cvsuser/cvsuserd release 0.10-beta
These are release notes for cvsuser/cvsuserd version 0.10-beta. Read them carefully as they'll provide much useful information on how to install and use the current release of cvsuser/cvsuserd.
WHAT IS CVSUSER ?
cvsuser is a command line tool which allows CVS password files, CVS readers files and CVS writers files to be readily modified and managed. The cvsuser utility can either operate on a CVS archive stored on the same machine, or, in conjunction with cvsuserd, manage a CVS archive's access permissions on a remote system.
cvsuser supports many different command line switches and many variants of each command line switch to provide maximum user flexibility.
WHAT IS CVSUSERD ?
cvsuserd is a daemon intended to be used to allow remote cvsuser clients to manage permissions on a CVS archive remotely. The cvsuserd daemon must run on the same server that the CVS archive is located on. Access rights for each user may be independently controlled, allowing users to be given readonly or read/write access to the archive as well as rights to modify the CVS passwords and permissions files.
Communication between the cvsuser client and the cvsuserd server is lightly encrypted to prevent accidental or intentional snooping (the CVS pserver uses a trivial encryption so a strong encryption algorithm such as SSL or PGP is pretty much pointless). The encryption can use server specific private keys, or may use the default key.
ON WHAT OS DOES CVSUSER/CVSUSERD RUN ?
cvsuser/cvsuserd was developed on Linux but should port readily to other Unix-like operating systems as well as Windows using Cygwin.
INSTALLATION
The current incarnation of cvsuser/cvsuserd is built using the autotools and therefore follows the standard build procedure. To build cvsuser/cvsuserd from sources, download the sources from an available site and decompress them, if needed.
From within the cvsuser directory, type in the following sequence of commands:
$ ./configure --prefix=/usr --mandir=/usr/share/man
$ make
$ su -c "make install"
Enter the root user's password when prompted. Note that the above ./configure command line is recommended for SuSE Linux and Mandrake Linux and should also work for RedHat Linux (but has not yet been tested).
USING CVSUSER
cvsuser supports four (4) basic commands:
  cvsuser add <user>      Adds a user to the CVS password file. Also updates
                          the permission files as needed.
  cvsuser remove <user>   Removes a user from the CVS password file. Also
                          updates the permission files as needed.
  cvsuser change <user>   Changes a user's password in the CVS password file.
                          No changes are made to the user's permissions.
  cvsuser list            Generates a list of users along with their access
                          rights and rights to modify others' access to the
                          CVS archive.
  cvsuser help            Displays helpful text and version data, then exits.
                          All other switches are ignored.
These commands have a number of options which are discussed below:
  cvsuser add <user>      [ readonly | writable ]
                          [ developer | administrator ]
                          [ account <system account> ]
                          [ password <password> | nopassword ]
                          [ cvsroot <cvsroot string> [ login <login password> ] |
                            [ port <port> ] | local <archive path> ]
  cvsuser remove <user>   [ cvsroot <cvsroot string> [ login <login password> ] |
                            [ port <port> ] | local <archive path> ]
  cvsuser change <user>   [ password <password> | nopassword ]
                          [ cvsroot <cvsroot string> [ login <login password> ] |
                            [ port <port> ] | local <archive path> ]
  cvsuser list            [ cvsroot <cvsroot string> [ login <login password> ]
                            [ port <port> ] | local <archive path> ]
  readonly                  Indicates that this user is to have read-only
                            access to the CVS archive.
  writable                  Indicates that this user is to have write access
                            to the CVS archive.
  developer                 Indicates that this user is to have developer
                            rights. Developer rights allow a user to change
                            his/her account password only. Most individuals
                            who contribute to a CVS archive would want this
                            level of access rights.
  administrator             Indicates that this user is to have administrator
                            rights. Administrator rights allow a user to
                            freely modify other users' account data, add
                            users, remove users, etc.
  account <system account>  Specifies the system account to use for this CVS
                            user. This option allows fine control of access
                            rights for each CVS user by associating that CVS
                            user with a specific system account.
  password <password>       Specifies the password to assign to this user or
                            to set for this user. If neither this switch nor
                            the "nopassword" switch below is specified,
                            cvsuser will prompt for a password.
  nopassword                Indicates that this user should not require a
                            password to gain access to the CVS archive. For
                            security purposes, this switch can only be used
                            when modifying a local CVS archive. Mostly used
                            when setting up an anonymous account.
  cvsroot <cvsroot string>  By default, cvsuser will use the $CVSROOT
                            environment variable to locate a remote cvsuserd
                            server. This switch allows the CVSROOT path to
                            be specified on the command line. The format of
                            the cvsroot string is:
                              :pserver:<user>@<server>:<directory>
                            example:
                              :pserver:joe@hackerworld:/home/cvs
  login <login password>    When logging into a remote cvsuserd server, this
                            switch allows the login password to be specified
                            on the command line. If excluded, cvsuser will
                            prompt for the login password.
  port <port>               By default, cvsuser communicates with a remote
                            cvsuserd daemon using port 2402. This switch
                            allows the default port to be changed.
  local <archive path>      Tells cvsuser to modify a local CVS archive. The
                            archive path should point to the top level
                            directory in the CVS archive.
Other switches:
cvsuser supports at least two forms of each switch shown (in some cases
cvsuser will support 4 or 5 forms of a switch). Refer to the man page
for cvsuser for information on the different switch variants. Note that
all switches have single character variants if desired.
Note that switches/commands can be placed in any order on the command line. This allows the cvsuser command to be aliased in the user's .bashrc file to include optional login switches, cvsroot switches, or local switches if desired. An alias that includes a login switch stores the login password in plain text in .bashrc.
Examples:
To add an administrator account for the user admin to a local archive with the password Pizza, you would use the following command:
$ cvsuser add admin password Pizza administrator writable account cvsadmin local /home/cvs
To change the current password for Tom on the server pointed to by the current $CVSROOT environment variable, the command would be:
$ cvsuser change Tom
For user admin with password "Underpants" to remove user "Ralph" from a CVS archive at hackerworld with a CVS directory set to /home/cvs, the command would be:
$ cvsuser remove Ralph cvsroot :pserver:admin@hackerworld:/home/cvs login Underpants
Access Rights:
If a cvsuserd server defines a private key, then the key must be included
in the key file ".cvsuser" in the user's home directory. The format of
the key file is:
# A comment
<cvsroot string> <key>
For example:
#
# Ralph's key file for CVS server hackerworld:
#
:pserver:Ralph@hackerworld:/home/cvs This is the key for hackerworld
Be careful when setting up a .cvsuser key file as the key will include any trailing whitespace. The key starts with the first non-whitespace character following the cvsroot string.
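The key file rules above (comment lines, key starting at the first non-whitespace character after the cvsroot string, trailing whitespace kept as part of the key) can be checked with a small parser. This is an added example, not code from cvsuser; the second and third sample entries are constructed, the comment rule and the permission check in mode_warning are assumptions, and the function names are hypothetical.

```python
import re
import stat

# cvsroot format from these notes: :pserver:<user>@<server>:<directory>
CVSROOT_RE = re.compile(r"^:pserver:[^@:\s]+@[^:\s]+:\S+$")

# Constructed sample key file; the second entry's key ends in two spaces.
SAMPLE = (
    "#\n"
    "# Ralph's key file for CVS server hackerworld:\n"
    "#\n"
    ":pserver:Ralph@hackerworld:/home/cvs This is the key for hackerworld\n"
    ":pserver:Ralph@buildhost:/srv/cvs    second key  \n"
    "pserver:Ralph@oldhost:/cvs somekey\n"
)


def parse_keyfile(text):
    """Return (entries, warnings); entries maps cvsroot string -> key.
    The key runs from the first non-whitespace character after the cvsroot
    string to the end of the line, trailing whitespace included.
    Assumption: a line whose first non-blank character is '#' is a comment.
    """
    entries, warnings = {}, []
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)  # parts[1] keeps its trailing whitespace
        if len(parts) < 2:
            warnings.append((lineno, "no key after cvsroot string"))
            continue
        cvsroot, key = parts
        if not CVSROOT_RE.match(cvsroot):
            warnings.append((lineno, "cvsroot string not in :pserver: form"))
        if key != key.rstrip():
            warnings.append((lineno, "key ends in whitespace"))
        if cvsroot in entries:
            warnings.append((lineno, "duplicate cvsroot string"))
        entries[cvsroot] = key
    return entries, warnings


def mode_warning(st_mode):
    """Added check, not from the notes: flag group/other permission bits,
    since the file holds the server's private key."""
    if stat.S_IMODE(st_mode) & 0o077:
        return "key file is accessible to group/other"
    return None
```

A carriage return left by a CRLF editor is reported as trailing whitespace too, since it would become part of the key.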
USING CVSUSERD
cvsuserd is set up to support operation either as a stand-alone daemon, or as a service started by inetd/xinetd. cvsuserd can handle multiple concurrent sessions if needed.
Note that cvsuser cannot perform local access on the same archive that a cvsuserd daemon is running on. For this reason, be sure to set up an administrator account using cvsuser local access before starting the cvsuserd daemon. Without an administrator account, the CVS archive's user access cannot be modified remotely using the daemon.
Be sure to chmod the daemon suid and chown/chgrp the cvsuserd daemon such that its username aligns with the permissions set up for the CVS archive. For security reasons, it's not recommended to leave the cvsuserd daemon's user as root.
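The ownership advice above can be verified after installation with a short audit. This is an added example, not part of cvsuser/cvsuserd; it assumes that "aligns" means the daemon binary and the archive's CVSROOT/passwd, readers and writers files share one owner, adds a writability check that the notes do not mention, and uses hypothetical function names.

```python
import os
import stat

# Files in the archive's CVSROOT directory that cvsuser manages.
ADMIN_FILES = ("passwd", "readers", "writers")


def review_daemon(bin_mode, bin_uid, file_owners):
    """Findings for a cvsuserd binary, given its st_mode and st_uid and a
    {name: st_uid} map for the archive files the daemon has to modify."""
    findings = []
    if not bin_mode & stat.S_ISUID:
        findings.append("setuid bit not set: daemon runs as the invoking user")
    if bin_uid == 0:
        findings.append("owned by root: setuid would run the daemon as root")
    if bin_mode & 0o022:
        # Added check: others could replace a binary that runs setuid.
        findings.append("binary is group- or world-writable")
    for name, uid in sorted(file_owners.items()):
        if uid != bin_uid:
            findings.append(f"{name} is owned by uid {uid}, not daemon uid {bin_uid}")
    return findings


def review_paths(daemon_path, archive_path):
    """Collect the same inputs from the filesystem and review them."""
    st = os.stat(daemon_path)
    owners = {".": os.stat(archive_path).st_uid}
    for name in ADMIN_FILES:
        path = os.path.join(archive_path, "CVSROOT", name)
        if os.path.exists(path):
            owners["CVSROOT/" + name] = os.stat(path).st_uid
    return review_daemon(st.st_mode, st.st_uid, owners)
```

Call review_paths with the installed cvsuserd path and the archive directory passed to --allow_access; an empty list means the three conditions hold.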
cvsuserd supports the following command line switches:
  --allow_access <path>   This switch is required in most cases as it specifies
                          the directory where the CVS archive is located. The
                          current default is /home/cvs. This directory is
                          checked against the supplied cvsroot string sent by
                          the client.
  --console               Indicates that log data should be sent to stdout
                          instead of /var/log/cvsuserd.log.
  --help                  Displays a help screen and exits. All other switches
                          are ignored.
  --keep_alive            Indicates that the cvsuserd daemon should not
                          terminate after a period of inactivity.
  --message <message>     Specifies the welcome message to be displayed by
                          remote cvsuser clients when they connect.
  --name <server>         If specified, the name of the server specified in
                          the cvsroot string sent by the client is checked
                          against this server name.
  --port <port>           Specifies the port to connect to. The default port
                          is 2402.
  --time <idle time>      Time to remain active with no activity. Default is
                          30 seconds. A value of 0 is identical to the
                          --keep_alive switch in functionality. Useful when
                          cvsuserd is started by inetd/xinetd.
  --verbose               Indicates that verbose logging should be used.
