From owner-freebsd-security Mon Nov 5 20:11:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100])
	by hub.freebsd.org (Postfix) with ESMTP id 4F06D37B405
	for ; Mon, 5 Nov 2001 20:11:22 -0800 (PST)
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108])
	by wrath.cs.utah.edu (8.11.6/8.11.1) with ESMTP id fA64BL523873;
	Mon, 5 Nov 2001 21:11:21 -0700 (MST)
From: David G Andersen
Received: (from danderse@localhost)
	by faith.cs.utah.edu (8.11.1/8.11.1) id fA64BKh11658;
	Mon, 5 Nov 2001 21:11:21 -0700 (MST)
Message-Id: <200111060411.fA64BKh11658@faith.cs.utah.edu>
Subject: Re: Running secured local anoncvs server for FreeBSD CVS Repository
To: eugen@grosbein.pp.ru (Eugene Grosbein)
Date: Mon, 5 Nov 2001 21:11:20 -0700 (MST)
Cc: security@FreeBSD.ORG
In-Reply-To: <20011106110346.A77269@svzserv.kemerovo.su> from "Eugene Grosbein" at Nov 06, 2001 11:03:46 AM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

See 'anoncvssh', from the OpenBSD project:

  http://openbsd.sunsite.ualberta.ca/papers/anoncvs-paper.ps

Then grab the distribution:

  http://www.openbsd.org/anoncvs.shar

Then follow the instructions in the README.  Since this isn't a
real CVS tree that you're granting access to (i.e. not one that
you're making commits to yourself), the setup is really quite
straightforward.

Works well, is a CPU and disk bandwidth/seek hog, but it's super
convenient for local access.  (These are features of using CVS
instead of CVSup, NOT features of anoncvssh.  anoncvssh just gives
you a more secure way of doing the ssh).

If you're super paranoid, you can mount large parts of the CVS
repository read-only.

  -Dave

Lo and behold, Eugene Grosbein once said:
>
> Hi!
>
> I run local cvsup-mirror of FreeBSD CVS Repository. It runs just fine.
> I would like to provide read-only anoncvs access to the Repo and wonder
> how to make it secure. E.g. I do not want users to:
>
> - make brute-force attacks to /etc/master.passwd
> - touch the Repo in any way, no commits, no tags, no
>   val-tags nor history nor any other file modifications.
>
> Is it possible?
>
> Eugene Grosbein
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
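
An added example, not part of the message above or of the anoncvs distribution: a file-permission audit for the "no file modifications" requirement in the question, listing every path in the mirror that a non-owner account could change. It assumes the mirror is owned by a dedicated account and that anonymous CVS runs as a different, unprivileged account; the function names, the sample tree and uid 65534 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the post or of the anoncvs distribution.
# Assumption: the mirror is owned by a dedicated account (e.g. the one that
# runs cvsup) and anonymous CVS runs as a different, unprivileged account.

# Paths under $1 that group or other may write (symlinks skipped: their
# own mode bits are not enforced).
writable_by_non_owner() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Paths under $1 owned by account $2 (name or numeric uid). An owner can
# chmod its own files, so the anonymous account should own nothing here.
owned_by() {
    find "$1" -user "$2" -print
}

# audit_repo ROOT ANON_ACCOUNT: print findings; return 1 if any exist.
audit_repo() {
    w=$(writable_by_non_owner "$1")
    o=$(owned_by "$1" "$2")
    [ -z "$w" ] || printf '%s\n' "$w" | sed 's/^/writable by non-owner: /'
    [ -z "$o" ] || printf '%s\n' "$o" | sed "s/^/owned by $2: /"
    [ -z "$w$o" ]
}

# Build a small constructed repository layout for demonstration. The
# history and val-tags files are the ones the original question names.
make_sample_repo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/CVSROOT" "$d/src/bin"
    : > "$d/CVSROOT/history"
    : > "$d/CVSROOT/val-tags"
    : > "$d/src/bin/ls.c,v"
    chmod -R go-w "$d"
    chmod 666 "$d/CVSROOT/history"   # deliberate misconfiguration
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /path/to/repo anoncvs-account
# With no arguments, audit the constructed sample (65534 is a stand-in uid).
if [ "$#" -eq 2 ]; then
    audit_repo "$1" "$2"
elif [ "$#" -eq 0 ]; then
    sample=$(make_sample_repo) && { audit_repo "$sample" 65534 || true; }
    rm -rf "$sample"
fi
```

A clean audit only covers file modes and ownership; mounting the repository read-only, as suggested in the reply, remains a separate layer enforced by the kernel.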