Inside the repository there is a CVSROOT directory, which contains CVS configuration information.
Permissions should be restricted so that only a limited number of (trusted!) users can check out this directory. (If a user does not have write permission for the directory, they cannot check it out.)
Not all files in the CVSROOT directory are checked out. Some, like history, remain only on the server.
After you modify the files and commit your changes, the administrative databases are rebuilt with your modifications.
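
One way to check and enforce the permission restriction described above on the server, as an added example that is not part of the original page. The function names are hypothetical, the repository path is supplied by the caller, and the optional trusted group name is an assumption passed as the second argument.

```shell
#!/bin/sh
# Added example: audit and tighten the CVSROOT administrative directory.
# Assumption: "$1" is the repository root on the server (the directory
# that contains CVSROOT). Function names are hypothetical.

# cvsroot_audit REPO
# Returns 0 if REPO/CVSROOT is not writable by "other",
#         1 if it is (any local user could then check it out and commit),
#         2 if REPO/CVSROOT does not exist.
cvsroot_audit() {
    admin_dir="$1/CVSROOT"
    [ -d "$admin_dir" ] || return 2
    # -prune keeps find on the directory itself; -perm -0002 matches
    # the other-write bit regardless of the remaining mode bits.
    if [ -n "$(find "$admin_dir" -prune -perm -0002 -print)" ]; then
        return 1
    fi
    return 0
}

# cvsroot_loose_files REPO
# Prints every entry under REPO/CVSROOT that is writable by "other",
# including server-only files such as history.
cvsroot_loose_files() {
    find "$1/CVSROOT" -perm -0002 -print
}

# cvsroot_restrict REPO [TRUSTED_GROUP]
# Limits the directory to its owner and group. If TRUSTED_GROUP is given
# (assumed to contain only the trusted administrators), the directory is
# handed to that group first.
cvsroot_restrict() {
    admin_dir="$1/CVSROOT"
    [ -d "$admin_dir" ] || return 2
    if [ -n "${2:-}" ]; then
        chgrp "$2" "$admin_dir" || return 1
    fi
    chmod u=rwx,g=rwx,o= "$admin_dir"
}
```

Run the audit before and after `cvsroot_restrict`, and review anything `cvsroot_loose_files` prints, since files inside the directory keep their own modes.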