Chireru

CVS Security

I need to allow certain users the ability to read and write some modules in CVS, while being restricted from reading the rest, or certain others.

Does anyone know of a way to accomplish this?
ITG-SSNA

One way is to set the CVS daemon (part of xinetd) to require a PAM authenticated password, meaning they have to be a user on the system before being added as a CVS user in the cvs.allow files. In this way, you can assign different un*x style groups in the server settings, use CHMOD to attribute the source trees, and if they try to check out a module they don't belong with, then they will get permissions denied errors from CVS.

I found WinCVS handy in this respect as it inherently supported mapping multiple users. http://www.wincvs.org/

Let me know if this helps you.

Highest regards,

~K Black
Irvine, Ca.
Chireru

ASKER

That's an idea, however, I'd like to try to keep it on the pserver protocol.  If I were to implement that, I would use CVS over SSH, which would force the authentication.

I may end up going that way, but I've also found this, which allows ACLs to be set:
http://cvsacl.sourceforge.net/

I'm still looking for ideas though, the easier to maintain and implement, the better.

ITG-SSNA

Can't you just add a line in the config file of the CVSROOT dir like

SystemAuth=no

And then use 'passwd' flatfile auth within the CVS Tree (somewhat like .htaccess)?

[root@mail CVSROOT]# ls
checkoutlist    config,v       Emptydir/  modules,v  rcsinfo,v  verifymsg,v
checkoutlist,v  cvswrappers    history    notify     taginfo
commitinfo      cvswrappers,v  loginfo    notify,v   taginfo,v
commitinfo,v    editinfo       loginfo,v  passwd     val-tags
config          editinfo,v     modules    rcsinfo    verifymsg

[root@mail CVSROOT]# cat passwd
dkwan:ZPpGYyHjL/Jpk:dkwan
sangam:XTzBWBOINS1Tc:sangam
admin:OLFbiCvHcxFe6:admin
sunlux:BD.QTI/uLaaP2:sunlux
[root@mail CVSROOT]#

The cvs passwd file knows crypt and md5 passwords I get from the
/etc/shadow file.

Regards,

~K Black
Irvine, Ca.
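
The two suggestions in this thread combine: with SystemAuth=no, the third field of each CVSROOT/passwd line names the system account a pserver login runs as, so Unix group permissions on each module directory still apply per module. The Python audit below is an added example, not part of the original posts; the module names, logins and the `cvsshared` account are constructed, and it assumes one top-level directory per module.

```python
import os, stat, tempfile
from collections import Counter

def parse_passwd(text):
    """Map each pserver login to the system account it runs as.
    Line format: login:crypt-hash:system-user (third field optional)."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if fields[0]:
            accounts[fields[0]] = fields[2] if len(fields) > 2 and fields[2] else fields[0]
    return accounts

def system_auth_disabled(config_text):
    """True only if CVSROOT/config has an uncommented SystemAuth=no."""
    for line in config_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "SystemAuth":
            return value.strip().lower() == "no"
    return False  # CVS defaults to SystemAuth=yes

def audit(root):
    """Return findings for a repository laid out as root/CVSROOT plus module directories."""
    findings, admin = [], os.path.join(root, "CVSROOT")
    with open(os.path.join(admin, "config")) as fh:
        if not system_auth_disabled(fh.read()):
            findings.append("CVSROOT/config: SystemAuth is not 'no'")
    with open(os.path.join(admin, "passwd")) as fh:
        counts = Counter(parse_passwd(fh.read()).values())
    for account in sorted(a for a, n in counts.items() if n > 1):
        # logins sharing one system account cannot be told apart by file permissions
        findings.append(f"CVSROOT/passwd: several logins run as '{account}'")
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if name != "CVSROOT" and os.path.isdir(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IRWXO:  # any 'other' bit defeats group-based separation
                findings.append(f"{name}: mode {mode:04o} is open to accounts outside its group")
    return findings

def demo():
    """Build a constructed repository in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "CVSROOT"))
        with open(os.path.join(root, "CVSROOT", "config"), "w") as fh:
            fh.write("# constructed sample\nSystemAuth=no\n")
        with open(os.path.join(root, "CVSROOT", "passwd"), "w") as fh:
            fh.write("alice:HASH:alice\nbob:HASH:cvsshared\ncarol:HASH:cvsshared\n")
        for module, mode in (("billing", 0o770), ("website", 0o775)):
            os.mkdir(os.path.join(root, module))
            os.chmod(os.path.join(root, module), mode)
        return audit(root)
```
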
Chireru

ASKER

It looks like the passwd file would be per-repository, which means that I can't restrict it per-module.
ASKER CERTIFIED SOLUTION
ITG-SSNA