info-cvs

Re: trouble setting up Chroot'd CVS Server: "no such user"


From: Mark
Subject: Re: trouble setting up Chroot'd CVS Server: "no such user"
Date: Fri, 15 Jun 2001 20:05:20 -0700 (PDT)

I tried that chroot setup and encountered the same problems. I am
not sure what the chroot jail would/could buy you but grief, if you
do not want to run cvs as root.

Here's what I set up for a non-root pserver.

One account, cvspserv, in one group, cvsadm. That account has no
password and no login shell. I don't know if this setup helps with
anything, but a password and login are not needed for the server
account.

No users should belong to the cvsadm group. This is the group that
owns the CVS repository. (I also have a CM cvsadm account in the
cvsadm group; all CM dirs, builds, files, etc. outside the
repository are chmod go-w and owned by the cvsadm account.)

/etc/services is set up as normal, but the /etc/inetd.conf file
has this line instead of the normal one (of course you could use
the normal line from the manual, replacing the root account with
cvspserv):

cvspserver stream tcp nowait cvspserv /home/cvsadm/bin/run-cvs run-cvs

run-cvs is a C program that calls cvs pserver after reading in a
config file for --allow-root options. This allows me to
create/move/delete repositories dynamically without having to
change inetd.conf.

The CVS repositories are located at some place like /cvs/roots/.
There is one password file owned by the cvsadm account, and all the
CVSROOT/passwd files are symlinked to it. Access to each project
repository is managed by the CVSROOT/writers file.

Since only 2 accounts are in the cvsadm group, all access to the
repositories must be through pserver, even for users on the local
machine (except, of course, the cvsadm account).

If you are looking for NORAD level security, search the posts for
the last few months. It's a well discussed topic.

hope something here helps.

Mark

--- Rob Eso <address@hidden> wrote:
> Hey everyone
> 
> I have been trying to set up a chroot CVS server for a while now, but
> keep running into the same problem.  I have created a user cvs to run
> the server under, and have chroot'd the server to /home/cvs/jail/
> 
> I have followed the instructions in a few howtos on setting up a chroot
> CVS server, but always run into this problem:
> 
> I am able to login and authenticate with the pserver alright, but when
> I try to import a new project into the repository I get:
> 
> address@hidden myproj]$ cvs -d $CVSROOT import myproj v1 r1
> Fatal error, aborting.
> cvs: no such user
> cvs import: authorization failed: server vader rejected access to /cvsroot
> for user rob
> 
> The repository is set up in /home/cvs/jail/cvsroot
> 
> the CVSROOT/passwd file contains:
> 
> rob::cvs
> billy::cvs
> susy::cvs
> 
> the CVSROOT/readers file contains:
> 
> susy
> 
> the CVSROOT/writers file contains:
> 
> rob
> billy
> 
> (Just using sample names)
> 
> But each time I get the no such user error.
> 
> I have gone searching through the cvs-info mailing list archive, and
> found no other mention of this problem.  I am curious though, is a
> chroot jail necessary?  In one thread about the chroot patch for 1.10,
> someone posted that it was easy for a malicious user to execute a
> script and escape from the chroot jail, which makes me wonder what is
> the point then of a chroot jail?
> 
> Oh yes, I am running Red Hat 7.1 with CVS 1.11 ( cvs-1.10.8-8.i386.rpm )
> 
> Thanks
> 
>  -------------------------
> < Rob                     >
> < address@hidden >
>  -------------------------
>         \   ^__^
>          \  (**)\_______
>             (__)\       )\/\
>              U  ||----w |
>                 ||     ||
> 


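Mark describes his run-cvs wrapper but does not post it. The program below is an added example written in that spirit; it is not Mark's code and not part of the CVS project. It reads a list of repository roots from a config file (the path /home/cvsadm/etc/roots and the cvs binary at /usr/bin/cvs are assumptions), turns each line into a --allow-root= argument, and execs cvs pserver on the socket inetd has already placed on fd 0/1. Every root is sanity-checked and the wrapper fails closed on a bad or empty config, so a typo in the list cannot quietly widen what pserver will serve. The sample config in the comments is constructed.

```c
/* run-cvs style wrapper (added example, not Mark's program).
 * inetd starts this as the unprivileged cvspserv user with the client's
 * socket on fd 0/1; we exec "cvs --allow-root=R1 ... --allow-root=Rn pserver"
 * with the roots read from a config file, so adding or removing a
 * repository never means editing inetd.conf.
 *
 * Constructed sample /home/cvsadm/etc/roots:
 *   # one repository root per line
 *   /cvs/roots/projA
 *   /cvs/roots/projB   # trailing comments are fine
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CVS_BIN      "/usr/bin/cvs"            /* assumed location of cvs  */
#define ROOTS_CONF   "/home/cvsadm/etc/roots"  /* assumed config file path */
#define MAX_ROOTS    64
#define MAX_PATH_LEN 256

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* A root must be an absolute path with no whitespace, no control
 * characters and no "..": the config is owned by cvsadm, but a typo
 * should fail closed rather than become --allow-root=/ or similar. */
int root_is_sane(const char *p)
{
    size_t n = strlen(p);
    if (n < 2 || n >= MAX_PATH_LEN || p[0] != '/') return 0;
    if (strstr(p, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c <= ' ' || c == 0x7f) return 0;
    }
    return 1;
}

/* Parse config text (one root per line, '#' starts a comment, blank
 * lines ignored) into argv for cvs. Returns argc, or -1 when any line
 * is rejected or no roots are configured (refuse every connection
 * rather than serve a root we did not mean to). argv must have room
 * for MAX_ROOTS + 3 pointers; entries are malloc'd. */
int build_cvs_argv(const char *config, char **argv)
{
    int argc = 0, nroots = 0;
    const char *line = config;

    argv[argc++] = xstrdup("cvs");
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[MAX_PATH_LEN];
        if (len >= sizeof buf) return -1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = eol ? eol + 1 : line + len;

        char *hash = strchr(buf, '#');          /* drop comment          */
        if (hash) *hash = '\0';
        size_t b = strlen(buf);                 /* strip trailing blanks */
        while (b > 0 && (buf[b - 1] == ' ' || buf[b - 1] == '\t' || buf[b - 1] == '\r'))
            buf[--b] = '\0';
        char *s = buf;                          /* strip leading blanks  */
        while (*s == ' ' || *s == '\t') s++;
        if (*s == '\0') continue;

        if (!root_is_sane(s) || nroots >= MAX_ROOTS) return -1;
        char *arg = malloc(strlen("--allow-root=") + strlen(s) + 1);
        if (!arg) return -1;
        strcpy(arg, "--allow-root=");
        strcat(arg, s);
        argv[argc++] = arg;
        nroots++;
    }
    if (nroots == 0) return -1;
    argv[argc++] = xstrdup("pserver");
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    static char config[MAX_ROOTS * MAX_PATH_LEN];
    char *argv[MAX_ROOTS + 3];
    FILE *f = fopen(ROOTS_CONF, "r");
    if (!f) { perror(ROOTS_CONF); return 1; }
    size_t n = fread(config, 1, sizeof config - 1, f);
    fclose(f);
    config[n] = '\0';

    if (build_cvs_argv(config, argv) < 0) {
        fprintf(stderr, "run-cvs: refusing to start, bad or empty %s\n", ROOTS_CONF);
        return 1;
    }
    /* Hand cvs a minimal environment so pserver inherits nothing from
     * inetd's environment except a sane PATH; fd 0/1 (the client socket)
     * survive execve unchanged. */
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(CVS_BIN, argv, envp);
    perror(CVS_BIN);
    return 1;
}
```

The wrapper does not drop privileges itself because inetd has already started it as cvspserv, exactly as in Mark's inetd.conf line; what it adds over a hard-coded inetd entry is that the set of served roots lives in a file cvsadm owns, and a malformed entry stops the server rather than being passed through to cvs.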


