CVS and PAM
Today I tried to run a cvs pserver from xinetd / tcpwrapper as non root.
    flags = NAMEINARGS
    socket_type = stream
    protocol = tcp
    wait = no
    user = cvs
    server = /usr/sbin/tcpd
    server_args = /usr/sbin/cvs-pserver
Also, I would like to have a site-global authentication method that does
not use login passwords (for obvious security-not-my-problem-reasons of
cvs) - so PAM should be the right choice. I set up a PostgreSQL-based
authentication that already works well for other services.
However, pserver does not. When I cvs login with the CORRECT password, I
PAM account error: Authentication service cannot retrieve authentication
which is strange because libpam-pgsql claims that authentication
succeeded. Even more strange is that I get a different message when the
password was wrong:
PAM authenticate error: Authentication failure
So I guess authentication did work after all. This problem remains with
regular Unix authentication. The problem can be "solved" by running cvs
pserver as root - PAM auth works fine then. Only I don't want pserver to
be run that way.
However, that's not all. When using per-repository authentication with
CVSROOT/passwd, I can login also if pserver is run as restricted user
(no complaints, ~/.cvspass written). Problem is I cannot c/o anything:
$ cvs -d :pserver:... co ...
setgid failed: Operation not permitted
AFAICS, the cvs user is the owner of and has rwX access to the
Repository and all files within. Also, I set u+s in case that isn't
implied by being the owner. I (the user I work with) have full access to
my working directory but (of course) not to the repository. Again,
things work with a "root" pserver.
Hm, so something is quite wrong there. Has anyone succeeded in running
pserver restricted? Can't be that hard after all...
My system is Debian/sid, CVS 1:1.12.9-14
Any ideas appreciated,
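
Added example, not part of the original post: a small C check of whether the account a server runs under may change to another account's group and user ID, the operation named in the "setgid failed: Operation not permitted" message above. The function name can_switch_to and the assumption that the message comes from such an identity switch are not from the post.

```c
/* Added example (not from the original post). Assumption: the "setgid failed"
 * message comes from the server trying to take on another account's IDs. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try setgid(gid) then setuid(uid) in a child process, so the caller keeps
 * its own identity. Returns 0 on success, otherwise the errno of the call
 * that failed (for example EPERM), or -1 if the probe itself failed. */
int can_switch_to(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Group first: after setuid() to a non-root uid, setgid() is denied. */
        if (setgid(gid) != 0)
            _exit(errno);
        if (setuid(uid) != 0)
            _exit(errno);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);   /* errno values fit in the 8-bit status */
}

int main(void)
{
    /* Constructed targets: our own IDs, and IDs one above them. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    int same = can_switch_to(uid, gid);
    int other = can_switch_to(uid + 1, gid + 1);
    printf("running as uid=%ld gid=%ld\n", (long)uid, (long)gid);
    printf("switch to own ids:   %s\n", same ? strerror(same) : "ok");
    printf("switch to other ids: %s\n", other ? strerror(other) : "ok");
    return 0;
}
```

Run under the same account as the xinetd "user =" setting, it shows whether that account is allowed to change to IDs other than its own.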