[cvsnt] viewvc repecting cvsnt's ACLs

Jürgen Depicker jurgen.depicker at gmail.com
Fri Mar 9 09:21:47 GMT 2007

Hi to all.  This mail arrives late, since I'm using Lotus Notes at work, 
and I don't have a clue about how to confuigure that beast to send 
clear-text mails instead of HTML bulk, and my mails got rejected...

I have to disagree partly with Bo, sorry ;-).
I can password-protect directories by using apache directives:
cat /etc/apache2/sites-available/default
 <Location "/viewcvs/CVSROOT">
                AuthUserFile /etc/apache2/conf.d/.htpasswd
                AuthGroupFile /dev/null
                AuthName EnterPassword
                AuthType Basic
                require user JDE
This works like a charm.  I'm sure I can do this with .htaccess files 
too, for any directory I like.  So it is perfectly possible to do this 
with a script, updating the apache configuration file directly or 
creating .htaccess files per subdirectory.  I guess the per-subdir 
option is the best, since it requires just parsing of the cvsnt acl in 
that subdir and creating the proper .htaccess file.  
As mentioned before, this only works properly if apache authenticates 
against /etc/shadow (using a utility program runing with SUID root) and 
not like I implemented at present (with .htpasswd).

Re rpm: indeed, ubuntu uses debs, and i just have to apt-get install 
cvsnt to get the whole thing to work.  

Am I wrong thinking this is an interesting extension to cvsnt, if we 
would set up such an integrated system, with viewvc respecting acls?  Or 
am I the only one interested in such a thing?  Or was I wrong n 
selecting cvs, and is svn the way to go?  Why did viewvc drop cvs 

Jürgen Depicker


On Wed, 7 Mar 2007 21:53:06 +0100, jurgen.depicker at let.be wrote:

 >Dear all,
 >Is there anyone out there who knows how to solve this problem:
 >I set up security on my ubuntu cvs server using cvsnt's acls.  But of
 >course (or at least: of course to me...) viewvc (or viewcvs) doesn't care
 >about my ACLs.  Anyone any ideas about how to solve this?
 >I read something about an apache module authenticating against
 >/etc/shadow.  But then I would need to set up everywhere .htaccess files
 >based on the fileatr.xml files of cvsnt.  So it must be possible to do
 >this with a script ruinning via a cron job.   But it seems like a big
 >headache.  Maybe one of you knows about a more elegant solution?

ViewCVS (or as it is now named ViewVC) works by reading the RCS
repository files directly on the server. It uses the RCS functions in
CVSNT to do so in order to parse the new stuff that CVSNT has added to
the RCS files and which the GNU RCS tools are unable to parse.

BUT, when doing so it is not acting as any particular user and it does
not go through the CVSNT service with a particular protocol that would
authenticate a user to CVSNT. Therfore the built-in ACL system in
CVSNT is totally bypassed.
I don't know if the ViewVC project works towards fixing this now, but
I doubt it very much since they switched their focus towards
SubVersion about 1.5 years ago.
That is when I stopped following their activities. I am now using
ViewCVS from mid-2005, which works as described above and is OK for
our needs.

BTW is there any special gotchas to install CVSNT into Ubuntu? If I
remember correctly it does not respect rpm packages....


(Bo Berglund, developer in Sweden)
cvsnt mailing list
cvsnt at cvsnt.org

More information about the cvsnt mailing list