Re: downloading from CVS
>>>>> "Bruce" == Bruce Sass <bsass@freenet.edmonton.ab.ca> writes:
Bruce> This is what I get when I try to download from
Bruce> cvs.debian.org/cgi-bin/cvsweb/
Bruce> -----
Bruce> Alert!: HTTP/1.1 500 Internal Error
Bruce> -----
Bruce> then this message:
Bruce> -----
Bruce> Error
Bruce> Error:Unexpected output from cvs co: cvscheckout: Sorry, you don't
Bruce> have read/write access to the history file cvs [checkout aborted].
Bruce> /cvs/debian-boot/CVSROOT/history: Permission denied
Bruce> Check whether the directory /cvs/debian-boot/CVSROOT exists and the
Bruce> script has write-access to the CVSROOT/history file if it exists.
Bruce> The script needs to place lock files in the directory the file is in
Bruce> as well.
Bruce> -----
This is a known problem. It is due to the fact that the web server
and the CGI script `cvsweb' run as user `www-data', and `www-data'
does not have write access to the "history" file. I have offered a
solution, but it has not yet been implemented. See below. All of
the features of `cvsweb' work except for "download" and "annotate".
Anonymous client/server CVS ought to work fine.
Bruce> Adam had given me:
Bruce> http://cvs.debian.org/cgi-bin/cvsweb/debian-boot/boot-floppies/
Bruce> that URL now generates a "404 Not Found" error
Bruce> http://cvs.debian.org/cgi-bin/cvsweb/boot-floppies/
Bruce> is valid
The second URL will remain valid.
Bruce> Does this mean that non-developers can not access CVS anymore,
Bruce> or did someone mess up the cvsweb config?
Non-developers may still access it... The `cvsweb' config is basically
correct. The download and annotate features will not work for anyone
until the system is properly configured to allow it.

The following ought to be documented in the `cvsweb' package.
In order for it to work, there needs to be a group added called
`cvslock'. `www-data' and all developers who will have access to the
repository must belong to this group. A set of directories needs to
be created for cvs locking, in /var/lock/cvs/$REPOSITORY, group
writeable and sgid `cvslock'. Each repository must have
"LockDir=/var/lock/cvs/$REPOSITORY" added to the "config" file in
$CVSROOT/CVSROOT. Then, in each repository, the
$CVSROOT/CVSROOT/{history,val-tags} files must be touched and made
group owned and writeable by `cvslock'.

The web server and CGI will NOT have full writes to the repository,
but only writes to files group owned and writeable by `cvslock'.
This means the "history" and "val-tags" files, and the
/var/lock/cvs/$REPOSITORY directory tree. It will then be able to
offer the "download" and "annotate" features. It won't have full
writes because each repository is owned and group owned by OTHER than
`cvslock' or `www-data'. I believe this configuration and `cvsweb'
itself are both quite secure.

I think that by using PAM and /etc/security/group.conf, it will be
possible to automatically give group `cvslock' to all developers with
:ext: (via ssh) access.
Karl M. Hegbloom <karlheg@debian.org>