Kerberized CVS

Organization: W S Rupprecht Computer Consulting, Fremont CA
From: Wolfgang Rupprecht <wolfgang@dailyplanet.wsrcc.com>
To: kerberos@MIT.EDU
Subject: cvs with krb5 support
Date: 17 Jul 1997 14:35:31 -0700
 

I'd like to announce the availability of a version of the current cvs
(1.9.10) with krb5 support.  Ftp from: 

 ftp.wsrcc.com:/pub/wolfgang/krb5-cvs-1_1.tar.gz
- -wolfgang


File:     README-KRB5
Author:   Wolfgang Rupprecht <wolfgang@capsicum.wsrcc.com>
Created:  Thu Jul 17 13:13:38 PDT 1997
Contents: readme file for my krb5 hacks to cvs
$Id: README-KRB5,v 1.1 1997/07/17 21:14:49 wolfgang Exp $

This program is a replacement cvs that is capable of using a kerberos kdc to authenticate a user.

New features:

A true CVS server mode.

* The user's home directory is never referenced. (A big bonus for NFS-ed
  home dirs if the NFS is slow.)

* The user does not need an account on the Unix machine that is
  hosting the CVSROOT.

* The cvs repository is owned by user CVS group CVS and need not be
  writable by anyone else.

* Only the users listed in CVSROOT/cvs.acl have access to the cvs server.

Lineage

This program is really just a minor hack that combines the latest cvs 1.9.10 with some sample code from the sample server of krb5-1.0pl1.

Compilation

This code has been tested on SunOS 4.1.4 and NetBSD (current 7/15/97).

To compile and install: 

 ./configure
 make
 make install
or: 
 mkdir obj.<yourostype>
 cd obj.<yourostype>
 ../configure
 gmake
 gmake install
The latter requires a make like gnu make that understands VPATH.

Check the output of configure and/or the Makefile to make sure that
configure found krb5.
You should see something like: 

LIBS = -lcrypt - -L/usr/local/lib -lkrb5 -lcrypto -lcom_err

Installation

add a user cvs to/etc/password 
 cvs:*:10:10:CVS pseudo-user:/usr/cvsroot:/sbin/nologin
add a group cvs to /etc/groups 
 cvs:*:10:
add a cvs port number to /etc/services 
 cvs     1999/tcp      # unofficial cvs port
add a cvs config line to /etc/inetd.conf 
 cvs      stream  tcp    nowait  root  /usr/local/bin/cvs  kserver -b /usr/local/bin kserver
Add this as a single line.

Send inetd a SIGHUP. (or reboot) 

 mkdir /usr/cvsroot 
 chown cvs.cvs /usr/cvsroot 
 su cvs 
 cd /usr/cvsroot 
 cvs -d /usr/cvsroot init
Read the info pages about checking out the CVSROOT psuedo-module. (A good place to check CVSROOT out is in /tmp or /usr/tmp .)

Add the file CVSROOT/cvs.acl containing all the krb5 principals that should have access to the cvs repository.

edit the file CVSROOT/checkoutlist to include the newly added file above.  eg. add this line: 

 cvs.acl  "Can't checkout cvs.acl"
commit the CVSROOT module and you should be done.  You may 'cvs release' it now.
 exit the su, returning to your normal uid.
 set your CVSROOT env variable to: 
:kserver:YOURHOST.YOURDOMAIN:/usr/cvsroot
and export it.  e.g., 
 export CVSROOT=":kserver:cvsroot.YOURDOMAIN:/usr/cvsroot"
(This of course assumes you have a machine called "cvsroot" in your domain.  Adjust for local conditions.)
[csh users: you will have to type "bash" or "sh" first.]
Errors are logged to syslog.  Check the daemon.info and daemon.notice logs in case of difficulty.

Now you are ready to import a directory and play with a true server-mode cvs.  No more worrying about users fumble-fingering (or hacking) the RCS files directly.  They don't have write access.  If you really want to be fascist, you can run the CVSROOT machine without user login access.  This might help in situations where user's home directories are NFS mounted over a slow WAN link and one doesn't want anything slowing down the cvs server.  The latter was the original motivation for me writing this hack.  Slow NFS links were contributing to skyrocketing load averages on the cvsroot machine.

Security

Don't give cvs a real shell.

Don't give cvs any power to write to any file other than in /usr/cvsroot .

Be careful that you assign unique UID and GID numbers to user and group cvs.

Don't give anyone other than user cvs write permission for any file in or under /usr/cvsroot (including /usr/cvsroot).

Legal stuff

I'm releasing this code under the following BSD-style copyright.
 
You are still obliged to obey the other copyrights found elsewhere in this package.

Copyright (c) 1996, 1997 Wolfgang S. Rupprecht.

Redistribution and use in source and binary forms are permitted
provided that the above copyright notice and this paragraph are
duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use
acknowledge that the software contains code developed by the
Wolfgang S. Rupprecht.
 
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

More legal stuff

This package does not contain or reference any encryption routines.