How to chroot anoncvs pserver using chroot_safe

Do you run a anoncvs pserver? Have you considered the security implications of doing so? Or maybe even tried to chroot the cvs pserver in a secure manner but not succeeded (or only partially succeeded)? Then this document is for you.

Running an anoncvs pserver requires a number of considerations to properly secure the CVS server. Normally pserver requires root access which should be sufficient for most people to raise a big red flag on security, and indeed as recent advisories have shown for good reason.

To secure a anoncvs pserver there is a number of steps to take

Create a anoncvs user. This user is a "nobody" kind of user and should not own any files.
Create a directory to be used as root for the anoncvs pserver, and move the cvs repository below this.
Create a symbolic link giving ssh or local users as simple path to the cvs repository as anoncvs users will have, preferably the same path.
Create a lock directory. This is the only directory the anoncvs user should have write permission to. This directory needs to be within the anoncvs pserver root directory, and reachable by the same path both from within the chroot and locally.
Configure CVS to use this lock directory
Secure the rest of the CVS repository to only be writeable by the assigned group
Create a minimal etc/passwd file within the cvs pserver root. This should only contain the anoncvs user with / as home directory.
Create CVSROOT/passwd, listing the anoncvs user and optional password

You can download the current version of chroot_safe from the project files archive

If you like this software please consider to donate a reasonable sum to the author to support his work and encourage further development of both chroot_safe and other useful tools.