# Setting up a CVS pserver/xinetd step by step+security issues

## dreambox

Hello,

Sorry if it looks a duplicate post. This post is a personal effort and contains also security issues using pserver connections  :Smile: 

Three days ago, I had to set up a secure cvs pserver. After spending many hour reading the doc at the excellent site www.cvshome.org, I successfully set it up running it with inetd.

I know that the most secure is to use SSH connection since in pserver authentication passwords are sent in clear, but i tried to focus on the state of art of doing it. Today, I tried to set it up with xinetd but some security issues raised that i didn't solve it yet, but this setting should work very fine if u're not paranoid with security  :Laughing: 

Here are the steps I used to setup my cvs server :

1) Login as root and create a user/group cvs/cvs. Note: The repository is inside the user's home and not the user's home, this would allow you later to create many repositories as u want in the user's home ( Easier to manage )

```

    # groupadd cvs

    # mkdir -p /var/home/cvs

    # useradd -d /var/home/cvs -g cvs -s /bin/bash -p <cvs_passwd> cvs

    # chown -R cvs:cvs /var/home/cvs

    # su - cvs

    /> cvs -d /var/home/cvs/repository init

    /> chmod g+rwx /var/home/cvs/repository

    /> exit

```

2) Create users anoncvs and usercvs. anoncvs will be allowed to read repository but cannot write. usercvs will be allowed to read/write in repository

```

    # useradd -d /var/home/cvs -g cvs -s /bin/false usercvs

    # usermod -L usercvs        ( Lock user password )

    # useradd -d /var/home/cvs -g cvs -s /bin/false anoncvs

    # usermod -L anoncvs       ( Lock user password )

```

3) We want to use pserver authentication and don't want cvs to fallback to system authentication when user doesn't exist. Doing this, we are trying to secure at maximum access to cvs  :Smile: . Here are the steps:

    We have to store users and encrypted passwords in /var/home/cvs/repository/CVSROOT/passwd

Using ur favourite editor, add entries of this form in /var/home/cvs/repository/CVSROOT/passwd:

<cvs_user>:<encrypted_password>:<unix_user>

We encrypt cvs user's password using this well known perl script:

```

#!/usr/bin/perl

  

srand (time());

my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";

my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);

my $plaintext = shift;

my $crypttext = crypt ($plaintext, $salt);

  

print "${crypttext}\n";

```

You can create for example a bin directory in cvs home, copy and paste the script to file cryptout in that directory. Then chmod +x cryptout and add $HOME/bin to PATH variable in file .bash_profile. Syntax of cryptout is:

cryptout <clear_text_password>

it'll produce an encrypted password as the ones stored in /etc/passwd.

Here an example of passwd file:

james:qPd3FRr4r3ln2:usercvs

dreambox:AGJaHG3LxpYoA:usercvs

anoncvs::anoncvs

Typical scenario, users james and dreambox would have read/write access to the repository, and anoncvs would have only read access without having to enter a password.

Note: In practice james and dreambox don't exist in the system as unix users, they are virtual cvs users.

To disable cvs to fallback into system authentication when user doesn't exist we have to modify the file under /var/home/cvs/CVSROOT/config.

To set read/write permissions in repository we have to create 2 files ( readers and writers ) also under /var/home/cvs/CVSROOT. Users in readers file are only allowed to read repository. Users in writers are allowed to read/write in repository. 

config, readers, writers have to be versionned, so first we checkout module CVSROOT :

```

/> cvs -d /var/home/cvs/repository co CVSROOT

cvs server: Updating CVSROOT

U CVSROOT/checkoutlist

U CVSROOT/commitinfo

U CVSROOT/config

U CVSROOT/cvswrappers

U CVSROOT/editinfo

U CVSROOT/loginfo

U CVSROOT/modules

U CVSROOT/notify

U CVSROOT/rcsinfo

U CVSROOT/taginfo

U CVSROOT/verifymsg

```

Uncomment line #SystemAuth=no . This will inform cvs to not check in /etc/passwd when user doesn't exist in CVSROOT/passwd

```

/> echo james > writers

/> echo dreambox >> writers

/> echo >> writers        ( We have to add new line after adding last user )

/> echo anoncvs > readers

/> echo >> readers       ( We have to add new line after adding last user )

/> cvs -d /var/home/cvs/repository add readers writers

cvs server: scheduling file `readers' for addition

cvs server: scheduling file `writers' for addition

cvs server: use 'cvs commit' to add these files permanently

/> cvs -d /var/home/cvs/repository ci -m "Updated administration files"

cvs commit: Examining .

Checking in config;

/var/home/cvs/repo/CVSROOT/config,v  <--  config

new revision: 1.2; previous revision: 1.1

done

RCS file: /var/home/cvs/repo/CVSROOT/readers,v

done

Checking in readers;

/var/home/cvs/repo/CVSROOT/readers,v  <--  readers

initial revision: 1.1

done

RCS file: /var/home/cvs/repo/CVSROOT/writers,v

done

Checking in writers;

/var/home/cvs/repo/CVSROOT/writers,v  <--  writers

initial revision: 1.1

done

cvs commit: Rebuilding administrative file database

```

Now, we setup xinetd :

Edit as root file /etc/xinetd.d/cvspserver. Mine looks like this :

```

service cvspserver

{

        disable            = no

        socket_type        = stream

        wait               = no

        user               = root

        log_type           = FILE /var/log/cvspserver

        protocol           = tcp

        env                = '$HOME=/var/home/cvs'

        log_on_failure     += USERID

        port               = 2401

        server             = /usr/bin/cvs

        server_args        = -f --allow-root=/var/home/cvs/repository pserver

}

```

Save modification to file end execute the following to start xinetd at boot time ( If it is not set yet ):  

```

# rc-update add xinetd boot

```

Congratulations if u arrived here  :Very Happy:  , now it should work fine after a reboot or ( /etc/init.d/xinetd start  for those who are in a hurry to test ) :

Your can start testing security by trying to import a directory as anoncvs  for example ( cvs will not allow u ) :

```

/> mkdir project

/> cd project

/> touch dreambox

/> cvs -d :pserver:anoncvs@localhost/var/home/cvs/repository login  ( Press return when asked a password )

/> cvs -d :pserver:anoncvs@localhost/var/home/cvs/repository import -m "Trying to import" myproject vendor start

```

You should see something like this on ur screen :

```

cvs server: cannot open /var/home/cvs/repository/CVSROOT/readers: Permission denied

cvs [server aborted]: "import" requires write access to the repository

```

OK, know, I'd like to discuss another security issue which is giving me headaches :

The files CVSROOT/*info can be used to execute programs such as sendmail to notify some users of an update, commit,... The thing is that one malicious guy ( such as james or dreambox ) who has write access to repository can checkout CVSROOT and add entries in that files to execute a malicious program and gain access to private ressources in the system !!!  :Twisted Evil: . So, I decided to re-enforce security by creating another unix group ( admincvs ). All users in that group and only that users have read/write access to CVSROOT ( Of course these users should be trustable in their intentions  :Rolling Eyes:   ). Users in the group admincvs should only read and update CVSROOT module. Allowing them to import other modules that are intented to be shared would forbid other users ( running as usercvs ) to update those modules...

OK, here it is:

We create admincvs group and admincvs user :

```

# groupadd admincvs

# useradd -d /var/home/cvs -g cvs -s /bin/false admincvs

# usermod -L admincvs        ( Lock user password )

```

We change the group owner of CVSROOT directory and disable 

read/write/exec access to that directory to other users

```

# cd /var/home/cvs/cvsrepository

# chgrp -R admincvs CVSROOT

# chmod o-rwx CVSROOT

```

add the following entry to CVSROOT/passwd ( using bin/cryptout perl program to crypt password ):

```

admincvs:<crypted_passwd>:admincvs

```

Lets test it. Try to checkout CVSROOT as a normal user who has read/write access to repository but not to CVSROOT :

```

/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository login  ( Enter password when asked )

/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository co CVSROOT

```

You should get the following message:

```

Cannot access /var/home/cvs/repo/CVSROOT

Permission denied

```

Now try with admincvs:

```

/> cvs -d :pserver:admincvs@localhost/var/home/cvs/repository login  ( Enter password when asked )

/> cvs -d :pserver:admincvs@localhost/var/home/cvs/repository co CVSROOT

```

You should get this:

```

cvs server: Updating CVSROOT

U CVSROOT/checkoutlist

U CVSROOT/commitinfo

U CVSROOT/config

U CVSROOT/cvswrappers

U CVSROOT/editinfo

U CVSROOT/loginfo

U CVSROOT/modules

U CVSROOT/notify

U CVSROOT/rcsinfo

U CVSROOT/readers

U CVSROOT/taginfo

U CVSROOT/verifymsg

U CVSROOT/writers

```

Then, you would ask me: What's ur problem dreambox, everything is working fine  :Laughing: , but then I would ask u to try to import a directory as user who has read/write access to repository ( james o dreambox ) :

```

/> mkdir test

/> cd test

/> touch test.file

/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository login  ( Enter password when asked )

/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository import -m "I want to import" test vendor start

```

You should get the following:

```

Cannot access /var/home/cvs/repo/CVSROOT

Permission denied

```

Now, I would ask what the hell I did wrong ?

```

/> ls -l repository

drwxrwx---    3 cvs      admincvs     1224 May 22 20:21 CVSROOT

```

Something I don't understand : xinetd is running as root. When xinetd receives a login request it creates a cvs process with usercvs uid, right?

Since usercvs user is the owner of CVSROOT, it should normally have access to that directory!

Thanks for reading all this  :Very Happy: , I know, It was long and maybe redundunt  :Embarassed: 

I would appreciate any feedback  :Idea: 

Regards

dreambox

----------

## mog

great post ... thumbs up ...   :Laughing: 

maybe you could add how to run cvs over ssh   :Wink: 

----------

## MrPyro

dreambox said:

 *Quote:*   

> 
> 
> Now, I would ask what the hell I did wrong ? 
> 
> ```
> ...

 

I think the problem is that to import a new module, you need to write to CVSROOT, to add the new module to the modules file. In your setup, therefore, only admincvs can import a new module, but james or dreambox should be able to commit changes.

----------

## mog

I have followed your post pretty much as you said except for the fact that my repsitory is under /data/cvs/mog/ and the CVSROOT directory under /data/cvs/mog/CVSROOT/, however when I try to connect using either

```
cvs -d :pserver:guest@localhost/data/cvs/mog login
```

or

```
cvs -d :pserver:guest@localhost/mog login
```

it fist prompts me for a password (I just press enter cause guest maps to anoncvs) and then it tells me 

```
/path/to/repository/ : no such repository
```

----------

## MrPyro

I don't know if it's just a typo you've written on here, but there should be a colon between localhost and the path in that cvsroot definition

```

cvs -d :pserver:guest@localhost:/data/cvs/mog login

```

----------

## EvilCHELU

mog:

check if you have the following in your /etc/xinetd.d/cvspserver file

```

server_args        = -f --allow-root=/data/cvs/mog pserver

```

mrpyro:

i found that it works without to column too, even tho the command syntax says it should be there

----------

## mog

well I am not entirely sure as to what exactly happened, but I went through the procedure again ... and now ... I can logon ... weird ... but thx anyway 

however, what I did now is that I created a new directory in the repository and tried to check it out while I am logged in ... but I get the following error

setuid failed: Operation not permitted

any idea where that could come from ... ???

----------

## orb9

to dreambox:    :Laughing:  superb post  :Wink: 

to mog:I had some similiar problem. I got:

setgid failed: Operation not permitted

I found the source of trouble in /etc/xinet.d/cvspserver. Mine looked like this (watch user and group. in dreambox initial post user is root. mine was cvs)

```

service cvspserver

{

   disable      = no

   socket_type   = stream

   wait      = no

   user      = cvs

   group      = cvs

   log_type   = FILE /var/log/cvspserver

   protocol   = tcp

   env      = '$HOME=/home/cvs'

   log_on_failure   += USERID

   port      = 2401

   server      = /usr/bin/cvs

   server_args   = -f --allow-root=/home/cvs/repository pserver

}

```

So i changed user and group to root, restarted xinetd and was done   :Laughing: 

But i wanted to know, why this doesn't work with user cvs. Checked all permissions, they are all correct, everything in /home/cvs/ (i used this dir) belongs to cvs/cvs and all flags are set correctly. 

So.. why it doesn't work with user cvs ?

----------

## dreambox

Sorry for being late to reply guys/gals. When I first posted this how-to, I used to check every day feedbacks but for some period nothing   :Embarassed:  , and today by luck I was checking my posts and were very happy u liked it    :Very Happy: . 

These last days I was reinstalling the whole gentoo, I'm gonna try cvs again but also subversion which they say is better... If someone succeed with cvs + ssh let me know please.

----------

## Thiemo

Hi,

thanks for post. I have a question regarding this perl script generating encrypted text.

 *dreambox wrote:*   

> 
> 
> ```
> 
> #!/usr/bin/perl
> ...

 

I have seen this snipped in a book and tried it out. However, feeding it with the very same term, I don't get the same output:

```
cvs@limbo  $ cryptout.pl test

jvvAuD7bpZwY2

cvs@limbo  $ cryptout.pl test

CiJOVUFmt6GEM

cvs@limbo  $ cryptout.pl test

ZBdG38ICoBHYo

cvs@limbo  $ cryptout.pl test

vuplQw/0Rp0dU

cvs@limbo  $ cryptout.pl test

vuplQw/0Rp0dU

cvs@limbo  $ cryptout.pl test

SNOUEr6lAxJJg

cvs@limbo  $ cryptout.pl test

SNOUEr6lAxJJg

cvs@limbo  $ cryptout.pl test

PgV8Kjke7flWE

cvs@limbo  $ cat bin/cryptout.pl

#!/usr/bin/perl

srand (time());

my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";

my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);

my $plaintext = shift;

my $crypttext = crypt ($plaintext, $salt);

print "${crypttext}\n";

```

I cannot imagine, if the output is not reproducable, that it can be used to make passwords. Am I wrong?

Cheers

Thiemo

----------

## dreambox

I got the perl script from internet. This algorithm is the same to generate /etc/passwd, but i still don't know how user password is checked to validate it... If someone could give us some light   :Rolling Eyes: 

----------

## Thiemo

Hm, I checked with the command 

```
passwd <passwordcheckuser>
```

 and the entries in /etc/shadow also vary!  :Shocked: 

I only can immagine that for password checks the encrypted password (as in /etc/shadow) gets "unencrypted" by some means and the different encrypted solutions to one password result always in the original. That seemed to me rather questionable.  :Embarassed: 

Another possibility would be that there is some cool algorith and applying it on the different encrypted "versions" as well as on the original text results always in the very same "check sum".  :Rolling Eyes: 

----------

## ocbMaurice

Hello,

I also have some problems setting up the cvs server. I'm also stuck at the "setgid/stuid error" which is quite strange and more annoying is that cvs doesn't show exactly what it wants to setgid !?? So far I found out that it has to do with the passwd/group file under the chroot jail. I was able to convert a "setgid" error to a "setuid" error ... but I defenately do not want to run cvs as root !

Anyway, I think I can answer you question according to the password. If I'm not wrong, the crypted password contains the salt as clear-text, so when it wants to match a given string, it will be crypted with the same salt and then the end-strings should be the same (hope that's correct). If I'm not wrong the salt consists of two letters.

Maurice

----------

## dreambox

rand(26) = a random integer between 0 and 26

rand(1) = 0 or 1

In my opinion ( Don't flame my ignorance   :Rolling Eyes:   ),  It seems that we can obtain 27 * 2 = 54 possible encryptions of the same passwd. The crypt function probably uses a hash function like MD5. I beleive that we can't find out the text clear password, the algorith compares hash results.

Anyway these are my 2 cents theories, if someone knows what's going behind the scene, let us know...   :Very Happy: 

regards

----------

## ocbMaurice

I think you understood me wrong ! I'm now 99% sure it is the way I meant :

I'll give a simple example :

```
$ perl -e 'print crypt("password", "sa"), "\n"'

sa3tHJ3/KuYvI

$ perl -e 'print crypt("password", "sn"), "\n"'

snf3JLX29OeF6

$ perl -e 'print crypt("password", "xyz"), "\n"'

xyAjYtmfRYx/.
```

So the salt that is used to encrypt the string is included as clear-text in the encrypted string. Therefore we later can do the same encryption. I personally often calculate the salt from the given password and cut the first two chars away from the encrypted string (that works just with my software, not on linux in general!). But not sure if it is more secure. The salt of course can also be randomly created.

Anyway, back to the cvsd setup. I actually managed to get it working quite easily with gentoo 1.4. I will summarize what I did :

```
emerge -u cvsd
```

* note: this will install cvs and cvsd plus a few tools we'll need later. This way we do not need xinetd. It also creates a system user cvsd and a config file under /etc/cvsd/cvsd.conf. I'll do the rest so it fits the default configuration. You simply _should_ be able to adjust the paths properly.

```
$ cvsd-buildroot /var/lib/cvsd/

$ mkdir /var/lib/cvsd/rep

$ cvs -d /var/lib/cvsd/rep init

$ chown cvsd. /var/lib/cvsd -R
```

Now we need to tell the cvsd config what repositories we use (the directories we created and inited, remember that cvs-server will run in a chroot-jail and therefore we need to reference from this root-point).

```
$ echo "Repos /rep" >> /etc/cvsd/cvsd.conf
```

Setting up the users for cvs can be done in two ways. You simply could edit etc/passwd, etc/group and maybe etc/shadow within the chroot-jail to get the users working. I recommend to only use the virtual user file and to disable the system-users for cvs completely. Altough one could say it doesn't make much difference in a chroot-jail where the /etc/passwd file is kept to a mimimum anyway. Anyway, IMHO this approach is much cleaner. To do it that way :

```
$ nano -w /var/lib/cvsd/rep/CVSROOT/config
```

There you should uncomment the second line (thxs to 

dreambox for this info), so it does look like

```
SystemAuth=no
```

To manage the users for your cvs-repository you should use the cvsd-passwd utility (which hopefully has been installed by cvsd too) :

```
$ cvsd-passwd /var/lib/cvsd/rep/ +maurice +anoncvs +cvs
```

At this stage it seems that every user you created so far has read/write access. To setup the proper security model, we will create/edit the readers and writers file within the CVSROOT of our repository.

```
$ echo "cvs" >> /var/lib/cvsd/rep/CVSROOT/readers

$ echo "anoncvs" >> /var/lib/cvsd/rep/CVSROOT/readers

$ echo "maurice" >> /var/lib/cvsd/rep/CVSROOT/writers
```

You should of course change the username maurice to your own  :Smile:  Also feel free to add more users, it should be clear how to do this (add passwd and add to readers or writers). You should know, that it is a bad idea to have a username in writers and in readers. Seems you'll then just get read permission !

To test your newly configured server I recommend to start cvsd in debug mode once, to do so enter

```
$ cvsd -d
```

On a different console/pc you then can try to login :

```
$ cvs -d :pserver:maurice@localhost:/rep login

Logging in to :pserver:maurice@localhost:2401/rep

CVS password: **********

cvs login: warning: skipping invalid entry in password file at line 1
```

The only last "problem" is the last warning which really seems just a warning as the rest seems to work as it should. Now you simply need to install the cvsd rc-script (use rc-update) to get your cvs server started at boot time. Hope you also got that far and if yes, or no, let us know ! I'll now have a look at ssh logins ...

MauriceLast edited by ocbMaurice on Mon Jan 12, 2004 5:55 pm; edited 1 time in total

----------

## dreambox

 *ocbMaurice wrote:*   

> Hello,
> 
> I also have some problems setting up the cvs server. I'm also stuck at the "setgid/stuid error" which is quite strange and more annoying is that cvs doesn't show exactly what it wants to setgid !?? So far I found out that it has to do with the passwd/group file under the chroot jail. I was able to convert a "setgid" error to a "setuid" error ... but I defenately do not want to run cvs as root !
> 
> Maurice

 

Try this

```

service cvspserver

{

        disable            = no

        socket_type    = stream

        wait                = no

        user                = cvs

        group              = cvs

        log_type          = FILE /var/log/cvspserver

        protocol          = tcp

        log_on_failure  += USERID

        port                = 2401

        server             = /usr/bin/cvs

        server_args     = -f --allow-root=/home/cvsroot pserver

}

```

```

chmod 2755 /usr/bin/cvs

```

The chmod gives the application set gid permissions

Hope it helps

----------

## sankeld

Using CVS with SSH is much easier than using it with a pserver.  As long as you have a ssh deamon running[1], a remote user may simply do:

export CVS_RSH='ssh'

export CVSROOT='ext:user@someplace.net:/home/cvsroot'

And that's it!  All the cvs commands should work as expected.

One can free up the coder from typing passwords all the time using ssh-agent and ssh-add with public/private keys[2].  If it works with ssh itself, it will work with cvs.

  A great resource on CVS can be found at 

http://av.stanford.edu/books/cvsbook/

  A great resource in general is

http://www.freeprogrammingresources.com/miscbook.html

[1] Check to see that 'ps aux | grep sshd' shows a process called /usr/sbin/sshd.  If it doesn't, do a `emerge ssh` and a `rc-update add sshd default`.  To start the daemon without a reboot do a `/etc/init.d/sshd start`.

[2] More information on that can be found here:

https://forums.gentoo.org/viewtopic.php?t=115096

----------

## Squinky86

 *dreambox wrote:*   

> 
> 
> ```
> 
> chmod 2755 /usr/bin/cvs
> ...

 

Then wouldn't

```

chmod 4755 /usr/bin/cvs

```

solve the set uid problems?

----------

## discostu

I followed your instructions and was able to login, but I got an error when doing an import

```
$ cvs import -m "My initial project message" testproj mycompany start

cvs import: cannot make path to /var/cvsroot/testproj: Permission denied

cvs import: Importing /var/cvsroot/testproj/testproj

cvs import: ERROR: cannot mkdir /var/cvsroot/testproj/testproj -- not added: No such file or directory

 

No conflicts created by this import

```

Thanks  :Smile: 

----------

## NiklasH

 *sankeld wrote:*   

> Using CVS with SSH is much easier than using it with a pserver.  As long as you have a ssh deamon running[1], a remote user may simply do:
> 
> export CVS_RSH='ssh'
> 
> export CVSROOT='ext:user@someplace.net:/home/cvsroot'
> ...

 

Yes, ssh is a piece of cake to set up (well, almost... )

I was beginning to feel I was missing something, since I didn't have those kinds of trouble setting up our ssh CVS server...

But your post calmed me!   :Laughing: 

----------

## daoist

 *dreambox wrote:*   

> I got the perl script from internet. This algorithm is the same to generate /etc/passwd, but i still don't know how user password is checked to validate it... If someone could give us some light  

 Two things go into the password, the cleartext and the salt. when you make the password in the first place it randomly chooses a salt, and it stores the salt as the first two characters of the password.

To check passwords the system takes the password the user typed, encrypts it using the salt from the encryped password stored on disk, and they should match. If so, that's a success, if not, that's a failure.

Note that at no time during this procedure is the password stored in the file ever decrypted. It's really really hard to decrypt.

----------

## hw-tph

 *ocbMaurice wrote:*   

> 
> 
> ```
> $ cvs -d :pserver:maurice@localhost:/rep login
> 
> ...

 

To resolv this error message simply check out the passwd file and add a blank line after the last entry (so the file ends with a blank line), save the file and commit. Done.  :Smile: 

Håkan

----------

## crafteh

I followed the tutorial but I can not access the cvs from another computer. I'm trying to view a list of projects in eclipse but it says Socket Exception: Connection reset. I started up xinetd... what else do I need to do to get it to work over a network?

----------

