For all access methods except pserver , CVS relies exclusively on the filesystem to manage permissions. Each user must have a username on the repository server, and must have write access to every directory that contains files they will need to commit.
You can control permissions only at a directory level. If a user will need to commit to any file in a directory, she needs read and write access to the whole directory.
Once, I was working on a project where I had to connect to the repository server through an intermediate proxy server. We kept getting permission errors and eventually tracked it to the intermediary. We all had membership in the col group on the client and repository servers, but not on the intermediary. As files passed through the intermediate server, their group membership information was lost, so they were saved in the repository with no group ownership. We corrected this by setting the repository directories' SGID flags on the repository server.
The history and val-tags files in the repository's CVSROOT directory must be writable to all CVS users. The history file can be removed if none of your users use the cvs history command.
The pserver connection method uses a more complicated permission system than the one other connection methods use. The passwd file in the repository's CVSROOT directory can cause a user to have two effective usernames: one that affects only CVS and another that affects the filesystem. If a user has permission within one but not the other, he may be unable to access his project files. For instance, if his CVS username is in the writers file in the CVSROOT directory, CVS attempts to allow him to write to his project files. If, however, his system username is not allowed to write to the project directories, the operating system denies access and CVS is unable to write to the files.
The readers and writers files in the repository's CVSROOT directory are used to set read-only or read-write permission, based the on CVS username. These files must have a newline character after each username, including the last.