I made a patch for rssh that adds support for cvs. Please test.
Created attachment 20500: the patch. A patch that adds cvs support to rssh.
Created attachment 20501: the ebuild diff. Adds a few short lines to the ebuild to enable the patch.
I'm not sure if this is the best approach. The author of rssh states in the FAQ, "The purpose of rssh is to allow system administrators to allow users access to a server via either scp or sftp, or both. This design is simple and clean, and very easy to keep secure." If we add cvs, I can just see someone wanting to add rsync, cpio, tar, rmt, etc. If you do need a set of other commands, perhaps using rbash and pam_chroot (link below) is the way to go. Mike, do you have thoughts on this? http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.2
You're right, this isn't the best possible approach. I think the best approach would be for cvs to support something like this. However, the other solutions I've found were way too messy for my taste: http://www.prima.eu.org/tobez/cvs-howto.html and http://www.idealx.org/prj/idx-chrooted-ssh-cvs/dist/chrooted-ssh-cvs-server.html. I don't want rbash; the whole point is to not allow someone to get shell access, even if it is somewhat restricted in what they can do. There are many things that could go wrong. If someone could scp a file into that directory, and then get the shell to run it, they could do whatever they wanted. (Maybe that would work, maybe it wouldn't, but I still think that using bash is NOT the best solution.) Maybe someone would want rsync. I don't know enough about how rsync works to know if it would work with this method or not (I didn't know much about how cvs worked on the server end until I worked on this). If someone else wants it, someone else can add it. The author didn't want cvs support, but I did, so I added it. Isn't open source great?
The point of rbash is that only commands that you specifically allow can run. This is what you're looking for, and it doesn't require modification to any code. I really don't think that this project is the proper way to implement restricted cvs.
cvs support is now in officially with 2.2.1 ;) Just a future note ... it's better to take such non-standard enhancements upstream and, if they accept it, to come back to us (depending of course on their release cycle) ... Gentoo (as a general rule of thumb) tries to keep such enhancements upstream; that way everyone benefits and not just users of Gentoo ;)
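The alternative to rbash argued for in this thread, a login shell that runs only a fixed set of commands and never hands the request to a shell, can be sketched as below. This is an added illustration, not rssh's code or the attached patch; the `sftp-server` path, the function name `command_allowed` and the accepted argument forms are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed install path (adjust per system). Matched exactly, so an uploaded
 * file that merely shares the name is refused. */
#define SFTP_SERVER "/usr/lib/misc/sftp-server"

/* Return 1 if the string sshd passes to the login shell via -c may run,
 * 0 otherwise. Constructed sketch: only the plain "scp -t|-f <path>" form is
 * accepted, and a real wrapper would execv() an absolute path, never a shell. */
int command_allowed(const char *cmd)
{
    char buf[256];
    char *prog, *arg1, *arg2;

    if (cmd == NULL || strlen(cmd) >= sizeof buf)
        return 0;
    /* Refuse anything a shell would treat specially. */
    if (cmd[strcspn(cmd, ";&|`$<>(){}\\\"'\n\r*?[]~!#")] != '\0')
        return 0;
    strcpy(buf, cmd);

    prog = strtok(buf, " \t");
    if (prog == NULL)
        return 0;
    arg1 = strtok(NULL, " \t");
    arg2 = strtok(NULL, " \t");

    if (strcmp(prog, SFTP_SERVER) == 0)
        return arg1 == NULL;
    if (strcmp(prog, "cvs") == 0)   /* only the server side of :ext: access */
        return arg1 != NULL && strcmp(arg1, "server") == 0 && arg2 == NULL;
    if (strcmp(prog, "scp") == 0)
        return arg1 != NULL && arg2 != NULL &&
               (strcmp(arg1, "-t") == 0 || strcmp(arg1, "-f") == 0);
    return 0;
}

int main(void)
{
    /* Constructed sample requests. */
    const char *samples[] = { "cvs server", "cvs -d /repo checkout mod",
                              "scp -t upload", "/tmp/upload/sftp-server",
                              "cvs server; /bin/sh" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               command_allowed(samples[i]) ? "allow" : "deny");
    return 0;
}
```

Each further command (rsync, tar, and so on) would need its own argument rules in the same way, which is the maintenance cost raised earlier in the thread.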