[cvsnt] How to install cvsnt on windows, with sserver support?

Wed Jul 14 11:46:32 BST 2004

Hi all.

I'm trying to set up cvsnt on a win2k box and have been reading a lot on the 
subject lately, but still have a few questions regarding security issues. As 
the server will eventually be accessible over internet, I need to get it 
right.

Currently installed is cvsnt 2.0.47, with the command line client, server 
components + setuid lsa helper, RCS emulation (needed?), SSL (:sserver:) 
protocol + CA certificates, and readme/help files.

To secure myself from remote exploits due to bugs in cvsnt, I've made a new 
user account, 'cvsadmin', for running the service. It belongs to the guest 
group for write access to /temp folders and read access to the cvsnt 
executables, (Should have access to /temp as needed, with a default 
w2k-server setup, or?), and has full access to the repository.

To add a (the first) user, I just create the passwd/admin files with no 
passwd/nt-user in 'passwd'. Will of course have to add a password once 
things get going.

Then to securing the system..

I figure I'll need to create a second account for this, 'cvsuser', with 
restricted access rights. It shouldn't need even read access to 
passwd/admin, so I add deny clauses for both of those in the ntfs acl's. 
Maybe I could even deny all access to the CVSROOT directory, or will that 
stop things from working?

And for this to work, every single user account created has to be on the 
form "<cvslogin>:<password>:cvsuser" ? If i forget about the 
'cvsuser'-account-part, they'll essentially have admin access? (or at least 
be able to read 'passwd'/'admin'?)

As I'm new to both CVS and windows security, in other words don't have a 
clue what I'm doing, this probably isn't the best approach, and may not even 
be working correctly.

Any feedback appreciated,
Tore

_________________________________________________________________
MSN Life Events gives you the tips and tools to handle the turning points in 
your life. http://lifeevents.msn.com