CVS Security

I need to allow certain users the ability to read and write some modules in CVS, while being restricted from reading the rest, or certain others.

Does anyone know of a way to accomplish this?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

One was is to set the CVS daemon (part of xinetd) to require a PAM authenticated password, meaning they have to be a user on the system before being added as a CVS user in the cvs.allow files. In this way, you can assign different un*x style groups in the server settings, use CHMOD to attribute the source trees, and if they try to check out a module they don't belong with, then they will get permissions denied errors from CVS.

I found WinCVS handy in this respect as it inherently supported mapping multiple users.

Let me know if this helps you.

Highest regards,

~K Black
Irvine, Ca.
ChireruAuthor Commented:
That's an idea, however, I'd like to try to keep it on the pserver protocol.  If I were to implement that, I would use CVS over SSH, which would force the authentication.

I may end up going that way, but I've also found this, which allows ACLs to be set:

I'm still looking for ideas though, the easier to maintain and implement, the better.
ChireruAuthor Commented:
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Can't you just add a line in the config file of the CVSROOT dir like


And then use 'passwd' flatfile auth within the CVS Tree (somewhat like .htaccess)?

[root@mail CVSROOT]# ls
checkoutlist    config,v       Emptydir/  modules,v  rcsinfo,v  verifymsg,v
checkoutlist,v  cvswrappers    history    notify     taginfo
commitinfo      cvswrappers,v  loginfo    notify,v   taginfo,v
commitinfo,v    editinfo       loginfo,v  passwd     val-tags
config          editinfo,v     modules    rcsinfo    verifymsg

[root@mail CVSROOT]# cat passwd
[root@mail CVSROOT]#

The cvs passwd file knows crypt and md5 passwords I get from the
/etc/shadow file.


~K Black
Irvine, Ca.
ChireruAuthor Commented:
It looks like the passwd file would be per-repository, which means that I can't restrict it per-module..

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.