I'm fairly pessimistic, so that's how I'm running it. Here's what I did. (Note: I'm still verifying that these instructions work, so caveat emptor.)
# rpm -i cvs*.rpmor by downloading it from cvshome.org.
If you're into security, you should probably build it from source, and apply the patches mentioned in this bug-cvs post.
info cvsand the doc at cvshome.org. If you prefer printed documentation, one of the authors of CVS has a book, "Open Source Development with CVS", which may be of some help.
# useradd cvsuser -s /bin/false # rm /home/cvsuser/.[a-z]* # chown root.cvsuser /home/cvsuser # chmod 750 /home/cvsuser
# cd /home/cvsuser # mkdir jail # chown root.cvsuser jail # chmod 750 jail # cd jail # mkdir bin dev etc lib tmp # cp /usr/bin/cvs bin # cp -a /dev/null dev # cp /etc/localtime etc # cd lib # cp -a /lib/ld-2.1.3.so . # cp -a /lib/libc-2.1.3.so . # cp -a /lib/libcrypt-2.1.3.so . # cp -a /lib/libnsl-2.1.3.so . # cp -a /lib/libnss_files-2.1.3.so . # cp -a /usr/kerberos/lib/libkrb5.so.2 . # cp -a /usr/kerberos/lib/libk5crypto.so.2 . # cp -a /usr/kerberos/lib/libcom_err.so.3 . # ln -s ld-2.1.3.so ld-linux.so.2 # ln -s libc-2.1.3.so libc.so.6 # ln -s libcrypt-2.1.3.so libcrypt.so.1 # ln -s libnsl-2.1.3.so libnsl.so.1 # ln -s libnss_files-2.1.3.so libnss_files.so.2 # cd .. # chown -R root.root bin dev etc lib # chmod -R 111 bin # chmod 1777 tmp # cp /sbin/ldconfig bin # /usr/sbin/chroot /home/cvsuser/jail bin/ldconfig # rm bin/ldconfig
# cd /home/cvsuser/jail # grep cvsuser /etc/passwd > etc/passwd # mkdir -p home/cvsuserMake sure there's no real password in /home/cvsuser/jail/etc/passwd. If there is, replace it with an asterisk.
/usr/sbin/chroot /home/cvsuser/jail bin/cvs --version
# cd /home/cvsuser/jail # mkdir repository # cvs -d /home/cvsuser/jail/repository init
# chown -R cvsuser /home/cvsuser/jail/repository # chmod 700 /home/cvsuser/jail/repository /home/cvsuser/jail/repository/CVSROOT
2401 stream tcp nowait root /usr/bin/cvs-chroot cvs-chrootSuggestion: while you're in there, spend some time on system security. Figure out what each line does, and whether you need it. If you don't, comment it out; the fewer services running, the fewer ways a script kiddie can attack your system.
Then make inetd reread its config file by sending it the HUP signal, e.g.
# killall -HUP inetdOn Red Hat Linux, if inetd is not running, you may need to enable it by using the command 'ntsysv' and checking the box next to inetd.
# cd /home/cvsuser/jail/repository/CVSROOT # cvspasswd dank >> passwdto add a new CVS user 'dank'. (If you call the pseudouser something other than 'cvsuser', you'll need to edit cvspasswd.c or its output.)
$ cvs -d ':pserver:myusername@myserver:/repository' loginwhere 'myusername' is a CVS username created above, and 'myserver' is the IP address or hostname of the CVS server.
If that doesn't work, and you can't figure out why, you can often figure out what's up by running
# strace -f -o trace.out -p `pidof inetd`on the server (where `pidof inetd` is the process id of the running inetd).
$ cd $ mkdir work $ cd work $ cvs checkout CVSROOT $ cd CVSROOT $ vi cvswrappersand add the lines
*.gif -k 'b' *.png -k 'b' *.jpg -k 'b' *.zip -k 'b'then commit your changes:
cvs commitcvswrappers is case-sensitive; if you have both .jpg and .JPG files, you need one entry for each! Also, you will get no feedback on whether this file is correct until you try to view an image or sound file that has been corrupted. So be careful, and do a full dress rehearsal and test of your site with CVS before switching over for real!
# rpm -i cvs*.rpmor by downloading it from cvshome.org.
$ CVSROOT=':pserver:myusername@myserver:/repository' $ export CVSROOT $ cvs loginwhere 'myusername' is the CVS username created above, and 'myserver' is the IP address or hostname of the CVS server.
$ wget -k -m www.frivolity.orgwhere 'www.frivolity.org' is the web site you want to manage with CVS. This will create a directory 'www.frivolity.org' containing the directory hierarchy of the site as it appears to the web browser. It will also convert any internal absolute links to relative links; this is important, as it allows you to test your web site locally, without uploading it.
(Note: wget doesn't retrieve style sheet files, so if your site uses any of those, you'll have to grab them one by one.)
Here's how a Unix commandline user would approach this task. (HTML editors like Dreamweaver often have multifile search and replace tools that can handle this, too.) To find all the files that refer to an external style sheet, use a search like
$ find . -name '*.htm*' -print | xargs grep -l friv.cssThen, in each directory containing one of those files, use a search-and-replace command to replace the absolute path with the appropriate relative path. In a directory one level under where the friv.css file lives, the relative path would be ../friv.css, so a good search-and-replace command would be
$ perl -p -i.bak -e 's,http://www.frivolity.org/friv.css,../friv.css,' *.html(You can also do this after importing your site into CVS, but hey, why not get it right the first time?)
$ rm *.bak
$ find . -print | sed 's/.*\././' | grep -v / | sort -uwill display all the filename suffices in use on your site; make sure you know which are binary, and that all the binary ones are flagged as such to CVS.
$ cd www.frivolity.org $ cvs import -m "Imported sources" frivolity myname startwhere "Imported sources" is a comment describing the change you're making to CVS,
CVS will output one line for each file or directory in the site, plus the message
No conflicts created by this import
$ cd $ mkdir work $ cd work $ cvs checkout frivolityThis should create a directory 'frivolity' containing the files for your site (www.frivolity.org). Each directory will have one extra directory named CVS in it -- don't worry about this. You can ignore it; it's just housekeeping files for CVS.
# cd /home/httpd/html # mkdir frivolity # cvs -d /home/cvsuser/jail/repository checkout frivolity
# cd /etc/cron.hourly # vi frivolity.cronand add the lines
#!/bin/sh cd /home/httpd/html /usr/bin/cvs -d /home/cvsuser/jail/repository updatethen mark that file executable by root alone,
# chmod 700 frivolity.cronand edit root's crontab,
# crontab -eadding the line
*/5 * * * * /etc/cron.hourly/frivolity.cron