0.3.7
- fixed WNOHANG compile bug on Mandrake, SuSE, Debian
and possibly other distributions.
- Started README.FAQ
- Re-Added autocert directory.
It seems to have disappeared in some of the last releases.
This can happen when "make dist" is run on a host
without SSL.
0.3.6
- added script which allows user-based read/write access in every module.
(Module-based access is a feature which cvs doesn't support
"out-of-the-box".)
Please read the README.modules file for further setup information.
0.3.5
- compiler fix for RedHat7.1
0.3.4
- added logic so that you can set, for every repository,
    allowPasswd=true (or false)
  (default = true)
  When set to false, cvsauth:
  - does not resolve "passwd" when found in the password field
    - exits with "I HATE YOU" - access denied
  - if an encrypted password is found:
    - checks if UserName exists on the machine
    - if cvspass == systempass - "I HATE YOU" - access denied
- fixed security related bug.
Even if AllowLocal=false, it was set to true!
0.3.3
- removed debug output when setting up SSL connection
- added patch script
- fixed a segfault in cvs when there is no login found in .cvspass
(updated the patch against cvs-1.10, cvs-1.11 and WinCVS-ssl)
0.3.2
In general it is a convenient/lazy admin release.
- First, there are minor patches by Achim for BSD-like setenv.
Now this works with POSIX putenv, which may be more portable. (Solaris port)
- Second: I moved the setuid operation to the very beginning of
the authentication process. The WriterUID is valid
if the repository exists, not only if the user sends
the correct password. This change made the
"allowLocal" patch safe enough.
- new keys in every repository:
  cvsrootADMIN=name
      You can specify the name of a CVS user. This
      name is exported to the environment as
      CVSROOTADMIN. This is used later in the
      checkAdminRights script to check if
      the person is allowed to commit in CVSROOT
      (make sure to enable/disable emailnotify).
  allowLocal=true (or false)
      Use this if you want cvsauth to
      look in $CVSROOT for a file called:
          cvsauth-userlist.txt
      This file can contain User=name:passwd:access
      key/values like the ones you set up for every repository.
      The benefit of this is that an admin != root
      can add users. The lookup of this file is
      already done under the writerUID of the CVS
      repository; there is no more setuid done.
So, if you are a lazy sysadmin (me) you will do repository setups
like this:
    [kmpg]
    cvsrootADMIN=joe
    WriterUID=kmpg
    AllowLocal=true
    User=joe:abcdef:W
And all other users can be added by "joe". (Who is the only
person who can do CVSROOT commits as well.)
PLEASE: 1. joe must be a person "of trust". Someone who can do CVSROOT
commits can get a shell on your machine rather easily.
2. "joe" should be an SSL-encrypted account, otherwise every
"network sniffer" can become "joe" on your machine.
NOTE: Because cvsauth always installs the secureCVSROOT scripts,
it is not possible for "joe" to grant commit rights
in CVSROOT to other persons.
0.3.1
- changed log level to 3 if env variables are NULL and
are not exported. (The log appeared on pserver without
the security scripts.)
- changed the security scripts; they now use a direct
SMTP connection to a mailserver. (Needs perl, because
this module is written in perl.)
- new variables in cvsauth.conf:
smtpServer=
FromAdress=
They are exported to the environment as:
SMTPSERVER
FROMADRESS
0.2.8
- added VERSION to help text
- enhancements for sserver/sslserver. Now the -l switch
decides that you do SSL. If a normal BEGIN AUTH REQUEST
comes in, we do full SSL server. This makes it compatible
with pure SSL tunnels.
If a BEGIN AUTH SSERVER REQUEST comes in,
we drop SSL after the authentication phase.
0.2.7
- updated the patches to apply against 1.10.8
- rewrote the config file parser to accept empty values;
for example, you can leave adminMail or scriptPath empty.
If you leave things empty which _shouldn't_ be, you may get
into trouble now :-)
- You can debug the parser with
./cvsauth -d 10 -y -c ./cvsauth.conf -a ./auth.txt
on the command line.
0.2.6
- split the huge patch into smaller ones
0.2.5
- new definition for SSL.
You need to start cvsauth with the -l option (for ssL).
cvsauth then starts an SSL negotiation as the first thing,
before expecting a BEGIN AUTH REQUEST.
This makes it compatible with any SSL tunnel you set up,
but has the disadvantage that you cannot have "one port for all".
sserver and sslserver are now on port 2405.
sserver only does the authentication over SSL; sslserver encrypts
everything (slower!).
s2server no longer exists.
0.2.4
- configure.in fixes
- compile fixes
- defines NOIDEA as default. It's not needed and you need
to pay licence fees if you compiled openssl with IDEA.
0.2.3
- code cleanup
- bug fixes in security scripts
0.2.2
- added adminMail. cvsauth sets the environment variable CVS_ADMINMAIL.
An admin is the admin for all repositories; he gets all error
messages (on login failure, etc.). It's useful to set up
a mailing list for this, set adminMail to this mailing list
and subscribe the real CVSAdmin to this list.
- added scriptPath to cvsauth. This sets an environment variable
SCRIPTPATH.
- added preRun to cvsauth. preRun is executed after setuid but
before we start cvs.
cvsauth stops if preRun returns a value != 0.
- added secureCVSROOT script. It checks (and adds it if check fails)
if you have in your CVSROOT/commitinfo in the _first_ line:
^CVSROOT $SCRIPTPATH/checkAdminRights
- added checkAdminRights scripts. This script denies access
to all cvs users and sends an email to adminMail
if a user tries to do a commit in CVSROOT.
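
The first-line check that the secureCVSROOT item above describes, sketched as a shell function. This is an added example, not the script shipped with cvsauth: the function name, return codes and the constructed sample rule are assumptions, and $SCRIPTPATH is kept literal exactly as printed in the entry.

```sh
#!/bin/sh
# Added example: NOT the secureCVSROOT script shipped with cvsauth.
# Guard line quoted from the 0.2.2 entry; "$SCRIPTPATH" is kept literal
# (assumption), hence the single quotes.
GUARD='^CVSROOT $SCRIPTPATH/checkAdminRights'

# secure_commitinfo FILE   (hypothetical helper name)
#   returns 0 = guard already on line 1, 1 = file repaired, 2 = error
# CVS uses the first commitinfo regex that matches, so the guard only
# protects CVSROOT if no other rule can match before it.
secure_commitinfo() {
    file=$1
    [ -n "$file" ] || return 2
    if [ -f "$file" ] && [ "$(head -n 1 "$file")" = "$GUARD" ]; then
        return 0
    fi
    # Build the replacement beside the target so the final mv is atomic.
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    if [ -f "$file" ]; then
        cp -p "$file" "$tmp" || { rm -f "$tmp"; return 2; }  # keep mode
    fi
    {
        printf '%s\n' "$GUARD"
        # Re-emit the old rules, minus stray copies of the guard lower down.
        if [ -f "$file" ]; then
            grep -Fxv -e "$GUARD" "$file" || true
        fi
    } > "$tmp" || { rm -f "$tmp"; return 2; }
    mv -f "$tmp" "$file" || { rm -f "$tmp"; return 2; }
    return 1
}

# Constructed sample: another ^CVSROOT rule sits above the guard, so the
# guard would never be consulted until the file is repaired.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '^CVSROOT /bin/true' "$GUARD" > "$dir/commitinfo"
    rc=0; secure_commitinfo "$dir/commitinfo" || rc=$?
    echo "status=$rc"; cat "$dir/commitinfo"
    rm -rf "$dir"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

A return status of 1 is worth logging or mailing to adminMail, since it means something displaced the guard after the previous run.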
0.2.0
- SSL support in cvsauth. Patch against cvs for two new access methods
(sserver, s2server). Please read the README and INSTALL.
0.1.9
- setting supplementary group access. Useful for links
through your filesystem. setuid/setgid do not do the things
that "su" does.
0.1.8
- unset HOME environment variable after the setuid
(bugfix, if /root is chmod 700)
0.1.7
- if the password in cvsauth.conf is "passwd" it gets the
encrypted password from the system. (Useful for NIS)
- if the writerUID does not exist we only warn. If we
need to cast to it, we abort.
0.1.6
- Many thanks to KOIE Hidetaka for his patch.
This patch improves the way the passwords are created.
It is _really_ very random now.
It fixes a bug where passwords could contain $
and improves the lexer definitions for STRING.
- Many thanks to Miles Lott. You should now build cvsauth with
./configure --prefix=/usr --sysconfdir=/etc
This installs the cvsauth.conf in /etc and the executable in
/usr/sbin
- changed getline to getline_safe
0.1.5
* initial release