By Kurt Seifried [email protected]
CVS allows multiple developers to work together on large source code projects and maintain a large code base in a somewhat sane manner. CVS's internal security mechanisms are rather simple on their own; in fact some would say weak, and I would have to agree. CVS's authentication is typically achieved over the network using pserver, usernames are sent in clear text, and passwords are trivially hashed (no security really).
To get around this you have several good options. In a Unix environment probably the simplest method is to use SSH to tunnel connections between the client machines and the server. "Tim TimeWaster" (Tim Hemel, one of the Final Scratch guys) has written an excellent page covering this at: http://cuba.xs4all.nl/~tim/scvs/. A somewhat more complicated approach (but better in the long run for large installations) is to kerberize the CVS server and clients.
The primary "vendor" of cvs is http://www.cvshome.org/. CVS can easily be run over the SSH protocol, this is advised if you are interested in security (it can also be done "anonymously").
Apart from that I would strongly urge firewalling CVS unless you are using it for some public purpose (such as an open source project across the Internet).
There are other less obvious concerns you should be aware of, when dealing with source code you should be very to ensure no Trojan horses or backdoors are allowed into the code. In an open source project this is relatively simple, review the code people submit, especially if it is a publicly accessible effort, such as the Mozilla project. Other concerns might be destruction of the source code, make sure you have backups. CVS uses port 2401, tcp.
ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 2401 ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 2401 ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 2401
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 2401 ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 2401 ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 2401
Last updated on 1/9/2001
Copyright Kurt Seifried 2001 [email protected]