Chapter 3. Security

Table of Contents

How to set up security
How to add and delete users
Setting permissions for files and directories
Groups of users can be assigned permissions
Running CVSNT as a nonprivileged user
Running within a chroot jail
Setting and changing passwords
Repository administrators
Read-only repository access
Temporary directories for the server
The CVSNT lockserver

A remote cvsnt repository can be set up to have its own security system outside of the standard security provided by the system. See also information about the chacl and chown commands, and the CVSROOT/admin file.

How to set up security

First setup the server normally. Changing the base path as described in the section called “Using repository aliases” can be very convenient. The command should run as the user that owns the repository (not root). Use the RunAsUser setting for this.

On Unix systems setting a the Chroot variable is recommended also.

To lock down the access to the repository by default set the AclMode setting in the CVSROOT/config to 'normal'. This will stop anyone accessing the any file unless they are specifically granted access by an access control entry

On a secure system it is recommended that pserver is not used, as it sends its passwords in a trivially decryptable form. On Windows systems use encrypted SSPI, and on Unix ssh is recommended.