Re: downloading from CVS

To: Bruce Sass <bsass@freenet.edmonton.ab.ca>
Cc: debian-boot@lists.debian.org
Cc: debian-admin@lists.debian.org
Subject: Re: downloading from CVS
From: karlheg@bittersweet.inetarena.com (Karl M. Hegbloom)
Date: 02 Feb 2000 20:05:35 -0800
Message-id: <[🔎] 87aeljj5gw.fsf@bittersweet.intra>
In-reply-to: Bruce Sass's message of "Wed, 2 Feb 2000 12:53:44 -0700 (MST)"
References: <[🔎] Pine.A41.3.95.1000202123545.19932A-100000@fn2.freenet.edmonton.ab.ca>

>>>>> "Bruce" == Bruce Sass <bsass@freenet.edmonton.ab.ca> writes:

    Bruce> This is what I get when I try to download from
    Bruce> cvs.debian.org/cgi-bin/cvsweb/

    Bruce> -----
    Bruce> Alert!: HTTP/1.1 500 Internal Error
    Bruce> -----

    Bruce> then this message:

    Bruce> -----
    Bruce> Error

    Bruce> Error:Unexpected output from cvs co: cvscheckout: Sorry, you don't
    Bruce> have read/write access to the history file cvs [checkout aborted].
    Bruce> /cvs/debian-boot/CVSROOT/history: Permission denied

    Bruce> Check whether the directory /cvs/debian-boot/CVSROOT exists and the
    Bruce> script has write-access to the CVSROOT/history file if it exists.
    Bruce> The script needs to place lock files in the directory the file is in
    Bruce> as well.
    Bruce> -----

 This is a known problem.  It is due to the fact that the web server
 and the CGI script `cvsweb' run as user `www-data', and `www-data'
 does not have write access to the "history" file.  I have offered a
 solution, but it has not yet been implemented.  See below.  All of
 the features of `cvsweb' work except for "download" and "annotate".

 Anonymous client/server CVS ought to work fine.

    Bruce> Adam had given me:
    Bruce> http://cvs.debian.org/cgi-bin/cvsweb/debian-boot/boot-floppies/
    Bruce> that URL now generates a "404 Not Found" error

    Bruce> http://cvs.debian.org/cgi-bin/cvsweb/boot-floppies/
    Bruce> is valid

 The second URL will remain valid.

    Bruce> Does this mean that non-developers can not access CVS anymore,
    Bruce> or did someone mess up the cvsweb config?

 Non-developers may still access it...  The `cvsweb' config is basicly
 correct.  The download and annotate features will not work for anyone
 until the system is properly configured to allow it.

 The following ought to be documented in the `cvsweb' package.

 In order for it to work, there needs to be a group added called
 `cvslock'.  `www-data' and all developers who will have access to the
 repository must belong to this group.  A set of directories needs to
 be created for cvs locking, in /var/lock/cvs/$REPOSITORY, group
 writeable and sgid `cvslock'.  Each repository must have
 "LockDir=/var/lock/cvs/$REPOSITORY" added to the "config" file in
 $CVSROOT/CVSROOT.  Then, in each repository, the
 $CVSROOT/CVSROOT/{history,val-tag} files must be touched and made
 group owned and writeable by `cvslock'.

 The web server and CGI will NOT have full writes to the repository,
 but only writes to files group owned and writeable by `cvslock'.
 This means the "history" and "val-tags" files, and the
 /var/lock/cvs/$REPOSITORY directory tree.  It will then be able to
 offer the "download" and "annotate" features.  It won't have full
 writes because each repository is owned and group owned by OTHER than
 `cvslock' or `www-data'.  I believe this configuration and `cvsweb'
 itself are both quite secure.

 I think that by using PAM and /etc/security/group.conf, it will be
 possible to automaticly give group `cvslock' to all developers with
 :ext: (via ssh) access.

 Karl M. Hegbloom <karlheg@debian.org>

Reply to:

References:
- downloading from CVS
  - From: Bruce Sass <bsass@freenet.edmonton.ab.ca>

Prev by Date: Bug#56821: POSSIBLE GRAVE SECURITY HOLD]
Next by Date: Re: PPOTATO: Boot-Disk sucks...
Previous by thread: downloading from CVS
Next by thread: PPOTATO: Boot-Disk sucks...
Index(es):
- Date
- Thread