Frequently Asked Questions for cvsd
===================================

The latest version of this FAQ can be found at
http://tiefighter.et.tudelft.nl/~arthur/cvsd/faq.html

In no particular order:

1. How secure is cvsd?
2. How does one use cvs over ssh?
3. cvs checkout . fails
4. setgid failed: Operation not permitted
5. setgroups: Operation not permitted
7. Is cvs required for running cvsd?
8. What should I put in the chroot directory?
9. How can I run commands from loginfo/commitinfo/...?
10. How do I add extra debugging?
11. What about running cvs pserver as root?
12. How do I file a bug report?
13. Should I start the cvsd program as the cvsd user?
14. How about logging?
15. Why are tcp wrappers not working?
16. Why can't I combine some Listen options?
17. How do I enable syslog inside the chroot jail?

1. How secure is cvsd?

The only security cvsd adds to a cvs pserver is that possible
exploits and misconfigurations in the server will most likely not
result in the compromise of the machine (don't forget the disclaimer
though). cvsd does not fix the inherent weaknesses of the pserver
protocol, such as cleartext passwords; use cvs over ssh for that.

2. How does one use cvs over ssh?

This does not really have anything to do with cvsd, but here goes:

% cvs -d remotehost:repositorypath <whatever cvscommand>

You need an ssh account on remotehost and access to repositorypath.
This setup is particularly useful for secure authenticated
development access, while cvsd is more useful for public read-only
access.

3. 'cvs -d ... checkout .' fails with something like "Assertion
`*short_repos++ == '/'' failed." but other checkouts work fine,

Older versions of cvs (at least 1.10.7; 1.11.1p1 is fixed) have a
bug that is triggered when the repository is a direct descendant of
the root directory. You should probably upgrade cvs on the server
side.

4. cvs login works but cvs checkout or other commands fail with
"setgid failed: Operation not permitted"

This can happen when you run cvsd as non-root (which is
recommended) and did not set up your repository passwd file
(CVSROOT/passwd) correctly. The repository passwd file should map
cvs users to the user you specified in cvsd.conf. If no mapping is
present, cvs tries to become the "original" user and fails because
it is not running as root. Your repository passwd file should look
like:

anonymous:XGPg1ub8xh70U:cvsd

5. cvs login works but cvs checkout or other commands fail with
"setgroups: Operation not permitted"

Also see the previous question.

Setgroups is called to change the supplemental groups the user is
in. This can happen when /etc/groups exists inside the chroot jail
and the cvsd user is a member of some groups.

6. cvs login works but cvs checkout or other commands fail with

The cvs pserver maps users found in the repository passwd file
(CVSROOT/passwd) to users in the system passwd file. Since cvs is
running in a chroot environment, the system passwd file is located
in /var/lib/cvsd/etc/passwd (depending on what you set RootJail
to). If you set up user mappings correctly there should be a cvsd
user in that passwd file.

cvsd-buildroot checks the chroot jail's /etc/passwd file and adds
users from the system /etc/passwd if needed (and generates warnings
for missing users).

If you need ldap or similar methods to provide user id information
you need to set up the proper ldap configuration inside the chroot
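The mapping checks behind questions 4 and 6, as an added shell example that is not part of cvsd or cvsd-buildroot. The file locations, the cvsd user name and the sample entries in the comments are assumptions for a typical setup.

```shell
#!/bin/sh
# Added example, not part of cvsd or cvsd-buildroot.  Checks a repository's
# CVSROOT/passwd against the passwd file inside the chroot jail and against
# the user cvsd runs as (the Uid setting in cvsd.conf), and reports the
# entries that let "cvs login" succeed but make "cvs checkout" fail with
# "setgid failed" or an unknown system user.
#
#   check_cvs_passwd /myrepos/CVSROOT/passwd /var/lib/cvsd/etc/passwd cvsd
#
# Prints one line per problem; returns 0 only when every entry maps cleanly.
check_cvs_passwd() {
    cvspw=$1 jailpw=$2 runas=$3
    problems=0
    # Entries look like  cvsuser:crypted:sysuser  (the third field is optional).
    # The "|| [ -n ... ]" keeps a last line that has no trailing newline.
    while IFS=: read -r cvsuser crypted sysuser || [ -n "$cvsuser" ]; do
        case $cvsuser in ''|'#'*) continue ;; esac      # blank lines, comments
        # With no third field cvs falls back to a system user of the same name.
        [ -n "$sysuser" ] || sysuser=$cvsuser
        if ! cut -d: -f1 "$jailpw" | grep -qxF -- "$sysuser"; then
            echo "$cvsuser: maps to $sysuser, which is not in $jailpw"
        elif [ "$runas" != root ] && [ "$sysuser" != "$runas" ]; then
            # Changing to another user needs root; see question 11.
            echo "$cvsuser: maps to $sysuser, but cvsd runs as $runas (setgid needs root)"
        else
            continue
        fi
        problems=$((problems + 1))
    done < "$cvspw"
    [ "$problems" -eq 0 ]
}
```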
7. Is cvs required for running cvsd?

Yes. cvsd is just a wrapper for running cvs in pserver mode. It
runs cvs in a chroot jail and possibly sets resource limits. The
complete protocol handling is done by cvs, although there are some
plans to do some protocol checking in cvsd.

8. What should I put in the chroot directory?

cvsd-buildroot can be used to create a chroot environment on most
systems. There are, however, a few things that might also be
needed.

cvsd-buildroot uses ldd to find the libraries that are required,
but it does not always find all the needed libraries (for example
libnsl.so and libnss_compat.so on most Linux systems, ld-elf.so on
FreeBSD). If your system requires more libraries you can probably
find out with strace (see the usage of strace below).

You can also put things in the /var/lib/cvsd/bin directory and
rerun cvsd-buildroot to fetch the appropriate libraries. Note that
if you want shell scripts there you should also copy /bin/sh to

9. How can I run commands from CVSROOT/{loginfo,commitinfo,...}?

If you want to run commands from files in your CVSROOT directory
(e.g. mail a notice on commit) you need to have a shell inside the
chroot jail. You can just do:

# cp -p /bin/sh /var/lib/cvsd/bin/sh
# cvsd-buildroot /var/lib/cvsd

and you should be good to go. Instead of /bin/sh you could
alternatively copy some other Bourne shell to /var/lib/cvsd/bin/sh

Note that this may be a security problem, since an attacker that
exploits your cvs pserver now may have access to a shell on your
system (inside a chroot jail and not as root, but a shell none the

10. Something is not working, how do I add extra debugging?

You can start cvsd with the -d option to print extra debugging
information to stderr. See the manual page for details.

Some more information can be produced by using the -t option to
cvs on the client side, e.g.:

% cvs -t -d :pserver:anonymous@localhost:/myrepos login

To check if the network connection can be made you could use
telnet to connect to the pserver, e.g.:

% telnet localhost 2401

If this produces "Connection refused" or something similar, cvsd is
not listening on the specified port. Check the logfiles for the

Rerunning cvsd-buildroot may also fix or bring to light some
configuration problems.

A "last resort tool" is strace (or truss or ptrace, depending on
your OS). strace logs all system calls (opening files, changing
uid, etc.) and can provide useful information, especially if you
suspect that some files are missing from the chroot environment.

% strace -f -o /tmp/logfile cvsd -d

Then try to use cvs and see what errors are reported. On some
occasions you may need to add -F to strace since cvs may use

You can also build a debug-enabled cvsd binary by specifying
'--enable-debug' with ./configure. This currently adds some
debugging information to the pserver session.
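One way to pull the missing-file information out of the strace log produced in the step above, as an added example that is not part of cvsd. The log path and the example paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of cvsd.  After tracing the server with
#   strace -f -o /tmp/logfile cvsd -d
# and reproducing the failing cvs command, this lists every path the traced
# processes tried to open, stat, access or execute that did not exist.  The
# paths are as the process saw them, so after the chroot() call they are
# relative to the jail (/etc/passwd means /var/lib/cvsd/etc/passwd).
#
#   missing_files /tmp/logfile
missing_files() {
    # With -f -o each line starts with a pid (or "[pid N]"), e.g.
    #   1235  open("/etc/passwd", O_RDONLY)  = -1 ENOENT (No such file or directory)
    #   1235  openat(AT_FDCWD, "/lib/libnsl.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (...)
    # The first quoted string on such a line is the path that was looked up.
    pat='^(\[pid +[0-9]+\] +|[0-9]+ +)?(open|openat|stat|lstat|access|execve)\('
    grep -E "$pat.*\) += -1 ENOENT" "$1" \
        | sed -E 's/^[^"]*"([^"]*)".*/\1/' \
        | LC_ALL=C sort -u
}
```

Each reported path is one candidate for copying into the jail (or for adding to the jail's passwd/group files) before rerunning cvsd-buildroot.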
11. What about running cvs pserver as root?

You may need to run cvs pserver as root when you need user mappings
to users other than cvsd (for example if you need to have access to
the repository under different system users). You can instruct cvsd
to run as root by setting 'Uid root' and 'Gid root' in
/etc/cvsd/cvsd.conf (or wherever it is located).

You should set up the CVSROOT/passwd files in your repositories to
map to the needed system users. cvsd-buildroot can be used to check
if all the required system users are known in the chroot

12. How do I file a bug report?

If you find any bugs or missing features please send email to
arthur@tiefighter.et.tudelft.nl. If you are using the Debian
package from the Debian servers (not the one on my personal page)
you can use the Debian bug tracking system.

Please include as much information as possible (platform, output of
configure if compilation fails, output of the failure, syslog
messages, etc.). You may also include your cvsd.conf configuration
and any information on your setup (passwd files, output from
syslog, etc.) if needed. For providing more useful information also
see the question on debugging above.

If you send passwd files, do yourself a favor and replace the
crypted data with something like '**CRYPT**'.

13. Should I start the cvsd program as the cvsd user?

No. If the pserver is set up to be run in a chroot jail, the cvsd
program needs to be started as root. After the chroot() call cvsd
changes uid to the one specified in the configuration file

14. How about logging?

Logging is configurable from the cvsd.conf configfile. See the
cvsd.conf manual page for details.

Logging can be done to syslog through the daemon facility or to a
specified file. The loglevels used are debug (debugging
information), info (starting, stopping, connections, etc.), error
(wrong configfile, execute failures, socket failures, etc.) and
critical (malloc() failures).

If you can't find the log messages you may need to add

daemon.*<tab>-/var/log/daemon.log

to your /etc/syslog.conf file and/or specify a different loglevel

Also, cvsd can be started with the -d option to print debugging
information to stderr.

15. Why are tcp wrappers not working?

You currently have to enable tcp wrappers at configure time using
the --with-libwrap option. You can optionally specify the prefix
for where the tcp wrapper libraries

Some versions of tcp wrappers have problems with hosts that support
IPv6 connections. Try to get a patched version of tcp wrappers or
replace the 'Listen * 2401' statement in cvsd.conf with
'Listen 0.0.0.0 2401'.

Don't forget that hosts.allow and hosts.deny need to be located
inside the chroot jail to be effective.

16. Why can't I combine some Listen options?

Some operating systems do not fully support listening for
connections on the same port with different protocols. E.g.
specifying 'Listen 127.0.0.1 2401' together with 'Listen :: 2401'
does not work on Linux (at least 2.4.20).

You have to play around a bit to get the right combination of
Listen options to get a working solution.

17. How do I enable syslog inside the chroot jail?

If you want to have logging in programs from within your chroot
jail you have to tell syslogd to listen in the chroot jail also.
With most versions of syslogd you can add '-a /var/lib/cvsd/dev/log'
to your syslogd invocation (of course replace /var/lib/cvsd with
the location of your chroot jail).

On Debian systems you should edit /etc/init.d/sysklogd and modify
the 'SYSLOGD=""' line to read:

SYSLOGD="-a /var/lib/cvsd/dev/log"

You may have to check the manual page for syslogd on your system

If you have any questions or remarks about cvsd please mail me at
arthur@tiefighter.et.tudelft.nl.