CVS patches

patches for CVS

The following patch is to be applied to cvs-1.10.

passwd.patch

This patch moves the passwords for the remote cvs pserver authentication to /etc/cvs.passwd, solving a serious security problem.

The format of the /etc/cvs.passwd file is something like:

# comments on lines that start with a '#'
/egcs/carton/cvsfiles
jeff:N4tKMf9.2NJng
jason:86nX.to0JhzBE
anoncvs:6gYwma3F4X6E.:cvs

/other/repository
user1:OY9BOZ9RA9HjA:jim
anoncvs:lGOipPbCSx5l2

/third/repository/etc
user:DES:optional
etc:etc:etc

When /etc/cvs.passwd exists, CVSROOT/passwd and --allow-root are ignored.

The permissions on /etc/cvs.passwd must be such that only root can read it (let alone write to it), in order to avoid someone using Crack on the DES-encrypted passwords.
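
The following Python audit helper is an added example, not code from the patch or from CVS. It parses the layout shown above and checks the root-only permission requirement. It assumes that a line starting with '/' opens a repository section and that each entry has two or three colon-separated fields; the function names are hypothetical.

```python
import os
import stat

# Constructed sample that follows the layout shown above.
SAMPLE = """\
# comments on lines that start with a '#'
/egcs/carton/cvsfiles
jeff:N4tKMf9.2NJng
anoncvs:6gYwma3F4X6E.:cvs

/other/repository
user1:OY9BOZ9RA9HjA:jim
"""

def parse_cvs_passwd(text):
    """Return {repository: {user: (crypt_hash, optional_third_field)}}."""
    repos, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # assumption: an absolute path opens a section
            current = repos.setdefault(line, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry before any repository path")
        fields = line.split(":")
        if len(fields) not in (2, 3) or not fields[0]:
            raise ValueError(f"line {lineno}: expected user:hash[:optional]")
        current[fields[0]] = (fields[1], fields[2] if len(fields) == 3 else None)
    return repos

def permission_problems(st):
    """List the ways an os.stat_result violates 'only root can read it'."""
    problems = []
    if st.st_uid != 0:
        problems.append("owner is not root")
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group or other permission bits are set")
    return problems

def audit(path="/etc/cvs.passwd"):
    """Parse the file and check its permissions; returns (repos, problems)."""
    with open(path) as fh:
        st = os.fstat(fh.fileno())  # stat the file actually opened
        return parse_cvs_passwd(fh.read()), permission_problems(st)
```

An empty list from permission_problems corresponds to a root-owned file with mode 0600 or 0400.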