Permitting anonymous read-only access to your CVS repository

Posted by Steve on Thu 14 Jul 2005 at 14:19


Previously we've described how to run a secure CVS server using OpenSSH, but that didn't allow anonymous users to check out code from the repository in a read-only fashion. Here we'll correct that omission.

The process of setting up a secure CVS server with OpenSSH is ideal for small groups of users who all need to make changes, and the issue of anonymous remote users wasn't discussed.

Updating the server setup to permit anonymous checkouts is very simple though.

If you've got the CVS server up and running then you only need to make a few small additions:

  • Allow the CVS server process to run via inetd/xinetd.
  • Create a new "anonymous" user.
  • Set up the anonymous user so that CVS will regard it as a read-only user.

If you've got the CVS package installed already you should be up and running in no time. If not you'll first need to install it with:

apt-get install cvs

When you install the server you'll be asked where you would like your CVS repository to be located, or given the chance to point it at an existing one. Choose whichever option you need.

Finally you'll be offered the chance to run the "CVS pserver"; answer yes to this question. (If you have previously installed CVS and wish to change your options you may run "dpkg-reconfigure cvs".)

Once you have the CVS server up and running you need to add a new system account with no shell for the anonymous user.

The following command will do that:

useradd -s /bin/false anonymous

The next step is to configure the anonymous user to be a valid user with no password for CVS logins. This involves adding a line to the file passwd beneath your CVSROOT directory.

My CVS repository is located in /home/cvs, so for me the command is:

echo "anonymous:" >> /home/cvs/CVSROOT/passwd

Then to make sure this is only used for read-only access add the anonymous user to the file readers in the same directory:

echo "anonymous" >> /home/cvs/CVSROOT/readers

This should be sufficient to allow the anonymous user to log in and check out code without being able to modify anything.
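To check the result of the two steps above, this added example (not part of the original article) lists every entry in CVSROOT/passwd that has an empty password field and is not restricted to read-only access. The function name and the sample accounts are constructed; the writers file is not mentioned in the article, it is CVS's standard counterpart to readers.

```shell
#!/bin/sh
# Added example: audit a CVSROOT directory for pserver accounts that have
# an empty password and are NOT limited to read-only access.

# passwordless_writers DIR -> prints one offending user name per line
passwordless_writers() {
    dir=$1
    [ -f "$dir/passwd" ] || return 0
    # passwd lines look like  user:crypted-password[:system-user]
    while IFS=: read -r user pw _rest || [ -n "$user" ]; do
        [ -n "$user" ] || continue      # skip blank lines
        [ -z "$pw" ] || continue        # a password is set: not reported here
        # Listed in readers: CVS treats the user as read-only.
        if [ -f "$dir/readers" ] && grep -qxF -e "$user" "$dir/readers"; then
            continue
        fi
        # A writers file exists and the user is absent from it: read-only too.
        if [ -f "$dir/writers" ] && ! grep -qxF -e "$user" "$dir/writers"; then
            continue
        fi
        printf '%s\n' "$user"
    done < "$dir/passwd"
}

# Constructed sample CVSROOT: "guest" has no password and is missing
# from readers, so it is the only account that should be reported.
demo_dir=$(mktemp -d)
printf '%s\n' 'anonymous:' 'guest:' 'alice:CONSTRUCTEDHASH:cvs' > "$demo_dir/passwd"
printf '%s\n' 'anonymous' > "$demo_dir/readers"
echo "Passwordless accounts with write access:"
passwordless_writers "$demo_dir"
rm -rf "$demo_dir"
```

On a real server, call the function with the path to your own CVSROOT directory (/home/cvs/CVSROOT in this article); an empty result means every passwordless account is read-only.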

The syntax for the client would be:

skx@mystery:/tmp$ cvs -d :pserver:anonymous@hostname:/home/cvs login
Logging in to :pserver:anonymous@hostname:2401/home/cvs
CVS password:  [Enter here = blank password]
skx@mystery:/tmp$ cvs -d :pserver:anonymous@hostname:/home/cvs co module

The anonymous client will now be able to keep up to date with the codebase and not be able to modify anything upon the server. Attempting to commit a local change will result in the following error message:

cvs [server aborted]: "commit" requires write access to the repository
cvs commit: saving log message in /tmp/cvsXXX

The code which runs this site is available online, and can now be checked out anonymously if you wish:

cvs -d login
cvs -d co yawns



Re: Permitting anonymous read-only access to your CVS repository
Posted by Anonymous (141.52.xx.xx) on Fri 15 Jul 2005 at 08:12
Actually it's also possible to use anoncvs via ssh. I believe all I did was to ensure I have these entries in the following files:

auth required nullok



where rcvssh is a neat tool that shows a friendly message that interactive login is not allowed, while cvs is. Optionally you can enable sftp. I wasn't able to enable scp. You'll find the sources in my cvs if you google for rccvssh.c



Re: Permitting anonymous read-only access to your CVS repository
Posted by Anonymous (80.100.xx.xx) on Sat 1 Jul 2017 at 15:15

Thanks, I could successfully add an anonymous user. However, I had to make one change. The passwd file must contain


in order to work. Then adding anonymous to the readers file is essential because otherwise everybody could change the archive without even a password. The problem was that without this ``setuid cvs'' anonymous couldn't get a lock.

Groetjes Albert
