Permitting anonymous read-only access to your CVS repository
Posted by Steve on Thu 14 Jul 2005 at 14:19
Previously we've described how to run a secure CVS server using OpenSSH, but that didn't allow anonymous users to check out code from the repository in a read-only fashion. Here we'll correct that omission.
The process of setting up a secure CVS server with OpenSSH is ideal for small groups of users who all need to make changes, and the issue of anonymous remote users wasn't discussed.
Updating the server setup to permit anonymous checkouts is very simple though.
If you've got the CVS server up and running then you only need to make a few small additions:
- Allow the CVS server process to run via inetd/xinetd
- Create a new "anonymous" user.
- Set up the anonymous user so that CVS will regard it as a read-only user.
If you've got the CVS package installed already you should be up and running in no time. If not you'll first need to install it with:
apt-get install cvs
When you install the server you'll be asked where you would like your CVS repository to be located, or given the chance to point it at an existing one. Choose whichever option you need.
Finally you'll be offered the chance to run the "CVS pserver"; answer yes to this question. (If you have previously installed CVS and wish to change your options you may run "dpkg-reconfigure cvs".)
Once you have the CVS server up and running you need to add a new system account with no shell for the anonymous user.
The following command will do that:
useradd -s /bin/false anonymous
The next step is to configure the anonymous user to be a valid user with no password for CVS logins. This involves adding a line to a file passwd beneath your CVSROOT directory.
My CVS repository is located in /home/cvs, so for me the command is:
echo "anonymous:" >> /home/cvs/CVSROOT/passwd
Then to make sure this is only used for read-only access add the anonymous user to the file readers in the same directory:
echo "anonymous" >> /home/cvs/CVSROOT/readers
This should be sufficient to allow the anonymous user to log in and check out code without being able to modify anything.
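A check for the two files edited above, as an added example that is not part of the original article: it lists every account in CVSROOT/passwd that has an empty password field but that CVS would not treat as read-only. The function name audit_pserver is hypothetical, and the writers file it also consults is a standard CVS file that this article does not use.

```shell
#!/bin/sh
# Added example (not from the original article). Prints each CVSROOT/passwd
# account with an empty password field that is NOT read-only.
# Exit status: 0 = none found, 1 = at least one found, 2 = passwd unreadable.
audit_pserver() {
    admin_dir=$1                       # e.g. /home/cvs/CVSROOT
    passwd_file=$admin_dir/passwd
    readers_file=$admin_dir/readers
    writers_file=$admin_dir/writers
    [ -r "$passwd_file" ] || { echo "cannot read $passwd_file" >&2; return 2; }

    bad=0
    # Field 1 is the CVS user name, field 2 the password hash (empty here).
    for user in $(awk -F: '$1 != "" && $2 == "" { print $1 }' "$passwd_file"); do
        # Read-only case 1: the name is on a line of its own in readers.
        if [ -f "$readers_file" ] && grep -qxF -- "$user" "$readers_file"; then
            continue
        fi
        # Read-only case 2: writers exists and does not list the name.
        if [ -f "$writers_file" ] && ! grep -qxF -- "$user" "$writers_file"; then
            continue
        fi
        echo "$user"
        bad=1
    done
    return $bad
}

# Constructed sample: readers held "bob" without a trailing newline, so the
# echo >> append left the single line "bobanonymous" and no "anonymous" entry.
demo=$(mktemp -d)
printf 'anonymous:\nsteve:%s\n' 'CONSTRUCTED-HASH' > "$demo/passwd"
printf 'bob' > "$demo/readers"
echo "anonymous" >> "$demo/readers"
audit_pserver "$demo" || echo "the accounts listed above can commit without a password"
rm -rf "$demo"
```

On the server described here, run it as audit_pserver /home/cvs/CVSROOT after editing either file.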
The syntax for the client would be:
skx@mystery:/tmp$ cvs -d :pserver:anonymous@hostname:/home/cvs login
Logging in to :pserver:anonymous@hostname:2401/home/cvs
CVS password: [Enter here = blank password]
skx@mystery:/tmp$ cvs -d :pserver:anonymous@hostname:/home/cvs co module
The anonymous client will now be able to keep up to date with the codebase and not be able to modify anything upon the server. Attempting to commit a local change will result in the following error message:
cvs [server aborted]: "commit" requires write access to the repository
cvs commit: saving log message in /tmp/cvsXXX
The code which runs this site is available online, and can now be checked out anonymously if you wish:
cvs -d :pserver:anonymous@cvsrepository.org:/home/cvs login
cvs -d :pserver:anonymous@cvsrepository.org:/home/cvs co yawns
/etc/pam.d/ssh
auth required pam_unix.so nullok
/etc/shadow
anoncvs::12375:0:99999:7:::
/etc/passwd
anoncvs:x:1003:1003::/data/home/anoncvs:/usr/local/bin/rcvssh
where rcvssh is a neat tool that shows a friendly message that interactive login is not allowed, while cvs is. Optionally you can enable sftp. I wasn't able to enable scp. You'll find the sources in my cvs if you google for rccvssh.c
Marcus.