[chora] a tip about protecting a cvsroot

MagicalTux (FF.ST) MagicalTux at ff.st
Mon Oct 20 05:24:38 PDT 2003


Hello,
I had to protect a CVS root which contains private information.

Since I use the same chora installation for public & private cvs roots, I
wrote a little code. I think it could be useful for people, that's why I
post it here.

(this script must be placed in cvsroots.php)

// Protected cvs roots
$pcvsroots = array();
$pcvsroots['ffweb'] = array(
  'name'     => 'Website',
  'location' => '/var/lib/cvsd/ffweb',
  'title'    => 'CVS Repository',
  'cvsusers' => 'CVSROOT/cvsusers'
);
// do a fake entry for menu display - only mandatory fields
$cvsroots['ffweb'] = array(
  'name'     => 'Website',
  'location' => '/tmp',
  'title'    => 'CVS Repository'
);

// this function will allow us to easily send auth_basic headers
function prv_do_auth() {
  header("WWW-Authenticate: Basic realm=\"Access restricted\"");
  header("HTTP/1.0 401 Unauthorized");
  echo "You failed to provide a valid user-id or password\n";
  exit;
}

if (!isset($_GET["rt"]) || !trim($_GET["rt"])) $_GET["rt"] = "ffweb"; // default CVS root

// code
if (isset($_SERVER["PHP_AUTH_USER"]) and
    isset($pcvsroots[$_GET["rt"]])) { // only for protected cvs roots
  // passwd file (one line per user: user:crypt-hash[:system-user])
  $passfile = $pcvsroots[$_GET["rt"]]['location'] . "/CVSROOT/passwd";
  if (!($fp = fopen($passfile, "r"))) die("Couldn't open pass file");
  $user = array();
  while ($lin = fgets($fp, 4096)) {
    // strip the trailing newline, otherwise the stored hash never matches crypt()
    $lin = explode(":", rtrim($lin, "\r\n"));
    if (count($lin) < 2) continue; // skip blank or malformed lines
    $user[$lin[0]] = $lin[1];
  }
  fclose($fp);
  // check access
  if (!isset($user[$_SERVER["PHP_AUTH_USER"]])) prv_do_auth();
  $c = crypt($_SERVER["PHP_AUTH_PW"], $user[$_SERVER["PHP_AUTH_USER"]]);
  if ($c !== $user[$_SERVER["PHP_AUTH_USER"]]) prv_do_auth();
  unset($c);
  unset($_SERVER["PHP_AUTH_PW"]);
  unset($PHP_AUTH_PW);
  // access ok ! :p
  $cvsroots[$_GET["rt"]] = $pcvsroots[$_GET["rt"]];
} elseif (isset($pcvsroots[$_GET["rt"]])) {
  prv_do_auth();
}

// ***** END OF CODE

I rewrote the code while typing the mail and improved it again ^_^ (and
tested it)

Hope it will help everyone who needs a good web interface with a
password-protected system. (still needs a security audit but I think it's safe :p )
You can also hide a cvs root (do not set up its public info in $cvsroots).
You'll have to add ?rt=cvsroot (replace cvsroot) to the URL to access it.

MagicalTux
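The check above parses CVSROOT/passwd by hand and compares the crypt() result with a plain string comparison. Below is an added example, not part of the original post and not chora's own code, that factors the same idea into three small helpers: a parser for the pserver passwd format (user:crypt-hash[:system-user], with comments, blank lines and trailing newlines handled), a verifier that rejects empty stored hashes and compares in constant time with hash_equals(), and the 401 challenge. The names cvs_parse_passwd, cvs_verify_user and cvs_basic_auth_gate are hypothetical; the sample passwd contents are constructed at run time so the snippet runs anywhere PHP's MD5-crypt ($1$) is available.

```php
<?php
// Added example (not from the original post or from chora).
// Hypothetical helpers for gating a protected cvs root behind HTTP Basic auth.

/**
 * Parse CVSROOT/passwd contents into array(user => crypt-hash).
 * Each line is user:hash[:system-user]. Comment and blank lines are skipped,
 * the trailing newline is removed (keeping it is the bug that makes the
 * crypt() comparison fail), and the optional third field is ignored.
 */
function cvs_parse_passwd(string $contents): array {
    $users = array();
    foreach (preg_split('/\r?\n/', $contents) as $line) {
        $line = rtrim($line);
        if ($line === '' || $line[0] === '#') continue;
        $fields = explode(':', $line, 3);
        if (count($fields) < 2) continue;   // malformed line, ignore it
        $users[$fields[0]] = $fields[1];
    }
    return $users;
}

/**
 * Verify a password against the stored crypt(3) hash.
 * An empty stored hash is rejected explicitly instead of relying on what
 * crypt() does with an empty salt; the comparison is constant-time.
 */
function cvs_verify_user(array $users, string $user, string $password): bool {
    if (!isset($users[$user]) || $users[$user] === '') return false;
    $stored   = $users[$user];
    $computed = crypt($password, $stored);
    return is_string($computed) && hash_equals($stored, $computed);
}

/**
 * Send the Basic auth challenge and stop (same role as prv_do_auth()).
 */
function cvs_basic_auth_gate(): void {
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Access restricted"');
    echo "You failed to provide a valid user-id or password\n";
    exit;
}

// --- constructed sample passwd file: hashes generated at run time ---
$sample = "# users allowed to browse the private root\n"
        . "alice:" . crypt('correct horse', '$1$abcdefgh$') . ":cvsuser\n"
        . "bob:"   . crypt('hunter2',       '$1$ijklmnop$') . "\n"
        . "locked::\n";          // empty hash: must never authenticate

$users = cvs_parse_passwd($sample);

$checks = array(
    'alice/right password' => cvs_verify_user($users, 'alice',  'correct horse'),
    'bob/wrong password'   => cvs_verify_user($users, 'bob',    'wrong'),
    'locked/empty hash'    => cvs_verify_user($users, 'locked', ''),
    'unknown user'         => cvs_verify_user($users, 'nobody', 'x'),
);
foreach ($checks as $label => $ok) {
    printf("%-22s %s\n", $label, $ok ? 'accepted' : 'rejected');
}

// How the gate would sit in cvsroots.php, assuming $pcvsroots as in the post
// and $rt already defaulted the way the post does:
//
// if (isset($pcvsroots[$rt])) {
//     $file  = $pcvsroots[$rt]['location'] . '/CVSROOT/passwd';
//     $users = cvs_parse_passwd((string) file_get_contents($file));
//     if (!isset($_SERVER['PHP_AUTH_USER'])
//         || !cvs_verify_user($users, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? '')) {
//         cvs_basic_auth_gate();
//     }
//     $cvsroots[$rt] = $pcvsroots[$rt];
// }
```

Only the first check is accepted; the other three are rejected. Note that the root name from the query string is used solely as an array key into the configured $pcvsroots, so the passwd path always comes from the configuration and never from the request.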