Using CVS to Manage a Web Site - A Guide For System Administrators

Linux Server Setup
Linux Client Setup
Importing Your Site Into CVS
Linux Web Server Setup
Related Sites
Web pages regarding CVS and the web
Web Pages regarding CVS Server Security

Linux Server Setup

There are many ways to set up a CVS server. One of the big choices is whether to allow pserver mode (which lets you avoid giving shell accounts to CVS-only users, but is full of security holes), or to give shell accounts to the users, and make them log in via ssh (which is nice and secure, but requires users who know how to use ssh). Every approach requires care, since CVS was not written for security. The pessimist would say that the only safe way to run CVS is to never give it root privileges, to run it in a chroot jail, and to apply all possible security patches. You give up some flexibility this way, but gain a modicum of assurance that hackers won't take down your machine.

I'm fairly pessimistic, so that's how I'm running it. Here's what I did. (Note: I'm still verifying that these instructions work, so caveat emptor.)

Install CVS, if needed, with
```
# rpm -i cvs*.rpm
```
or by downloading it from cvshome.org.
If you're into security, you should probably build it from source, and apply the patches mentioned in this bug-cvs post.
Read
```
info cvs
```
and the doc at cvshome.org. If you prefer printed documentation, one of the authors of CVS has a book, "Open Source Development with CVS", which may be of some help.
Create the pseudouser and group that own the repository, but don't let him log in, don't let him write to his home directory, take away all his dot files, and let him but no other user read his home directory:
```
# useradd cvsuser -s /bin/false
# rm /home/cvsuser/.[a-z]*
# chown root.cvsuser /home/cvsuser
# chmod 750 /home/cvsuser
```

Create the chroot jail for cvs to run in. (Following is for Red Hat 6.2.)

# cd /home/cvsuser
# mkdir jail
# chown root.cvsuser jail
# chmod 750 jail
# cd jail
# mkdir bin dev etc lib tmp
# cp /usr/bin/cvs bin
# cp -a /dev/null dev
# cp /etc/localtime etc
# cd lib
# cp -a /lib/ld-2.1.3.so .
# cp -a /lib/libc-2.1.3.so .
# cp -a /lib/libcrypt-2.1.3.so .
# cp -a /lib/libnsl-2.1.3.so .
# cp -a /lib/libnss_files-2.1.3.so .
# cp -a /usr/kerberos/lib/libkrb5.so.2 .
# cp -a /usr/kerberos/lib/libk5crypto.so.2 .
# cp -a /usr/kerberos/lib/libcom_err.so.3 .
# ln -s ld-2.1.3.so ld-linux.so.2
# ln -s libc-2.1.3.so libc.so.6
# ln -s libcrypt-2.1.3.so libcrypt.so.1
# ln -s libnsl-2.1.3.so libnsl.so.1
# ln -s libnss_files-2.1.3.so libnss_files.so.2
# cd ..
# chown -R root.root bin dev etc lib
# chmod -R 111 bin
# chmod 1777 tmp
# cp /sbin/ldconfig bin
# /usr/sbin/chroot /home/cvsuser/jail bin/ldconfig
# rm bin/ldconfig

Create a Unix account and home directory for the CVS pseudouser inside the jail:
```
# cd /home/cvsuser/jail
# grep cvsuser /etc/passwd > etc/passwd
# mkdir -p home/cvsuser 
```
Make sure there's no real password in /home/cvsuser/jail/etc/passwd. If there is, replace it with an asterisk.

Verify you can run cvs inside the jail:

/usr/sbin/chroot /home/cvsuser/jail bin/cvs --version

Create the new repository in a subdirectory of the jail:

# cd /home/cvsuser/jail
# mkdir repository
# cvs -d /home/cvsuser/jail/repository init

Make sure cvsuser owns the repository, and set its permissions:

# chown -R cvsuser /home/cvsuser/jail/repository
# chmod 700 /home/cvsuser/jail/repository /home/cvsuser/jail/repository/CVSROOT

Download this program, customize it to reflect cvsuser's uid and gid, compile it, and install the executable as /usr/bin/cvs-chroot. (Note: it uses Linux-specific variants of setgid() and setuid(). To compile on a different operating system, use the standard setgid() and setuid().)
As root, bring the CVS server online by adding the appropriate file to /etc/inetd.conf; it will probably be
```
2401  stream  tcp  nowait  root  /usr/bin/cvs-chroot cvs-chroot
```
Suggestion: while you're in there, spend some time on system security. Figure out what each line does, and whether you need it. If you don't, comment it out; the fewer services running, the fewer ways a script kiddie can attack your system.
Then make inetd reread its config file by sending it the HUP signal, e.g.
```
# killall -HUP inetd
```
On Red Hat Linux, if inetd is not running, you may need to enable it by using the command 'ntsysv' and checking the box next to inetd.
Create CVS accounts for the users. I decided to use CVS accounts rather than system accounts; all CVS users share the Unix account 'cvsuser'. There is no standard utility for creating or managing CVS accounts yet; you add CVS accounts by adding lines to a plain text file 'CVSROOT/passwd' in the repository. This does not need to be under CVS control. Like many others, I wrote a tiny program cvspasswd.c to generate password lines. Compile this program with 'cc cvspasswd.c -lcrypt -o cvspasswd', install the resulting binary somewhere on your PATH (e.g. /usr/local/bin), then do
```
# cd /home/cvsuser/jail/repository/CVSROOT
# cvspasswd dank >> passwd
```
to add a new CVS user 'dank'. (If you call the pseudouser something other than 'cvsuser', you'll need to edit cvspasswd.c or its output.)
Make sure you can connect to the server; give the command
```
$ cvs -d ':pserver:myusername@myserver:/repository' login
```
where 'myusername' is a CVS username created above, and 'myserver' is the IP address or hostname of the CVS server.
If that doesn't work, and you can't figure out why, you can often figure out what's up by running
```
# strace -f -o trace.out -p `pidof inetd`
```
on the server (where `pidof inetd` is the process id of the running inetd).
Configure your CVS server so that it knows what files are binary and which are ASCII. This is important because initially it thinks all files are ASCII, so it does things like CRLF and keyword substitution on them, which screws up image and sound files no end. Here's how to configure the CVS server: edit the repository's copy of CVSROOT/cvswrappers. This file contains comments explaining its format (one wildcard per line). You can do this from the client (shiver). For example (assuming you've logged in as above):
```
$ cd
$ mkdir work
$ cd work
$ cvs checkout CVSROOT
$ cd CVSROOT
$ vi cvswrappers
```
and add the lines
```
*.gif -k 'b'
*.png -k 'b'
*.jpg -k 'b'
*.zip -k 'b'
```
then commit your changes:
```
cvs commit 
```
cvswrappers is case-sensitive; if you have both .jpg and .JPG files, you need one entry for each! Also, you will get no feedback on whether this file is correct until you try to view an image or sound file that has been corrupted. So be careful, and do a full dress rehearsal and test of your site with CVS before switching over for real!

Linux Client Setup

Install CVS, if needed, with
```
# rpm -i cvs*.rpm
```
or by downloading it from cvshome.org.
Try logging in to the server with the commands
```
$ CVSROOT=':pserver:myusername@myserver:/repository'
$ export CVSROOT
$ cvs login
```
where 'myusername' is the CVS username created above, and 'myserver' is the IP address or hostname of the CVS server.
If that works, put the CVSROOT lines into ~/.bash_profile, so they are executed automatically on login. (This assumes you only use CVS with one server; if you start using it with multiple servers, you'll need to get fancier.)

Importing Your Site Into CVS

I've chosen here to get started with CVS without disturbing the existing web site by setting up the CVS server on a different machine than the web server, and not running any CVS commands at all on the real web server at first. This involves the extra step of downloading the site to a client machine so it can be imported into CVS.

On the Linux client, get a local copy of the web site; one easy way to do this is with wget:
```
$ wget -k -m www.frivolity.org
```
where 'www.frivolity.org' is the web site you want to manage with CVS. This will create a directory 'www.frivolity.org' containing the directory hierarchy of the site as it appears to the web browser. It will also convert any internal absolute links to relative links; this is important, as it allows you to test your web site locally, without uploading it.
(Note: wget doesn't retrieve style sheet files, so if your site uses any of those, you'll have to grab them one by one.)
wget converted most links to relative form, but does not touch style sheet links. If all your pages use an absolute link e.g. http://www.frivolity.org/friv.css to the style sheet, you'll need to convert them to use a relative link.
Here's how a Unix commandline user would approach this task. (HTML editors like Dreamweaver often have multifile search and replace tools that can handle this, too.) To find all the files that refer to an external style sheet, use a search like
```
$ find . -name '*.htm*' -print | xargs grep -l friv.css 
```
Then, in each directory containing one of those files, use a search-and-replace command to replace the absolute path with the appropriate relative path. In a directory one level under where the friv.css file lives, the relative path would be ../friv.css, so a good search-and-replace command would be
```
$ perl -p -i.bak -e 's,http://www.frivolity.org/friv.css,../friv.css,' *.html
```
(You can also do this after importing your site into CVS, but hey, why not get it right the first time?)
Verify that this copy of the site works properly by opening it in your local web browser. You do this in Netscape by typing in the full path to the directory created by wget, e.g. "/home/dank/www.frivolity.org/". Click around and verify that everything looks good. cgi-bin scripts and server side includes won't work, of course; only static HTML will function properly here.
Remove the backup files created by perl (if that's the tool you used):
```
$ rm *.bak
```
Check to make sure your CVS server is configured correctly to know about each binary file type in your site; see above. The command
```
$ find . -print | sed 's/.*\././' | grep -v / | sort -u
```
will display all the filename suffices in use on your site; make sure you know which are binary, and that all the binary ones are flagged as such to CVS.
Import the site into CVS using 'cvs import'. You'll need to pick a project name; I suggest the hostname of the website, minus the "www." and ".com". For example:
```
$ cd www.frivolity.org
$ cvs import -m "Imported sources" frivolity myname start      
```
where "Imported sources" is a comment describing the change you're making to CVS,
frivolity is the project name,
myname is a 'vendor id' (use your CVS account name) used to keep CVS happy, and
start is just there to keep CVS happy.
CVS will output one line for each file or directory in the site, plus the message
```
No conflicts created by this import 
```
Set up the directory you'll use to edit the site's files, and check out a copy of the site into it using CVS. I choose to keep the local sandboxes for all my CVS projects in a directory '~/work'. Here's how to do that:
```
$ cd
$ mkdir work
$ cd work
$ cvs checkout frivolity
```
This should create a directory 'frivolity' containing the files for your site (www.frivolity.org). Each directory will have one extra directory named CVS in it -- don't worry about this. You can ignore it; it's just housekeeping files for CVS.
Verify that this copy of the site works properly by opening it in your local web browser. You do this in Netscape by typing in the full path to the directory created by CVS, e.g. "/home/dank/work/frivolity/". Click around and verify that everything looks good. cgi-bin scripts and server side includes won't work, of course; only static HTML will function properly here.

Linux Web Server Setup

If there is a web server running on the CVS server, you can set up the server to update a copy of the web site from CVS every five minutes as follows:

First, as root, make a directory to hold the copy of the web site, and check out a copy, e.g.

# cd /home/httpd/html
# mkdir frivolity
# cvs -d /home/cvsuser/jail/repository checkout frivolity

Second, set up a crontab file to update this every five minutes, e.g.

# cd /etc/cron.hourly
# vi frivolity.cron

and add the lines

#!/bin/sh
cd /home/httpd/html
/usr/bin/cvs -d /home/cvsuser/jail/repository update

then mark that file executable by root alone,

# chmod 700 frivolity.cron

and edit root's crontab,

# crontab -e

adding the line

*/5 * * * * /etc/cron.hourly/frivolity.cron

You should be able to see a constantly updated copy of the web site on that web server now, at the URL 'http://server/frivolity'.

Web pages regarding CVS and the web

The CVS home page
- CVS and the Web
  - [A list of] Web Sites Using CVS
mod_cvs - an Apache module to keep your web site up to date with respect to CVS
Using CVS for collaborative website development, by David Sklar
CVS Version Control for Web Site Projects, by Sean Drilinger
Time Travel: Web Development and CVS, by Ronald Roeber
Managing websites using Unix, by Nik Clayton
How to create a CVS server using Red Hat linux 6.1, by Michael Amorose.
A comparison of CVS and DAV (written by the chair of the IETF WebDAV Working Group)

Web Pages regarding CVS Server Security

Chrooted SSH CVS server HOW-TO by IDEALX 18 Jun 2001
cvsauth - one of the efforts to bring SSL support to CVS
A post to bug-cvs showing how users with pserver write access can execute arbitrary code on server
Chroot-BIND HOWTO - how to set up a different system daemon in a chroot jail (for comparison)
How Samba's CVS is set up
- source and doc for Samba's anonymous chroot'd cvs server
CVS Server Setup and Info [using chroot jail]
Chrooted tunnelled read-write CVS server
SCVS - one way to set up CVS for transparant SSH tunneling
Justin's patch to build chroot into cvs -- the followups to this message discuss the pros and cons. Put on your flame-proof suit.
More info from Justin - how to let CVS send mail from inside a chroot jail

Thanks

This page would have been must harder to write without the pages from Samba.org and unixtools.org documenting how they set up chroot jails for CVS. Much of this material is directly copied from those sites. Thanks also for suggestions from info-cvs and lula, and corrections from Chris Smith.