CVS does not require any particular repository permission scheme – it can handle a wide variety of permission arrangements. However, to avoid getting confusing behaviors, you should make sure your repository setup meets at least the following criteria:
As noted in Repository Administration, you can get around this writeability requirement by setting the LockDir parameter in CVSROOT/config, like this:
Of course, then you would need to make sure the directory /usr/local/cvslocks is writeable by all CVS users. Either way, most CVS operations, including read-only ones, are going to require a writeable directory somewhere. By default, that directory is the project's repository; if you're very security conscious, you can change it to be somewhere else.
Unfortunately (and inexplicably), the history file is not born world-writeable when you create a new repository with cvs init. At least with the current version of CVS, you should explicitly change its permissions after you create a new repository (or just remove it, if you want to disable history logging entirely).
(This problem may go away – I just now submitted a patch to the CVS maintainers that makes the history file world-writeable when you initialize a new repository. So perhaps if you get a more recent version of CVS than the one available now (September 1999), it won't be a problem for you.)