Strict Access Control for CVS pserver-mode
a.k.a. Connecting CVS to LDAP

This page also describes the option to automatically generate Access Control Lists via a cron job, by querying an LDAP server, and then distributing the ACLs to the production CVS-servers.

• you can use static ACLs to control access to CVS
• LDAP connectivity is optional

• you can generate the ACLs automatically with LDAP queries

I used to maintain the internal CVS server at Netscape, which had approximately 3000 internal users, many of them all over the world.

We used LDAP to feed NIS, so that people authenticate against LDAP when they log in - at some point in time it became necessary to restrict CVS access to certain people only - rather than everybody with an LDAP entry.

CVS has no way to really restrict access to only a limited list of users. One could restrict access to directories within the repository through UNIX groups - but at that point, a user would have already established a connection with the CVS server via pserver-protocol. And the readers/writers mechanism is not sophisticated enough - it defaults to "everybody with a UNIX account" - a very broad list of users if you are in an internationally operating company.

So one day, inspired by PANIC!, I patched the CVS 1.10.8 source code, to check if a user who tried to connect via pserver-protocol, is indeed on an Access Control List. If s/he's not on that ACL, the user will get a "permission denied" and will not be able to access ANYTHING in the repository.

To automatically update the CVS ACL, I also wrote a PERL / perLDAP script which is run by cron, and which queries LDAP to update the above mentioned ACL, it then adds some people from an exception list to the ACL, and checks the ACL in to RCS for bookkeeping (yes, locally!), then it creates an MD5sum of the ACL, to check if something on the production CVS-servers changed, and finally it distributes the ACL to all the production CVS-servers via SSH -- it's quite elaborate and does a lot of PARANOYA checking -- please do read the script for more info/details. Well, it's just an example - you need to modify it for your specific needs.

This is of course a bit of a half-hearted job, compared to implementing live LDAP connectivity for CVS .. but it was much much faster to implement static ACLs which are updated via cron.. and it works like a charm in a large production environment.

Only two source files needed to be modified: cvs.h and server.c.

Download

• download the CVS source code (preferably cvs-1.10.8) and merge-in the two source files mentioned above, or
• download the pre-compiled ACL-enhanced CVS 1.10.8 for one of the following platforms:
  • Solaris 2.6 and higher with md5sum 4d2a698dd492bf025d6a6af5e28cede8
  • HP/UX 11:00 with md5sum ea97bbe03047011cc0006ae7b2ef802a
  • Alpha OSF 4.0 with md5sum df7d375abced54ef5b265b3cb039422b
  • LINUX 2.2.12 with md5sum 7baa3e70a173569b951bdb614c0e042c

• download an example Perl/perLDAP script to automatically pull certain users from LDAP and create ACLs - updating the CVS-server on the fly - see the section Lock Mechanism on how this is done..

CVS ACL HOWTO

# mkdir /opt/admin
# chmod 755 /opt/admin

# mkdir /opt/admin/bin
# chmod 755 /opt/admin/bin
# cp cvs-1.10.8-acl /opt/admin/bin
# chmod 555 /opt/admin/bin/cvs-1.10.8-acl

Create the following directory structure, and ACL-file, all owned by root, and with access restrictions as follows:

# su - root

# mkdir /opt/admin
# chmod 755 /opt/admin

# mkdir /opt/admin/etc
# chmod 755 /opt/admin/etc

# touch /opt/admin/etc/valid_cvs_users
# chmod 644 /opt/admin/etc/valid_cvs_users

Remove the lock-file immediately after updating the ACL.

Maintainer: Tilo Sloboda unixNOSPAM@unixgods.org last update: 23 October 2002