Unless /usr/bin/cvs is setuid root, it can't change users, which makes it unusable for serving multiple anonymous read-only clients.
Details and discussion: http://mail.gnu.org/archive/html/info-cvs/2001-06/msg00071.html
cvs in portage works fine as-is for client usage.
--ryan.
Wanted to follow up on this, and correct my report: cvs gets installed into xinetd to run in pserver mode as user "cvs" and group "cvs". This breaks anonymous pserver access, since non-root binaries can't setuid() to a different user, which pserver does for security...in dropping root privs like this, it doesn't need to run as a "cvs" user in the first place.
However, setting the suid bit on /usr/bin/cvs so it runs as root breaks cvs-over-ssh in other strange ways. Details here: https://bugzilla.icculus.org/show_bug.cgi?id=1646
The solution appears to be running the pserver as root in xinetd (which lets it change users and drop privs), and NOT setting the suid bit on the binary (so users working over ssh get the right permissions...in this case, the cvs binary has to be run as the user that ssh'd into the server, and not root).
So I guess the actual bug solution is not tagging the binary as suid root, but instead:
- change the xinetd entry for cvspserver to run as root, not the user "cvs".
- Don't make the cvs user/group in the ebuild at all? I don't think it's necessary in light of this...?
Sorry for the misinformation in the original bug report, but the issue was a little deeper than I originally believed it to be.
Thanks, --ryan.
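A check for the two conditions described in the comment above (the pserver started as root by xinetd, and no setuid bit on the cvs binary), as an added example that is not part of the original report. The function names and the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Print the "user" attribute of an xinetd service file
# (first uncommented match wins).
xinetd_user() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*user[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }
    ' "$1"
}

# audit_cvs_pserver CVS_BINARY XINETD_SERVICE_FILE
# Prints one finding per line and returns 0 only if both conditions hold.
audit_cvs_pserver() {
    bin=$1
    svc=$2
    rc=0

    # A setuid cvs binary is reported in the thread to break cvs-over-ssh.
    if [ -u "$bin" ]; then
        echo "FAIL: $bin has the setuid bit set"
        rc=1
    else
        echo "OK: $bin is not setuid"
    fi

    # pserver must start as root to be able to change users and drop privileges.
    user=$(xinetd_user "$svc")
    if [ "$user" = "root" ]; then
        echo "OK: xinetd starts the pserver as root"
    else
        echo "FAIL: xinetd starts the pserver as '${user:-unset}', not root"
        rc=1
    fi

    return $rc
}

# Usage (paths are assumptions; adjust to the local install):
#   audit_cvs_pserver /usr/bin/cvs /etc/xinetd.d/cvspserver
```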
Sorry, it took me some time to comment on this :) I am currently looking for our cvs server admin, so that we can fix this issue for people who want to run a server for sure. I hope to get this solved over the weekend.
I will attach proposed fixes for the ebuild/xinetd file soon. Please review then :)
Created attachment 31856: proposed changes for xinetd config
Created attachment 31857: proposed changes for cvs-1.11.16-r1
The ebuild diff also contains the "doc" USE additions proposed by jmglov. Sorry that I didn't separate them :/
I have tested scandium's proposed changes, and I can get pserver working using the normal methods. Go for it, scandium! :)
committed
You guys rock, as usual. :) Thanks for your attention! --ryan.