Running CVS as Non-Root User

Discussion:

e***@barclayscapital.com

2011-01-20 20:26:01 UTC

Is there any definitive documentation on running CVS as a non-root user?

Among the questions the answers to which concern us are the following:

* Who owns the repo disk files when running as a non-root user;
* When hooks are invoked by the server when running as a non-root user, as which user are they invoked?
* What authentication methods are available to CVS running as a non-root user?

Thanks for any feedback you can provide in the way of links or info.

Eric

_______________________________________________

This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unless specifically indicated, this e-mail is not an offer to buy or sell or a solicitation to buy or sell any securities, investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Barclays. Any views or opinions presented are solely those of the author and do not necessarily represent those of Barclays. This e-mail is subject to terms available at the following link: www.barcap.com/emaildisclaimer. By messaging with Barclays you consent to the foregoing. Barclays Capital is the investment banking division of Barclays Bank PLC, a company registered in England (number 1026167) with its registered office at 1 Churchill Place, London, E14 5HP. This email may relate to or be sent from other members of the Barclays Group.
_______________________________________________

Arthur Barrett

2011-01-21 20:51:04 UTC

Permalink

Eric,

What version of CVS? What operating system? You've asked what
authentication schemes are possible as non-root, but let me ask you: do
you require a particular authentication (PAM, SystemAuth etc) or
protocol (ssh, pserver etc)?

I know with CVSNT (yes it runs on linux/unix) that you can use a chroot
jail if you are worried about the effects of running the process as
root. The server process quickly drops privileges to the rights of the
client user (or runas user, or alias user) once the authentication is
complete. Since the server drops privileges as soon as authentication
is complete then the ownership of the RCS files is unrelated to the
server process running as root.

If you are happy to run CVS/CVSNT on unix/linux and require SSH access
only then the server doesn't ever run as root (since sshd is running as
root).

This highlights my primary concern about your question - you are perhaps
implying that it is BAD to run cvs server as root - but you are probably
more than happy to run sshd as root - they are both free/open source
software, they are both running on the same server - I think you should
trust CVS/CVSNT to do its job and concentrate on security and access
control, including the use of a chroot jail, ownership and access
control of the RCS repository, ownership and access control within
branches (cvs chacl etc).

I run a one day course on CM Design and CVSNT Administration for
customers ;)

Regards,

Arthur Barrett
Product Manager
CVS Suite and CVSNT
March Hare Software

> -----Original Message-----
> From:
> info-cvs-bounces+arthur.barrett=march-***@nongnu.org
> [mailto:info-cvs-bounces+arthur.barrett=march-***@nongnu.
> org] On Behalf Of ***@barclayscapital.com
> Sent: Friday, 21 January 2011 7:26 AM
> To: info-***@nongnu.org
> Subject: Running CVS as Non-Root User
>
>
> Is there any definitive documentation on running CVS as a
> non-root user?
>
> Among the questions the answers to which concern us are the following:
>
> * Who owns the repo disk files when running as a non-root user;
> * When hooks are invoked by the server when running as a
> non-root user, as which user are they invoked?
> * What authentication methods are available to CVS running
> as a non-root user?
>
> Thanks for any feedback you can provide in the way of links or info.
>
> Eric
>
> _______________________________________________
>
> This e-mail may contain information that is confidential,
> privileged or otherwise protected from disclosure. If you are
> not an intended recipient of this e-mail, do not duplicate or
> redistribute it by any means. Please delete it and any
> attachments and notify the sender that you have received it
> in error. Unless specifically indicated, this e-mail is not
> an offer to buy or sell or a solicitation to buy or sell any
> securities, investment products or other financial product or
> service, an official confirmation of any transaction, or an
> official statement of Barclays. Any views or opinions
> presented are solely those of the author and do not
> necessarily represent those of Barclays. This e-mail is
> subject to terms available at the following link:
> www.barcap.com/emaildisclaimer. By messaging with Barclays
> you consent to the foregoing. Barclays Capital is the
> investment banking division of Barclays Bank PLC, a company
> registered in England (number 1026167) with its registered
> office at 1 Churchill Place, London, E14 5HP. This email may
> relate to or be sent from other members of the Barclays Group.
> _______________________________________________
>
>

e***@barclayscapital.com

2011-01-24 15:45:15 UTC

Permalink

Arthur,

I believe we'll be running with the latest cvs (1.11.23) on RHEL 5.5 (or so) (Kernel ~2.6.18)

We would like to authenticate via pserver and against the underlying system authentication system or maybe an AD service.

Running as root is fine with me. Negotiating the beaurocracy here to get someone else involved -- especially with something that includes root acces...hooo! (PITA) I believe that we may be able to convince our Sas to set up up to run from (x)inetd, but probably not as root. :(

Essentially, our organization has retired all CVS services, but we're so heavily invested, both in terms of systems that rely on it as well as for all of our code validations and deployments based on CVS hook files, that we need to take over running it on our own. The move to SVN is just too much of an investment at this point as we're far too tighly coupled to CVS.

Eric

> -----Original Message-----
> From: Arthur Barrett [mailto:***@march-hare.com]
> Sent: Friday, January 21, 2011 3:51 PM
> To: Berg, Eric: IT (NYK); info-***@nongnu.org
> Subject: RE: Running CVS as Non-Root User
>
> Eric,
>
> What version of CVS? What operating system? You've asked what
> authentication schemes are possible as non-root, but let me
> ask you: do
> you require a particular authentication (PAM, SystemAuth etc) or
> protocol (ssh, pserver etc)?
>
> I know with CVSNT (yes it runs on linux/unix) that you can
> use a chroot
> jail if you are worried about the effects of running the process as
> root. The server process quickly drops privileges to the
> rights of the
> client user (or runas user, or alias user) once the authentication is
> complete. Since the server drops privileges as soon as authentication
> is complete then the ownership of the RCS files is unrelated to the
> server process running as root.
>
> If you are happy to run CVS/CVSNT on unix/linux and require SSH access
> only then the server doesn't ever run as root (since sshd is
> running as root).
>
> This highlights my primary concern about your question - you
> are perhaps
> implying that it is BAD to run cvs server as root - but you
> are probably
> more than happy to run sshd as root - they are both free/open source
> software, they are both running on the same server - I think
> you should
> trust CVS/CVSNT to do its job and concentrate on security and access
> control, including the use of a chroot jail, ownership and access
> control of the RCS repository, ownership and access control within
> branches (cvs chacl etc).
>
> I run a one day course on CM Design and CVSNT Administration for
> customers ;)
>
> Regards,
>
>
>
> Arthur Barrett
> Product Manager
> CVS Suite and CVSNT
> March Hare Software
>
>
> > -----Original Message-----
> > From:
> > info-cvs-bounces+arthur.barrett=march-***@nongnu.org
> > [mailto:info-cvs-bounces+arthur.barrett=march-***@nongnu.
> > org] On Behalf Of ***@barclayscapital.com
> > Sent: Friday, 21 January 2011 7:26 AM
> > To: info-***@nongnu.org
> > Subject: Running CVS as Non-Root User
> >
> >
> > Is there any definitive documentation on running CVS as a
> > non-root user?
> >
> > Among the questions the answers to which concern us are the
> following:
> >
> > * Who owns the repo disk files when running as a non-root user;
> > * When hooks are invoked by the server when running as a
> > non-root user, as which user are they invoked?
> > * What authentication methods are available to CVS running
> > as a non-root user?
> >
> > Thanks for any feedback you can provide in the way of links or info.
> >
> > Eric
> >
> > _______________________________________________
> >
> > This e-mail may contain information that is confidential,
> > privileged or otherwise protected from disclosure. If you are
> > not an intended recipient of this e-mail, do not duplicate or
> > redistribute it by any means. Please delete it and any
> > attachments and notify the sender that you have received it
> > in error. Unless specifically indicated, this e-mail is not
> > an offer to buy or sell or a solicitation to buy or sell any
> > securities, investment products or other financial product or
> > service, an official confirmation of any transaction, or an
> > official statement of Barclays. Any views or opinions
> > presented are solely those of the author and do not
> > necessarily represent those of Barclays. This e-mail is
> > subject to terms available at the following link:
> > www.barcap.com/emaildisclaimer. By messaging with Barclays
> > you consent to the foregoing. Barclays Capital is the
> > investment banking division of Barclays Bank PLC, a company
> > registered in England (number 1026167) with its registered
> > office at 1 Churchill Place, London, E14 5HP. This email may
> > relate to or be sent from other members of the Barclays Group.
> > _______________________________________________
> >
> >
>

Larry Jones

2011-01-24 16:34:15 UTC

Permalink

***@barclayscapital.com writes:
>
> Is there any definitive documentation on running CVS as a non-root user?

CVS should never be run as root. The only exception is pserver, which
only runs as root long enough to authenticate the user; once the user
has been authenticated, it switches user and runs as the user instead.
The usual advice is to avoid pserver if at all possible; it's much
better to use ssh for remote access (CVS was never designed to run as
root and thus has a number of security concerns; ssh was).

> Among the questions the answers to which concern us are the following:
>
> * Who owns the repo disk files when running as a non-root user;

The last user to modify the file owns it, regardless.

> * When hooks are invoked by the server when running as a non-root
> user, as which user are they invoked?

Again, CVS only runs as root long enough to authenticate, so hooks are
always run as the actual user.

> * What authentication methods are available to CVS running as a
> non-root user?

CVS shouldn't be used for authentication unless you have no alternative
(or are very trusting of your users).
--
Larry Jones

OK, there IS a middle ground, but it's for sissy weasels. -- Calvin

e***@barclayscapital.com

2011-01-24 17:02:51 UTC

Permalink

> -----Original Message-----
> From: Larry Jones [mailto:***@siemens.com]
> Sent: Monday, January 24, 2011 11:34 AM
> To: Berg, Eric: IT (NYK)
> Cc: info-***@nongnu.org
> Subject: Re: Running CVS as Non-Root User
>
> ***@barclayscapital.com writes:
> >
> > Is there any definitive documentation on running CVS as a non-root user?
>
> CVS should never be run as root. The only exception is pserver, which
> only runs as root long enough to authenticate the user; once the user
> has been authenticated, it switches user and runs as the user
> instead.
> The usual advice is to avoid pserver if at all possible; it's much
> better to use ssh for remote access (CVS was never designed to run as
> root and thus has a number of security concerns; ssh was).

Right...I was more thinking of starting it in a root-oriented way, not necessarily running it as root. By that I mean that I've not found any way for me as a non-root user to actually run a CVS server without some kind of root intervention to update the inetd/xinetd config. I was hoping that I could at least test with something like 'cvs -d' to daemonize it, but I haven't found any way to do that at this point.

Hey...in looking around a bit, it appears that you don't actually have to set up a cvs "server" if you use SSH. Is that correct?

>
> > Among the questions the answers to which concern us are the
> following:
> >
> > * Who owns the repo disk files when running as a non-root user;
>
> The last user to modify the file owns it, regardless.

Great. Got it.

> > * When hooks are invoked by the server when running as a non-root
> > user, as which user are they invoked?
>
> Again, CVS only runs as root long enough to authenticate, so hooks are
> always run as the actual user.
>
> > * What authentication methods are available to CVS running as a
> > non-root user?
>
> CVS shouldn't be used for authentication unless you have no
> alternative (or are very trusting of your users).

Looks like SSH is the preferred way to go. Just have to figure out how that will work for those of us developing on windows.

> --
> Larry Jones
>
> OK, there IS a middle ground, but it's for sissy weasels. -- Calvin
>
_______________________________________________

This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unless specifically indicated, this e-mail is not an offer to buy or sell or a solicitation to buy or sell any securities, investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Barclays. Any views or opinions presented are solely those of the author and do not necessarily represent those of Barclays. This e-mail is subject to terms available at the following link: www.barcap.com/emaildisclaimer. By messaging with Barclays you consent to the foregoing. Barclays Capital is the investment banking division of Barclays Bank PLC, a company registered in England (number 1026167) with its registered office at 1 Churchill Place, London, E14 5HP. This email may relate to or be sent from other members of the Barclays Group.
_______________________________________________

Bulgrien, Kevin

2011-01-24 18:52:35 UTC

Permalink

> Right...I was more thinking of starting it in a root-oriented
> way, not necessarily running it as root. By that I mean that
> I've not found any way for me as a non-root user to actually
> run a CVS server without some kind of root intervention to
> update the inetd/xinetd config. I was hoping that I could at
> least test with something like 'cvs -d' to daemonize it, but
> I haven't found any way to do that at this point.
>
> Hey...in looking around a bit, it appears that you don't
> actually have to set up a cvs "server" if you use SSH. Is
> that correct?

Yes.

> Looks like SSH is the preferred way to go. Just have to
> figure out how that will work for those of us developing on windows.

The MinGW MSYS environment + MSYS DTK on Windows provides a cvs client
and ssh support and many GNU tools without the overhead of installing
something like Cygwin (and it is much, much lighter in terms of disk
usage). It is used extensively in my work environment. If you do not
mind running an older MSYS setup, there is actually an installer-based
setup that is very easy to get set up. I'm not talking about MinGW,
but rather the MinGW Minimal SYStem (MSYS). The nice thing about the
installer is that it allows everyone to be set up the same way. It
avoids the complication of having server functions (it is a client
environment only).

When we tried to use cygwin years and years ago, besides some of the
cygwin oddities and general hugeness, you never really had any
assurance that everyone was working in the same environment, so when
something went wrong it was hard to figure out. And then, you also
had to deal with mirroring the cygwin installer stuff because of
restrictions on accessing outside software sources in a tightly
controlled IT environment... It was relatively easy to get the
installer approved, where getting open access to a huge OSS
mirror of stuff including server functionality was a can of
worms begging not to be opened.

This is a shell environment and not some GUI... and it might not
be compatible with someone expecting a "windows-like" environment.
For a command-line guy, though, the environment is amazing and its
not that hard to make scripts that can run both in Windows and from
a *nix shell. For example, I have scripts that can auto-switch
between use of say, msxsl.exe and *nix XSLT processors without the
user ever knowing or caring which OS the script is running under.

Example MSYS setup. Now bear in mind that since this installer was
build in '04, the cvs client is a bit old. If that's a problem, it
is possible to update stuff by simply unpacking tarballs over the
installation. Don't know if I should include the details right off,
but what they hay, why not. Here's what we do:

HOWTO install the MinGW MSYS base environment

Download and execute the MSYS-1.0.11-2004.04.30-1.exe Windows installer

Setup - Do you wish to continue
Yes
Welcome to the "Minimal SYStem" Setup Wizard
Next >
License Agreement
Yes
Information
Next >
Select Destination Directory
C:\msys\1.0
Next >
Select Components
Installation for i386 based CPUs
Next >
Select Start Menu Folder
MinGW
Next >
Ready to Install
Install
Installing
...
Do you wish to continue with the post install? [yn ]
y
<Return>
Do you have MinGW installed? [yn ]
n
<Return>
Press ENTER to continue
<Return>
Press ENTER to continue
<Return>
Press any key to continue . . .
<Return>
Setup has finished installing "Minimal SYStem" on your computer
Welcome to MSYS
Uncheck
README
Uncheck
Finish

HOWTO install the MinGW MSYS Developers Tool Kit

NOTE: Always install MSYS before the DTK.

Download and execute the msysDTK-1.0.1.exe Windows installer

Setup - Do you wish to continue
Yes
Welcome to the "MSYS Developer Tool Kit" Setup Wizard
Next >
License Agreement
Yes
Select Destination Directory
C:\msys\1.0
Next >
Select Components
Installation for i386 based CPUs
Next >
Ready to Install
Install
Installing
...
Information
Next >
Setup has finished installing MSYS Developer Tool Kit on your computer.
Finish

At this point you have a fully functional cvs and ssh client, along with
a nice bash scripting environment. We do a little more environment
tweaking for our own purposes, but, aside from creating a tmp directory
in your user folder and setting up a .profile that does things like:

export CVS_RSH="ssh"
export EDITOR="/usr/bin/vim"

the other tweaking we do doesn't really affect use as a cvs client. The
tmp directory is critical to the cvs client.

---
Kevin R. Bulgrien
Design and Development Engineer

This message and/or attachments may include information subject to GD Corporate Policy 07-105 and is intended to be accessed only by authorized personnel of General Dynamics and approved service providers. Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties. Recipients should refer to the policies or contract to determine proper handling. Unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender and destroy all copies of the original message.

Larry Jones

2011-01-24 17:06:15 UTC

Permalink

***@barclayscapital.com writes:
>
> Hey...in looking around a bit, it appears that you don't actually have
> to set up a cvs "server" if you use SSH. Is that correct?

Exactly!

> Looks like SSH is the preferred way to go. Just have to figure out
> how that will work for those of us developing on windows.

If you're using WinCVS or Eclipse, they both have ssh clients built in.
And ssh is available for Windows, too.
--
Larry Jones

Oh, now don't YOU start on me. -- Calvin

Arthur Barrett

2011-01-24 23:55:13 UTC

Permalink

Larry/Eric,

> If you're using WinCVS or Eclipse, they both have ssh clients
> built in.

CVS Suite Studio, WinCVS and TortoiseCVS all bundle the CVSNT client
which does have Putty ssh client built in, ie:

cvs -d :ssh:host:/repo rls

Eric: *shameless plug* -- longer term you may be interested in our CM
Suite solution (based on CVSNT 3.x) - you can migrate a CVS/CVSNT
repository and gain CVS, SVN, Web and Team System client access - ie: a
single repository and multiple clients. We've had this available for a
couple of years now but we're still looking for a 'key customer' to help
us mature the technology - please drop me a note if you'd like to
discuss this option.

Regards,

Arthur Barrett