[clug] exposing a CVS repository to the internet

Martin Pool mbp at samba.org
Tue May 27 12:22:03 EST 2003


On 24 May 2003, James Ring <sjr at jdns.org> wrote:
> Hi all,
> 
> I was wondering, what is the 'accepted' way of exposing a CVS repository 
> to the internet (for read-only access). My CVS repository is stored on a 
> fileserver on my local segment (192.168.0.0/24), and my website is 
> hosted on a DMZ separated by a firewall. This firewall permits no 
> connects from the DMZ to the local network.
> 
> For me, the most convenient way is to allow the web server to mount a 
> NFS on the fileserver through the firewall, but I am concerned that this 
> will be too dangerous if somebody manages to compromise the web
> server.

I think it would be.

I would rsync from the real CVS server to the public server.  Syncing
every say 5 minutes should be quite feasible.

Tridge has some code here to help you chroot the CVS server, which you
can get from here

  http://pserver.samba.org/samba/cvs.html

Make sure the public server runs as an unprivileged uid that is not
able to write to its copy of the repository.

-- 
Martin 

linux.conf.au 2004: Adelaide, Australia         http://lca2004.linux.org.au/



More information about the linux mailing list