Shal Jain wrote: > > if <system_user> happens to be 'cvs', then all operations work correctly > if <system_user> is another user that belongs to 'cvsgroup', I get errors > regarding setgid/setuid > > The only way I have been able to get rid of the error is by setting the > uid/gid bits on /usr/bin/cvs > i.e. chmod 6755 /usr/bin/cvs. > > I'm not sure if this is the appropriate course of action. There is not reason to run all the users against the repository with their own account, in fact, I would see that as a security hole. From a repository standpoint it doesn't make sense either, cvs already records who made what changes and when. Also, don't give the user cvsuser access to the CVSROOT directory, create a special account cvsadmin for those who you trust with your life! When some one checks a file into the main repository, cvs will execute the commands it finds in files like CVSROOT/commitinfo and CVSROOT/loginfo using. To top it off, anything you add to the file CVSROOT/checkoutlist gets checked out into the CVSROOT directory of the server. With access to the CVSROOT directory, you can simply add the CVSROOT/passwd file to the CVSROOT/checkoutlist, then simply check in a passwd file and add users as you please. Nothing is stopping you from adding other users to run as root! Once they have root and the ability to execute commands, it's all over. All this with CVS and pserver...evil. For maximum security, run a chroot'ed cvs. I don't see any howto's on chroot'ing cvs specifically, but there is one on bind. The idea is the same, you should be able to figure out how to setup cvs to run the same way. http://www.linuxdoc.org/HOWTO/Chroot-BIND-HOWTO.html For general cvs stuff, I recommend the book Open Source Development with CVS. A real time saver. Good luck! -David