CLUEbies to review site developments, but without providing SSH and
> > commit access, I would like for that to be possible. And, at the
> > moment, I need to do a little studying to figure out how to allow
> > commit access to the development area without allowing commit to
> > production anyway, but that's a tangent.
> 
> After learning about this for a project at work, I decided to use the
> 'cvs export' command to build 'production' releases.  The advantage is
> that the export is not a cvs sandbox and thus no one could commit
> changes to it.

Not sure what you're getting at there. Regardless of whether the end user
does a 'cvs checkout' or a 'cvs export', they still need read access to
the repository. It'll be tough for me to solicit comments on code people
can't read. I'm not even trying to solve the commit access problem, except
that access to the repository via the "anonymous" username isn't able to.

> > The only reason I get slightly hesitant about doing this is that it
> > involves firing up the inetd service, and I figure that the fewer
> > services running, the fewer exploits there are to worry about. But the
> > pserver requires inetd, so there's no way around it
> 
> Didn't you mean xinetd?  If not, then CVS does run via xinetd and I
> believe xinetd service is used for sshd, so I think it's already
> running.

Yeah, I'm being a sloppy typist. Xinetd isn't currently running (or
shouldn't be). I didn't configure it to start, since we had no need for it
at the time I did the install. sshd is running as a standalone daemon.
But, we do need it for pserver, if that needs doing, and I'm open to other
methods of exposing the repository to readonly access.

I did get pserver running properly, after I remembered to open up the
firewall on port 2401. But I ran into permission problems, which I'll
relate, except I'm late getting out the door right now.

Right now, I'm regarding CVS as a PITA. That might change if I can get my
hands on better dox than a Postrcript version of the Cederqvist. (But I
have no money for buying books right now.)

jed
-- 
http://s88369986.onlinehome.us/freedomsight/
Key fingerprint = B027 FEFB 4281 CC72 67D1  4237 F2D0 D356 077A A30E
... it is poor civic hygiene to install technologies that could someday
facilitate a police state. -- Bruce Schneier

More information about the clue-admin mailing list