author Zordrak <> 2010-05-13 00:24:35 -0500
committer Robby Workman <> 2010-05-16 22:24:30 -0500
commit 6f2e5cf258f35192bcc15dfab06b69e12cc2a513
parent 60f9d60dbeb52aa781c52c0006d19bdfb29046c7
development/cvsd: Added (wrapper for cvs in pserver mode).
6 files changed, 351 insertions, 0 deletions
diff --git a/development/cvsd/README b/development/cvsd/README
new file mode 100644
index 0000000000..248327f3cf
--- /dev/null
+++ b/development/cvsd/README
@@ -0,0 +1,27 @@
+cvsd is a wrapper program for cvs in pserver mode. it will run 'cvs pserver'
+under a special uid/gid in a chroot jail.
+cvsd is run as a daemon and is controlled through a configuration file. It is
+relatively easy to configure and provides tools for easy setting up a chroot
+This server can be useful if you want to run a public cvs pserver. You should
+however be aware of the security limitations of running a cvs pserver. If you
+want any kind of authentication you should really consider using secure shell
+as a secure authentication mechanism and transport. Passwords used in cvs
+pserver are transmitted in plain text.
+This wrapper adds a layer of security to the cvs server. cvs is a very
+powerful tool and is capable of running scripts and other things. Running cvs
+in a chroot jail it is possible to limit the amount of "damage" cvs can do if
+it is exploited. It is generally a good idea to run cvsd without any write
+permissions to any directory on the system.
+Features of cvsd include:
+ * running in chroot jail
+ * configuring chroot jail
+ * running under a non-root uid
+ * set a nice value
+ * limit resource usage
+ * limit number of connections
+ * relatively easy to set up
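Review bot: The sentence ending "provides tools for easy setting up a chroot" stops mid-phrase before the next paragraph ("This server can be useful ..."); finish it (slack-desc in this same commit says "setting up a rootjail") and capitalise "it will run" in the first line. The plain-text password warning is the most important statement in this file for anyone exposing the service publicly, so consider moving it above the feature description rather than leaving it in the middle of the third paragraph.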
diff --git a/development/cvsd/README.SLACKWARE b/development/cvsd/README.SLACKWARE
new file mode 100644
index 0000000000..62d2e5bdba
--- /dev/null
+++ b/development/cvsd/README.SLACKWARE
@@ -0,0 +1,169 @@
+To have cvsd start at boot-time, you'll need to add the following lines
+to /etc/rc.d/rc.local:
+ # Start cvsd
+ if [ -x /etc/rc.d/rc.cvsd ]; then
+ /etc/rc.d/rc.cvsd start
+ fi
+You'll then need to add the following lines to /etc/rc.d/rc.local_shutdown:
+ # Stop cvsd
+ if [ -x /etc/rc.d/rc.cvsd ]; then
+ /etc/rc.d/rc.cvsd stop
+ fi
+The following is the configuration section from cvsd's own README
+(located in /usr/doc/cvsd-<version>), just modified a little for Slackware.
+You will need this for actually setting up a jail and repositories etc.
+cvsd is controlled through a configuration file in /etc/cvsd/cvsd.confi
+The default configuration file is fully commented and has a manual page
+(cvsd.conf(5)) which documents use of the configuration file.
+very quick setup guide
+The is just a series of commands to set up cvsd in a typical read-only setup.
+If you don't understand these steps or are looking for commands that work on
+your system you should look below for further details.
+ # cvsd-buildroot /srv/cvsd
+ # cvs -d /srv/cvsd/myrepos init
+ # cvsd-passwd /srv/cvsd/myrepos +anonymous
+ # touch /srv/cvsd/myrepos/CVSROOT/writers
+ edit /srv/cvsd/myrepos/CVSROOT/config
+ add "SystemAuth=no"
+ add "PamAuth=no"
+ add "LockDir=/tmp/myrepos"
+ # mkdir /srv/cvsd/tmp/myrepos
+ # chown cvsd:cvsd /srv/cvsd/tmp/myrepos
+ edit /etc/cvsd/cvsd.conf
+ set "Repos /myrepos"
+You should now be able to continue with the section "checking the
+configuration" below.
+setting up a chroot jail
+You can populate a chrooted file system with cvsd-buildroot. You should rerun
+this script if your cvs binary changes or the libraries that it depends upon.
+The place where you create the chroot file system should be specified in the
+configuration file as the 'RootJail'. It is possible (but not advisable) to
+run cvsd without a chrooted file system.
+If you plan to run stuff like the scripts from the contrib/ subdirectory in
+cvs, then you have to have all necessary binaries, libraries etc. etc. in the
+chrooted file system. You can just put the needed binaries in the 'bin'
+directory of the chroot jail and 'cvsd-buildroot' will install the needed
+libraries. Please note that this may require manual reconfiguring.
+Some systems may require extra libraries to be present in the chrooted file
+system than can not be automatically detected (using ldd). See the FAQ for
+disabling inetd pserver
+If inetd is configured to start cvs /etc/inetd.conf should contain a line
+like this:
+ cvspserver stream tcp nowait root /usr/bin/cvs --allow-root /home/cvs
+You should remove or comment out this line or tell cvsd to listen on a
+different port (use Listen option in cvsd.conf). If you change inetd.conf you
+should tell inetd to reload it's configuration by:
+ # kill -s HUP <pidofinetd>
+setting up a repository
+If you have configured the chroot jail and the user and group id bits you can
+start adding repositories to the chroot jail. There are a couple of ways you
+could do that.
+The first is creating an empty repository with something like:
+ # cvs -d /srv/cvsd/myrepos init
+(where /srv/cvsd is the location of the chroot jail and myrepos is the
+name of the new repository)
+Another way is copying an already existing repository to the chroot jail. It
+is also possible to do something smart with a tool like 'rsync'. Put this in
+a cronjob for extra effect.
+Symbolic linking a repository to the chroot jail is not possible since
+symbolic links will be evaluated within the chroot jail. Hard linking directories
+should be avoided (hard linking in general in my opinion). With Linux 2.4 (and
+probably other systems) it is possible to remount an existing directory
+within another directory. You can use mount:
+ # mount --bind /home/user/develrepos /srv/cvsd/userrepos
+or add something like this to /etc/fstab:
+ /home/user/develrepos /srv/cvsd/userrepos none bind 0 0
+(don't forget to create the /srv/cvsd/userrepos directory)
+After you have created or copied a repository into the chroot jail you should
+add it to the cvsd.conf configuration file so cvs can access it. Use the
+'Repos' option for this and remember to specify it relative to the chroot
+jail. So if your repository is /srv/cvsd/myrepos you should add 'Repos
+/myrepos' to the configuration file.
+The last step for making your repository accessible is to add a passwd file
+to the 'CVSROOT' directory of the repository. The cvsd-passwd tool will do
+this for you.
+ cvsd-passwd /srv/cvsd/myrepos anonymous
+This will add user 'anonymous' to the list of users that can access the
+repository. You will be prompted for a password which can optionally be
+Note that the cvsd user needs to have the correct permissions to the
+repository. The cvsd user probably should have read access to the repository
+but probably no write permission. You can add all users in the repository
+passwd file to a file named 'readers' in the 'CVSROOT' directory or create an
+empty 'writers' file. Without any of these files all users have write access!
+If you set up your repository so that the cvsd user only has read access to
+the files and directories in the repository (through unix file permissions)
+you need to take some extra provisions since cvs creates lockfiles when
+checking out files from the repository. The best way to do this is to create
+a directory for the cvsd user to write the lockfiles to (e.g.
+/srv/cvsd/tmp/myrepos) and add "LockDir=/tmp/myrepos" to the
+/srv/cvsd/myrepos/CVSROOT/config file. Be sure to create the directory
+and make it writable for the cvsd user. If your cvsd user has write access to
+the repository this should be no problem.
+It is also a good idea to put "SystemAuth=no" and maybe "PamAuth=no" in your
+CVSROOT/config file. This way password lookups will only be done to
+CVSROOT/config and not to /etc/passwd inside the chroot jail (that passwd
+file shouldn't contain any passwords) or PAM.
+See the "Password authentication server" section in the cvs texinfo document
+for more information about running a pserver and setting up repositories.
+If you have started cvsd with the provided init script:
+ # /etc/rc.d/rc.cvsd start
+and configured a repository (say myrepos) you should be able to access the
+server with something like:
+ % cvs -d :pserver:anonymous@localhost:/myrepos login
+ % cvs -d :pserver:anonymous@localhost:/myrepos checkout .
+For troubleshooting information see the FAQ on debugging.
+If you find any bugs or missing features please send email to
+Please include as much information as needed (platform, output of configure
+if compilation fails, output of the failure, etc). Most of the configuration
+information can be provided by running cvsd-buginfo. Patches are more than
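Review bot: In the SystemAuth/PamAuth paragraph, "password lookups will only be done to CVSROOT/config" contradicts the earlier step, which says cvsd-passwd adds a passwd file to the CVSROOT directory; the lookup target should be that passwd file, and as written a reader may expect credentials in the config file. Two smaller points on the same theme: the quick setup calls "cvsd-passwd /srv/cvsd/myrepos +anonymous" while the repository section calls it with plain "anonymous", so either align them or say what the "+" means; and the sentence "Without any of these files all users have write access!" deserves to be repeated next to the quick setup's "touch .../CVSROOT/writers" line, since that is the step that makes the repository read-only. Typos to fix while here: "/etc/cvsd/cvsd.confi", "The is just a series", "reload it's configuration".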
diff --git a/development/cvsd/cvsd.SlackBuild b/development/cvsd/cvsd.SlackBuild
new file mode 100644
index 0000000000..953e4b7980
--- /dev/null
+++ b/development/cvsd/cvsd.SlackBuild
@@ -0,0 +1,103 @@
+# Generated by Alien's SlackBuild Toolkit:
+# Copyright 2009 Eric Hameleers <>, Eindhoven, Netherlands
+# Slackware build script for drbd
+# Written by Zordrak <>
+# Based on
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+elif [ "$ARCH" = "x86_64" ]; then
+set -e # Exit on most errors
+# Bail out if user or group isn't valid on your system
+# For, assigned cvsd uid/gid are 233/233
+# See
+if ! grep ^cvsd: /etc/group 2>&1 > /dev/null; then
+ echo " You must have a \"cvsd\" group to run this script."
+ echo " # groupadd -g 233 cvsd"
+ exit 1
+elif ! grep ^cvsd: /etc/passwd 2>&1 > /dev/null; then
+ echo " You must have a \"cvsd\" user to run this script."
+ echo " # useradd -u 233 -g cvsd -d /srv/cvsd -s /bin/false cvsd"
+ exit 1
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --docdir=/usr/doc/$PRGNAM-$VERSION \
+ --build=$ARCH-slackware-linux
+make install DESTDIR=$PKG
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+( cd $PKG/usr/man
+ find . -type f -exec gzip -9 {} \;
+ for i in $( find . -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+mkdir -p $PKG/etc/rc.d
+mv $PKG/etc/init.d/cvsd $PKG/etc/rc.d/
+rmdir $PKG/etc/init.d
+mv $PKG/etc/cvsd/cvsd.conf $PKG/etc/cvsd/
+sed -i 's/\/var\/lib\/cvsd/\/srv\/cvsd/g' $PKG/etc/cvsd/
+sed -i 's/^Repos/# Repos/g' $PKG/etc/cvsd/
+sed -i 's/^#Listen \* 2401/Listen 2401/g' $PKG/etc/cvsd/
+mkdir -p $PKG/srv/cvsd
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a \
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/ > $PKG/install/
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
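Review bot: The user and group checks use "grep ^cvsd: /etc/group 2>&1 > /dev/null", where the redirections are in the wrong order: stderr is pointed at the terminal before stdout goes to /dev/null, so grep errors are still printed. Use "> /dev/null 2>&1" or simply "grep -q '^cvsd:' /etc/group" (same for /etc/passwd); "getent group cvsd" and "getent passwd cvsd" would also cover accounts that do not live in the flat files. The header comment still says "Slackware build script for drbd", which looks like a leftover from the script this was based on and should name cvsd. Finally, $PKG, $TMP and $OUTPUT are expanded unquoted in "rm -rf $PKG" and "mkdir -p $TMP $PKG $OUTPUT"; quoting them costs nothing and avoids word splitting if a caller sets a path containing spaces.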
diff --git a/development/cvsd/ b/development/cvsd/
new file mode 100644
index 0000000000..c8e0897f1f
--- /dev/null
+++ b/development/cvsd/
@@ -0,0 +1,10 @@
diff --git a/development/cvsd/ b/development/cvsd/
new file mode 100644
index 0000000000..52f4fdc866
--- /dev/null
+++ b/development/cvsd/
@@ -0,0 +1,23 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+ # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+# Keep same perms on
+if [ -e etc/rc.d/rc.cvsd ]; then
+ cp -a etc/rc.d/rc.cvsd etc/rc.d/
+ cat etc/rc.d/ > etc/rc.d/
+ mv etc/rc.d/ etc/rc.d/
+config etc/rc.d/
+config etc/cvsd/
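Review bot: In config(), $NEW and $OLD are expanded unquoted in dirname, basename, the "-r" test, mv, rm and the two cat calls, so a path containing whitespace or glob characters would be split or expanded while this runs as root at install time. Quote every expansion, for example OLD="$(dirname "$NEW")/$(basename "$NEW" .new)" and [ ! -r "$OLD" ]. The "cat $OLD | md5sum" comparison can also read the files directly with md5sum < "$OLD", which drops two processes without changing the result.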
diff --git a/development/cvsd/slack-desc b/development/cvsd/slack-desc
new file mode 100644
index 0000000000..fa486862bf
--- /dev/null
+++ b/development/cvsd/slack-desc
@@ -0,0 +1,19 @@
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+ |-----handy-ruler------------------------------------------------------|
+cvsd: cvsd (a cvs pserver daemon)
+cvsd: cvsd is a wrapper program for cvs in pserver mode. It will run
+cvsd: 'cvs pserver' under a special uid/gid in a chroot jail.
+cvsd: cvsd is run as a daemon and is controlled through a configuration
+cvsd: file. It is relatively easy to configure and tools are provided for
+cvsd: setting up a rootjail.
+cvsd: Home: