This area is an archive and is no longer actively maintained. Information found on this page is likely to be extremely out of date and therefore highly inaccurate.

CVS Security

There are several ways to make a CVS connection across a network while providing a high level of resistance to security attacks:

  • CVS can make its connection across any program which behaves like the rsh (remote shell) program. For example, one can use the rsh replacements supplied with Kerberos or SSH. For details, look up :ext: in the index of the Cederqvist manual.
  • CVS can use SSH's port forwarding feature. To do this, connect using CVS's pserver protocol: pserver needs only a single network connection, whereas the traditional (port 514) version of rsh opens multiple connections, which SSH's port forwarding cannot carry.
  • The CVS 1.10 source distribution contains a kerberized version of CVS for use with Kerberos version 4 or the GSS-API interface used by Kerberos version 5.
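The pserver-over-SSH setup from the second bullet, as an added example script that is not part of the original page; the SSH user, server name, repository path and port numbers are assumed values to adjust for your site:

```sh
#!/bin/sh
# Added example (not from the original page): carry CVS's pserver protocol inside
# an SSH session using local port forwarding.
# Assumed values: SSH user "alice", server "cvs.example.org", repository
# "/var/cvsroot", pserver listening on 2401 on the server, local tunnel port 2401.

SSH_USER=${SSH_USER:-alice}
CVS_HOST=${CVS_HOST:-cvs.example.org}
CVS_REPO=${CVS_REPO:-/var/cvsroot}
LOCAL_PORT=${LOCAL_PORT:-2401}
REMOTE_PORT=${REMOTE_PORT:-2401}

# CVSROOT needs an absolute repository path ("/path"); a relative path would
# silently produce a malformed root, so reject it up front.
valid_repo_path() {
  case "$1" in
    /*) return 0 ;;
    *)  return 1 ;;
  esac
}

# Build the CVSROOT that points CVS at the local end of the tunnel. CVS accepts an
# explicit port in the :pserver: form as :pserver:user@host:port/path.
tunnel_cvsroot() {
  printf ':pserver:%s@localhost:%s%s' "$1" "$2" "$3"
}

start_tunnel_and_login() {
  valid_repo_path "$CVS_REPO" || { echo "repository path must be absolute" >&2; return 1; }
  # Forward LOCAL_PORT on this machine to the pserver port on the server's own
  # loopback, so the single pserver connection never leaves the SSH session.
  # -N: run no remote command; -f: background once forwarding is established.
  ssh -f -N -L "$LOCAL_PORT:127.0.0.1:$REMOTE_PORT" "$SSH_USER@$CVS_HOST" || return 1
  CVSROOT=$(tunnel_cvsroot "$SSH_USER" "$LOCAL_PORT" "$CVS_REPO")
  export CVSROOT
  cvs login   # the pserver password now travels inside the tunnel, not in the clear
}

# Only open a connection when invoked explicitly, so the file can be sourced to
# define the helpers without side effects.
if [ "${1:-}" = "--start" ]; then
  start_tunnel_and_login
fi
```

The tunnel protects only the connections that pass through it; the pserver port on the server should still be bound to loopback or blocked by the firewall, or plain cleartext pserver logins remain possible from the network.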

How to access CVS through a firewall depends on the firewall and on the security policies in place. Typically, you supply an rsh replacement that makes the connection.

There are a large variety of network security schemes and setups out there. If terms like SASL, SOCKS and the like mean anything to you, and you want to know whether anyone is working on supporting them for CVS, see the Information Page on Networking.

For controlling access once users have made it past the network, CVS features like the "cvsadmin" group and the commitinfo administrative file may help (see the Cederqvist for information on those, or the Information Page on Access Control). In particular, take a look at what that page has to say about exactly what kinds of protection each feature provides (or does not provide).

Some aspects of CVS security are discussed in the Cederqvist manual. For more information on getting this manual, see our Cederqvist manual page.

Non-CVS-specific computer security information

  • Kerberos allows networked applications to obtain a high level of resistance to security attacks such as eavesdropping on the network. It is the leading freely redistributable package of this kind.
  • The SSL library is a library to offer similar levels of security (however, it is just a library, not a full package like Kerberos or SSH).
  • If you are responsible for the security of web servers, one useful reference is the book Web Security: A Step-by-Step Reference Guide by Lincoln Stein.
  • If you are looking for an online resource, see the World Wide Web Security FAQ by Lincoln Stein.
  • Most operating system vendors have sites containing security alerts for the packages included in their system: OpenBSD, FreeBSD, NetBSD, Debian, and Red Hat.
  • The CERT Coordination Center writes and publishes security alerts, especially for Unix.

Other information on CVS security

One popular technique is to run the CVS server in a chroot'd environment; whether this is best for you depends on your own security policies and preferences. For details see the pages from OpenBSD, Samba, or Chris Black.

If you are running pserver, there are a variety of tools for manipulating the encrypted passwords in CVSROOT/passwd; cvspwd from GlassFish is one of them.

Tim TimeWaster's page describes how to set up CVS via SSH and give people access to CVS without login access on the machine (note: this is subject to the usual disclaimers about how giving people read/write access to CVS does allow them to circumvent any measures designed to prevent them from executing arbitrary commands on the server).

We expect to update this page with future CVS security announcements as they are made.

Derek Price, CVS developer and technical editor of Essential CVS (Essentials line from O'Reilly Press), and others offer consulting services and training through Ximbiot.