Legacy Source Control: CVS under xinetd

We have a team that uses legacy source control: cvs. We run cvs pserver under xinetd (config file below).

Audit Flag

A security audit raised a flag: "make sure the cvs server does not run under root".


Can I safely lock down the 'cvs pserver' by replacing "user=root" with "user=cvs"? Any harmful side effects or 'gotchas'?

Note: User "cvs" owns all files in the 'cvs root' directory "/var/cvs/cvs"

I ask because I've searched around through all the decade-old documentation and all examples have 'user=root' and none suggest changing the "user=" parameter to increase security.

Update: I tried it. It worked. No problems.


Example: cvspserver config file

# Begin /etc/xinetd.d/cvspserver

     service cvspserver
     {
          port        = 2401
          socket_type = stream
          protocol    = tcp
          wait        = no
          # account the server process runs as; this is the line the audit flagged
          user        = root
          passenv     = PATH
          server      = /usr/bin/cvs
          server_args = -f --allow-root=/var/cvs/cvs pserver
     }

# End /etc/xinetd.d/cvspserver

1 Answer


You should absolutely follow their advice. It is extremely good advice.

Generally, when doing this, you will need to ensure that the daemon has enough rights to do what it does. In this specific case, that most likely just means the ownership it already has. My suggestion would be to back up your repository and just go ahead and make the change.

The way this works is that xinetd (often running as root) will drop privileges and then execute /usr/bin/cvs with stdin and stdout directed toward the socket which xinetd manages. There really isn't anything to it. CVS is simple enough and shouldn't require any permissions beyond being able to manipulate the files under its root.

Falcon Momot
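
A pre-change check for the switch discussed in this thread, as an added example that is not part of the original question or answer: it lists xinetd services still configured with user root and counts repository entries the target account does not own. The function names, the second sample service and the temporary paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before changing
# "user = root" to an unprivileged account in an xinetd service file.

# Print the name of every service whose "user" attribute is root (or uid 0).
# Arguments: one or more xinetd service files.
xinetd_root_services() {
    awk '
        $1 == "service" { svc = $2 }
        /^[ \t]*user[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")        # keep only the value
            if ($1 == "root" || $1 == "0") print svc
        }
    ' "$@"
}

# Count entries under DIR not owned by USER (name or numeric uid).
# 0 means ownership will not block the server anywhere in the repository
# after xinetd drops privileges to USER.
unowned_count() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Constructed sample input: a stanza like the one in the question plus a
# service that already runs unprivileged. The second service is made up.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/services" <<'EOF'
service cvspserver
{
    port        = 2401
    user        = root
    server      = /usr/bin/cvs
}
service example-unpriv
{
    user        = nobody
    server      = /usr/bin/example
}
EOF
    mkdir -p "$tmp/repo/CVSROOT" && : > "$tmp/repo/CVSROOT/history"
    echo "runs as root: $(xinetd_root_services "$tmp/services")"
    # The current uid stands in for the "cvs" account here.
    echo "not owned by uid $(id -u): $(unowned_count "$tmp/repo" "$(id -u)")"
    rm -rf "$tmp"
}
demo
```

On a real host the calls would be `xinetd_root_services /etc/xinetd.d/*` and `unowned_count /var/cvs/cvs cvs`; a non-zero count points at files to fix before the service is restarted under the new account.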