

Hello group,

today I tried to run a cvs pserver from xinetd / tcpwrapper as non root.
Like this:

service cvspserver
{
        flags       = NAMEINARGS
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = cvs
        server      = /usr/sbin/tcpd
        server_args = /usr/sbin/cvs-pserver
}

Also, I would like to have a site-global authentication method that does
not use login passwords (for obvious security-not-my-problem-reasons of
cvs) - so PAM should be the right choice. I set up a postgresql based
authentication that already works well for other services.

However, pserver does not. When I cvs login with the CORRECT password, I
get a

PAM account error: Authentication service cannot retrieve authentication

which is strange because libpam-pgsql claims that authentication
succeeded. Even more strange is that I get a different message when the
password was wrong:

PAM authenticate error: Authentication failure

So I guess authentication did work after all. This problem remains with
regular unix authentication. The problem can be "solved" by running cvs
pserver as root - pam auth works fine then. Only I don't want pserver to
be run that way.

However, that's not all. When using per-repository authentication with
CVSROOT/passwd, I can also log in if pserver is run as a restricted user
(no complaints, ~/.cvspass written). Problem is I cannot c/o anything:

$ cvs -d :pserver:... co ...
setgid failed: Operation not permitted

AFAICS, the cvs user is the owner of and has rwX access to the
Repository and all files within. Also, I set u+s in case that isn't
implied by being the owner. I (the user I work with) have full access to
my working directory but (of course) not to the repository. Again,
things work with a "root" pserver.

Hm, so something is quite wrong there. Has anyone succeeded in running
pserver restricted? Can't be that hard after all...

My system is debian/sid, CVS 1:1.12.9-14

Any ideas appreciated,

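As an added illustration (not from the mail above and not CVS's own code), this small C program performs the group-then-user identity switch that a server like pserver attempts after authenticating a client, and shows why it fails when the daemon was not started as root; the function names and the gid 65534 ("nogroup" on Debian) are assumptions of the example.

```c
/* Added example: the privilege switch behind "setgid failed: Operation not
 * permitted".  Build: cc -Wall switch_identity.c -o switch_identity */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch the calling process to gid/uid the way a daemon does once it has
 * authenticated a client: group first, then user.  Returns 0 on success or
 * the errno of the first failing call.  Without CAP_SETGID / CAP_SETUID
 * (i.e. when the process was not started as root) the kernel only allows
 * setgid() to the process's own real or saved gid and setuid() to its own
 * real or saved uid; any other target yields EPERM, which is exactly what
 * the "setgid failed" message in the mail reports. */
int switch_identity(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return errno;
    if (setuid(uid) != 0)
        return errno;
    return 0;
}

/* A daemon already running as the target user has nothing to change and
 * should skip the switch instead of failing on it. */
int needs_switch(uid_t uid, gid_t gid)
{
    return getuid() != uid || getgid() != gid;
}

int main(void)
{
    uid_t me = getuid();
    gid_t mygid = getgid();
    gid_t other = 65534;   /* constructed: "nogroup" on Debian */
    int rc;

    rc = switch_identity(me, mygid);
    printf("switch to own uid/gid: %s\n", rc ? strerror(rc) : "ok");

    rc = switch_identity(me, other);
    printf("switch gid to %u: %s\n", (unsigned)other, rc ? strerror(rc) : "ok");
    /* run as an ordinary user, the second line reports EPERM */
    return 0;
}
```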