I'd like to announce the availability of a version of the current cvs
(1.9.10) with krb5 support. Ftp from:

    ftp.wsrcc.com:/pub/wolfgang/krb5-cvs-1_1.tar.gz

-wolfgang

* The user's home directory is never referenced. (A big bonus for NFS-ed
home dirs if the NFS is slow.)
* The user does not need an account on the Unix machine that is
hosting the CVSROOT.
* The cvs repository is owned by user CVS group CVS and need not be
writable by anyone else.
* Only the users listed in CVSROOT/cvs.acl have access to the cvs server.

To compile and install:

    ./configure
    make
    make install

or:

    mkdir obj.<yourostype>
    cd obj.<yourostype>
    ../configure
    gmake
    gmake install

The latter requires a make like gnu make that understands VPATH.

Check the output of configure and/or the Makefile to make sure that
configure found krb5. You should see something like:

    LIBS = -lcrypt -L/usr/local/lib -lkrb5 -lcrypto -lcom_err

Add a user cvs to /etc/passwd:

    cvs:*:10:10:CVS pseudo-user:/usr/cvsroot:/sbin/nologin

Add a group cvs to /etc/group:

    cvs:*:10:

Add a cvs port number to /etc/services:

    cvs 1999/tcp # unofficial cvs port

Add a cvs config line to /etc/inetd.conf:

    cvs stream tcp nowait root /usr/local/bin/cvs kserver -b /usr/local/bin kserver

Add this as a single line.
Send inetd a SIGHUP. (or reboot)

    mkdir /usr/cvsroot
    chown cvs.cvs /usr/cvsroot
    su cvs
    cd /usr/cvsroot
    cvs -d /usr/cvsroot init

Read the info pages about checking out the CVSROOT pseudo-module. (A good place to check CVSROOT out is in /tmp or /usr/tmp .)
Add the file CVSROOT/cvs.acl containing all the krb5 principals that should have access to the cvs repository.
Edit the file CVSROOT/checkoutlist to include the newly added file above, e.g. add this line:

    cvs.acl "Can't checkout cvs.acl"

Commit the CVSROOT module and you should be done. You may 'cvs release' it now.

Set CVSROOT to:

    :kserver:YOURHOST.YOURDOMAIN:/usr/cvsroot

and export it, e.g.:

    export CVSROOT=":kserver:cvsroot.YOURDOMAIN:/usr/cvsroot"

(This of course assumes you have a machine called "cvsroot" in your domain. Adjust for local conditions.)

Now you are ready to import a directory and play with a true server-mode cvs. No more worrying about users fumble-fingering (or hacking) the RCS files directly. They don't have write access. If you really want to be fascist, you can run the CVSROOT machine without user login access. This might help in situations where users' home directories are NFS mounted over a slow WAN link and one doesn't want anything slowing down the cvs server. The latter was the original motivation for me writing this hack. Slow NFS links were contributing to skyrocketing load averages on the cvsroot machine.

Don't give cvs any power to write to any file other than in /usr/cvsroot .
Be careful that you assign unique UID and GID numbers to user and group cvs.
Don't give anyone other than user cvs write permission for any file in or under /usr/cvsroot (including /usr/cvsroot).
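
The three rules above can be checked mechanically. The following is an added example, not part of the krb5-cvs distribution: a shell audit that lists anything under the repository not owned by the cvs user or writable by group or other, and counts how many passwd or group entries share a numeric id. The function names audit_cvsroot and count_id are made up for this example.

```shell
#!/bin/sh
# Added example; audit_cvsroot and count_id are hypothetical helper names.

# audit_cvsroot ROOT OWNER
# Print every path under ROOT that is not owned by OWNER (name or numeric
# uid) or that has group/other write permission. Mode bits on symlinks are
# not meaningful, so only their ownership is checked.
# Returns 0 if clean, 1 if anything was listed, 2 if ROOT is not a directory.
audit_cvsroot() {
    _root=$1
    _owner=$2
    [ -d "$_root" ] || return 2
    _bad=$(find "$_root" \( ! -user "$_owner" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)
    if [ -z "$_bad" ]; then
        return 0
    fi
    printf '%s\n' "$_bad"
    return 1
}

# count_id FILE ID
# Count entries in a passwd- or group-format FILE whose third field (the
# numeric uid or gid) equals ID. Anything above 1 means the id is shared.
count_id() {
    awk -F: -v id="$2" '$3 == id { n++ } END { print n + 0 }' "$1"
}

# Typical use on the server described above (run as root):
#   audit_cvsroot /usr/cvsroot cvs || echo "fix ownership/permissions"
#   [ "$(count_id /etc/passwd 10)" -eq 1 ] || echo "uid 10 is not unique"
#   [ "$(count_id /etc/group 10)" -eq 1 ] || echo "gid 10 is not unique"
```
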
Copyright (c) 1996, 1997 Wolfgang S. Rupprecht.
Redistribution and use in source and binary forms are permitted
provided that the above copyright notice and this paragraph are
duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use
acknowledge that the software contains code developed by the
Wolfgang S. Rupprecht.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.