Setting up a secure CVS server

xiaoxiao, 2021-03-06

CVS is a well-known version control tool. It is very useful both for individual programmers and for development teams, and it is free. CVS is also powerful, and it is client/server software. The user first sets up a CVS server, imports the projects onto it, and sets access control for the CVS projects. Users then reach the CVS server through a client to get the latest copy of a project's code, commit the code they have modified, and so on; clients can access the CVS server from the Internet, a LAN, or even the local machine.

In fact, many individuals and organizations engaged in software development use this free software to help with their work. However, security is often overlooked when version control is set up, and this creates problems. We all know that software is a special kind of product, and a valuable one. For a software company, the source code is the company's most valuable resource. If it leaks, the company may suffer major losses, and its survival may even be affected. So that employees can work from home or while travelling, many companies put the CVS server on the Internet, and an Internet-facing CVS server is a major route for source code leaks, so security needs to be considered all the more seriously.

This article takes a small to medium-sized software company as an example to show how to set up a secure CVS server on the Internet so that employees in different locations can access it over the Internet.

In this hypothetical example, the software company connects to the Internet over a 10M ADSL line and has a set of fixed IP addresses. To achieve a higher level of security, the company adopts the following strategies and methods step by step:

First layer of protection: a firewall at the gateway

The firewall is installed at the network gateway and divides the network into three zones: DMZ, intranet, and external network. The CVS server and the other externally reachable servers are placed in the DMZ, and the firewall enforces separate security policies for traffic from the intranet and from the external network into the DMZ. It also enforces a dedicated security policy for the CVS server.

Second layer of protection: hardening the operating system of the machine that runs the CVS service

The company uses Red Hat Linux. A default Linux installation lacks rigorous security settings, so the operating system must be hardened to achieve a higher level of security.

Third layer of protection: CVS's own security features

The installation and configuration of the CVS server are explained in detail later in this article.

Fourth layer of protection: staff training and policy

Employees who use CVS receive training that covers how to access the CVS server securely from outside and how to protect their personal CVS accounts. Developers may access the CVS server in the DMZ either from the company intranet or from outside the company, so an access policy is required for both cases, and employees are required to protect their usernames and passwords.

Of the four layers above, this article focuses on the third.

First, the basic installation of CVS:

1. Download the source code

The CVS source package can be found with a search engine or on the official CVS website, cvshome.org. Because CVS has had security vulnerabilities in the past, it is recommended to check the official site regularly for a newer release. The latest version is 1.12.5, released on December 18, 2003. You can try downloading it from the following link:

http://ccvs.cvshome.org/servlets/projectdownloadlist?action=download&dlid=351

2. Compilation and installation

[root@terry src]# tar -xjpvf cvs-1.12.5.tar.bz2
[root@terry src]# cd cvs-1.12.5
[root@terry cvs-1.12.5]# ./configure --prefix=/usr/local/terry_yu/cvs --disable-server-flow-control
[root@terry cvs-1.12.5]# make
[root@terry cvs-1.12.5]# make install

The commands above install CVS into the /usr/local/terry_yu/cvs directory.

Note: In addition to using the source package for installation, you can also use the RPM package to install.

3. Configure the CVS service to start

On Linux, the CVS service can be launched by inetd, xinetd, or tcpwrapper; inetd has been replaced by xinetd for security reasons. Here we use xinetd to start the CVS service.

Create a configuration file for the CVS service in the /etc/xinetd.d directory, for example /etc/xinetd.d/cvspserver, and enter the following:

service cvspserver
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    env         = HOME=
    # Path to the cvs binary; adjust it if cvs was built from source into /usr/local/terry_yu/cvs
    server      = /usr/bin/cvs
    # -f skips ~/.cvsrc; --allow-root restricts pserver to this repository
    server_args = -f --allow-root=/home/cvsroot pserver
}

Note:

1) pserver is the password-authentication access method and the most commonly used one; the others are gserver, kserver, and ext. If you want more security, you can use SSH to encrypt passwords and the data stream, but for the users' convenience pserver is still chosen here.

2) --allow-root specifies the repository directory; multiple repositories can be created.

Then restart xinetd:

[root@terry bin]# /etc/rc.d/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]

After xinetd restarts, the CVS service is running as well.

4. Create the repository on the CVS server

First create a group called cvs and a user named cvsroot; users who are to access the CVS service will join the cvs group:

[root@terry root]# groupadd cvs
[root@terry root]# useradd -g cvs -s /sbin/nologin cvsroot
[root@terry root]# chown -R cvsroot /home/cvsroot

Next, initialize the repository:

[root@terry root]# cvs -d /home/cvsroot init

This creates a CVSROOT directory under /home/cvsroot, which holds configuration files such as config. Then set the permissions:

[root@terry root]# chown -R cvsroot.cvs /home/cvsroot
[root@terry root]# chmod -R ug+rwx /home/cvsroot
[root@terry root]# chmod 644 /home/cvsroot/CVSROOT/config

For the security of the CVS system, modify the /home/cvsroot/CVSROOT/config file: remove the "#" from "#SystemAuth=no" so that the line reads "SystemAuth=no". Then create an account for each developer, one by one. The new users are created without a home directory, because they will only be used as virtual user accounts. The specific commands are as follows:

[root@terry root]# useradd -g cvs -M bogus
[root@terry root]# passwd bogus

The commands above create a user bogus without a home directory. Then copy the system's shadow file into CVSROOT and rename it passwd:

[root@terry root]# cp /etc/shadow /home/cvsroot/CVSROOT/passwd
[root@terry root]# chmod 0644 /home/cvsroot/CVSROOT/passwd

Then edit the passwd file: delete every line except the one for the CVS user bogus that was just created, remove everything after the second colon on each remaining line, and append the string cvsroot, so that the line has the following format:

bogus:ND5$j8n9bw5dkv.npdxfdsh:cvsroot

Then delete the user bogus that was just added to the system:

[root@terry root]# userdel -f bogus
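
The steps above copy the whole shadow file into a 0644 file before trimming it. As an added example (not part of the original article), the hypothetical helper cvs_passwd_entry below reads shadow-format text and emits only the single login:hash:cvsroot line, refusing empty or locked hashes. The sample shadow text and its hashes are constructed.

```shell
#!/bin/sh
# Added example, not from the original article.
# cvs_passwd_entry LOGIN [RUNAS] reads shadow-format text on stdin and prints
# the CVSROOT/passwd line "LOGIN:HASH:RUNAS" (RUNAS defaults to cvsroot).
# Exit status: 0 = printed, 1 = login not found, 2 = hash unusable.
cvs_passwd_entry() {
    login=$1
    runas=${2:-cvsroot}
    awk -F: -v u="$login" -v r="$runas" '
        $1 == u {
            found = 1
            # An empty hash would let CVS accept any password; a hash that
            # starts with ! or * marks a locked or disabled account.
            if ($2 == "" || $2 ~ /^[!*]/) exit 2
            print $1 ":" $2 ":" r
            exit 0
        }
        END { if (!found) exit 1 }
    '
}

# Constructed shadow-format sample; the hashes are placeholders, not real.
SAMPLE_SHADOW='root:$1$CONSTRUCTED$notarealhash0000000:12400:0:99999:7:::
bogus:$1$CONSTRUCTED$placeholderhash0000:12400:0:99999:7:::
locked:!!:12400:0:99999:7:::'

# Prints: bogus:$1$CONSTRUCTED$placeholderhash0000:cvsroot
printf '%s\n' "$SAMPLE_SHADOW" | cvs_passwd_entry bogus
```

On the server, the function would be run as root with /etc/shadow on stdin and its output appended to /home/cvsroot/CVSROOT/passwd, so the other accounts' hashes never leave /etc/shadow.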

That's it: the CVS server is installed, and your CVS users can log in to it only as the users specified in passwd. Note that the method of adding users described in this article suits a small number of users; if there are a large number of developers, it is recommended to use LDAP or a database for user authentication. With these four layers of protection, I believe you can use the CVS service with confidence. This article is only the simplest of introductions, and I hope it serves as a useful reference. For the latest information on CVS, visit the CVS home page, http://www.cvshome.org/, or Pascal Molli's CVS site, http://www.loria.fr/~molli/cvs-index.html
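
To check that a repository really is in the state described above, the following added example (not from the original article) audits the CVSROOT directory for an active SystemAuth=no line and a passwd file that holds only login:hash:runas entries. The function name audit_cvsroot and the sample repository it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# audit_cvsroot REPO prints one finding per line and returns 1 if any exist.
audit_cvsroot() {
    root=$1
    rc=0
    cfg=$root/CVSROOT/config
    pw=$root/CVSROOT/passwd
    # SystemAuth=no must be an active line, not the commented-out default.
    if ! grep -q '^SystemAuth=no[[:space:]]*$' "$cfg" 2>/dev/null; then
        echo "config: SystemAuth=no is not active"
        rc=1
    fi
    if [ ! -f "$pw" ]; then
        echo "passwd: file is missing"
        return 1
    fi
    # Each entry must be login:hash:runas. Extra fields mean an untrimmed
    # shadow line; an empty hash lets CVS accept any password.
    bad=$(awk -F: 'NF != 3 || $1 == "" || $2 == "" || $3 == "" {
        printf "passwd: line %d is not login:hash:runas\n", NR }' "$pw")
    if [ -n "$bad" ]; then
        echo "$bad"
        rc=1
    fi
    # The article sets 0644; group- or world-writable lets others add accounts.
    if [ -n "$(find "$pw" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "passwd: writable by group or others"
        rc=1
    fi
    return $rc
}

# Constructed sample repository so the audit can be tried offline.
demo=$(mktemp -d)
mkdir "$demo/CVSROOT"
echo 'SystemAuth=no' > "$demo/CVSROOT/config"
echo 'bogus:CONSTRUCTEDHASH:cvsroot' > "$demo/CVSROOT/passwd"
chmod 644 "$demo/CVSROOT/passwd"
audit_cvsroot "$demo" && echo "audit clean"
rm -rf "$demo"
```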
