CVS Accesslist Patch
by Leonardo Eloy

Last version is milestone-one, 0.3.
Last compatible CVS version are 1.11.6 and 1.12.1.
Last update was 27/06/2003.

Why to Use it?
Project Planning
Compiling and Installing

Contact Info



The CVS Accesslist Patch is a safe way to keep users accessing only the modules you specify.
It has a simple way to work: a person is only able to perform CVS operations if he has a copy of the original module in his machine. Let's say that johnny is trying to checkout the test module. Johnny hasn't access to that module, so he won't be able to checkout it. 
Thus, Johnny-boy won't be able to perform an update, add, log, remove, etc. command, because he hasn't a checked-out copy of the module in his machine. Simple, huh?

In this first version, this patch is only implemented in the checkout command (because it's my actual need :P) but I do intend to keep going with this project and implement a better security system with CVS. In the session Project Planning, I show the feature timeline that I intend to follow...



I did this patch because I needed a better way to distinguish who can access what. The system user/group method is as effective as hard to maintain and to make, so I tried to bypass the problem, reading tons of  articles and how-tos, etc. 

This example will show if you really need this feature in CVS:
You have a group of Visual Basic programmers, which access only Visual Basic source.
You have another group of programmers, Java programmers.
You have a group of analysts who need to access some VB sources and some Java sources.

The following table shows the module distribution in CVS:

Module Description
vb-src Visual Basic Sources
java-src Java Sources
docs Documentation

The users table:

Username Function Modules to Access
jtodd VB Programmer vb-src
hmuller VB and Java Programmer vb-src,java-src
johnnyboy Java Programmer java-src
akewl System Analyst vb-src,java-src
rulrich The docs guy docs
shead System Analyst vb-src,java-src

Our accesslist file would look like this:

# Accesslist file to the development group:
jtodd,hmuller,akewl,shead vb-src
hmuller,johnnyboy,akewl,shead java-src
ALL docs


I designed a set of features that accesslist patch should provide. Register at our e-mail listing so you can be updated with the latest project info.

Release Name Description Planned Features Date Start Date End
milestone-one Initial release - Module locking in checkout operations 03/06/2003 08/06/2003
milestone-two Bug fix release - Bug fixes against milestone-one
- Accesslist now will have a yes/no option in the config file.
- Yes/no option for the modules which aren't listed in the accesslist file to be enabled for checkout or not.
10/06/2003 17/06/2003
new-age-one Enhancement release (RFEs will be attended) - The source code will be in the conforms of HACKING file. 
- Algorithm improvement
- Now users won't be listed in the accesslist file, they will make a group (such as, development, documentation, etc.) and the group will be listed in the file.
- -
new-age-two Bug fix, enhancement release - Bug fixes against new-age-one
- Addition of the ability to attribute read-only checkouts
- Group of modules will be available
- -
new-age-three Bug fix release (some RFEs will be introduced) - Bug fixes against new-age-one and new-age-two
- Full support to user groups and module groups, read-only checkouts
- -
nova-era-one Enhancement release (RFEs will be attended) - Ability to perform operations per-file. E.g.: a file is read-only for that user/group, the other is not, in the same module.    
nova-era-two Bug fix release - Full accesslist patch intended features release
- Next releases will be maintance only.
- -



Downloads here

CVS can be found at


Use these steps to apply the patch correctly (if you have the source code, if not download patched CVS source code):

- Download the last CVS accesslist patch compatible source version (
- Download the last accesslist patch version (see Downloading)

# tar -xzvf cvs-1.11.5.tar.gz
# cd cvs-1.11.5
# patch -p1 < cvs-accesslist-patch-0.2.patch                    (okay, the patch has been applied!)
# ./configure --enable-client --enable-server                   (here you can add your configure options...)
# make
# make install

That's all!


Okay, now let's take a step-by-step lesson on how to configure CVS to test the patch's features...

Our repository will be located at /cvs, so, create it:
# mkdir /cvs

Add an entry to /etc/inetd.conf:
cvspserver stream tcp nowait root /usr/bin/cvs /usr/bin/cvs --allow-root=/cvs pserver

Another entry to /etc/services (if there isn't one):
cvspserver 2401/tcp # cvspserver
cvspserver 2401/udp # cvspserver

Restart inetd:
# ps -ef  | grep inetd
# kill -HUP <pid>

Now, we need to create our CVSROOT:
# cd /cvs
# cvs -d :local:/cvs init

Our cvs root directory has been created. We need to configure some stuff:
- add two example entries in the passwd file.
- modify our config file to disable system users login in CVS

Go to /cvs/CVSROOT and create the passwd file:
# vi passwd

(I do not recommend running CVS server as root)

We need to add an entry to the accessfile:
# cd /cvs/CVSROOT
# vi accessfile

I know it's controversial, but we'll need it so we can checkout the CVSROOT.

Login into the CVS pserver, but before, set your CVSROOT enviroment variable.
# CVSROOT=:pserver:test1@localhost:/cvs
# export CVSROOT
# cd /tmp
# cvs login (enter as password)
# cvs checkout CVSROOT
# vi config
Uncomment the first option:

Let's attribute the permissions:
I want to enable to user test2 the ability to edit CVSROOT, test-o and test-i modules, test1 may only access test-i module.
Remove the line we've added before: ALL CVSROOT
# vi accesslist
test1,test2 test-i
test2 test-o

(NOTE 1: You MUST provide the user list separated by commas and a WHITESPACE after the list, then the module name.)
(NOTE 2: Modules which aren't listed in the accesslist file will be enabled for checkout, in the next release, this feature will be configured in the config file.)

Let's commit our changes:
# cvs update
# cvs commit -m "Initial configuration"

Let's suppose you've imported some files to test-o and test-i modules.
With the accesslist file ok, we can proceed:

(as the user test1):
# CVSROOT=:pserver:test1@localhost:/cvs
# export CVSROOT
# cd /tmp
# cvs checkout test-i
Updating test-i .
(normal CVS checkout operation)
# cvs checkout test-o
cvs server: cannot access module `test-o': Operation not permitted
# cvs checkout CVSROOT
cvs server: cannot access module `CVSROOT': Operation not permitted


Last ChangeLog:

RELEASE -- milestone-one --
0.1: 06/03/2006
leloy -
  - Development started

0.2: 06/04/2006
leloy -
  - Gave up of CVS procedures and made my very own C-like ops...
  - Added a new procedure: accesslist_has_user() which returns 1 if the user has been found in the current buffered line
  - Added support for multiple users in the same module

0.3: 06/06/2006
leloy -
  - Re-generated patch for compatibility with CVS 1.11.6 and 1.12.1



Drop me a line:



Copyright (c) 1993-1994 Brian Berliner
Copyright (c) 1992 Brian Berliner and Jeff Polk
Copyright (c) 1989-1992, Brian Berliner
All Rights Reserved

This homepage:
Copyright (c) 2003 Leonardo Eloy
All Rights Reserved

 I do  support GNU.
GNU's not Unix! 



CVS and CVS Accesslist Patch are ruled by GNU General Public License.

cvs-acceslist is supported by Logo