version 1.13, 2002/08/13 02:12:47
version 1.14, 2002/10/02 21:56:53

 A summary of the steps you'll need to do is:

1) Find enough disk space to hold the anoncvs tree, and mount it in an
   appropriate place.

2) Compile and install anoncvssh, the shell used for the anoncvs user.
   (If you aren't using OpenBSD you'll probably need to compile a sup
   client as well. The easier path is to use OpenBSD ;)

3) Add the anoncvs user to the password file, with no password, and
   anoncvssh as its shell. Decide on a user that will run sup to maintain
   the archive (this is a different user, NOT the anoncvs user).

4) Make a home directory for the anoncvs user. The anoncvs user's
   home directory is a chroot jail in which the anoncvssh processes
   run when servicing anoncvs requests. The jail must contain the
   cvs binary as well as whatever shared libraries and support files
   are needed to run it, unless you compile and link everything
   statically. This example shows what is needed for OpenBSD. If you
   use another platform you'll need to be familiar with what needs
   to go in a chroot jail for your platform.

5) Get permission to use sup to obtain the cvs tree from a server.


**********************************************************************
STEP 1) Find enough disk space.
   You need roughly 1.6GB.
   Mount it on /open.
   If you are not able to mount it as /open, substitute its location
   throughout the rest of this description.

**********************************************************************
STEP 2) Compile the anoncvssh binary.
   In the Makefile, change the variable CVSROOT. In the layout used
   here the repository is /cvs as seen from inside the jail (that is
   /open/anoncvs/cvs on the host), which is also the path clients
   put after the colon in their CVSROOT.
   Install the binary setuid-root in /open/anoncvssh. It needs root
   only to chroot(2) into the jail; it must not keep root once it is
   inside.

**********************************************************************
STEP 3) Create the anoncvs account, and decide who will run "sup"
   to maintain the archive. The anoncvs account should *NOT* be the one
   running sup to maintain the archive.

Create an account similar to:

   anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh

Yes, that is right: the account has no password. Be sure that the
uid and gid are unique for your system; if the ones above aren't,
pick different values. The empty password field is what lets the
world in, so anoncvssh is the only thing between an anonymous client
and your system: nothing else on the host (ftp, pop, cron, etc.) should
accept this account.

Decide who will run sup to maintain the archive. Call that user
$SUPUSER. Oh, and in case it hasn't been previously mentioned,
$SUPUSER should *NOT* be the anoncvs user :)

**********************************************************************
STEP 4) Build the anoncvs user's home directory chroot jail. This
   example assumes that you're using OpenBSD. If you're not you
   may need different files in the chroot.

mkdir /open/anoncvs
mkdir /open/anoncvs/cvs
mkdir /open/anoncvs/sup
chown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs

Start filling the account up with nice stuff. You are building a chroot
jail for anoncvs in /open/anoncvs.

   cd /open/anoncvs
   touch .hushlogin
   touch .profile

Put a message like the following in .plan:
   To use anonymous CVS install the latest version of CVS on your local
   machine.
   Then set your CVSROOT environment variable to the following value:
   anoncvs@anoncvs.openbsd.org:/cvs

   chown root:wheel .hushlogin .profile .plan

   mkdir bin dev tmp usr var etc
   cp /bin/{cat,pwd,rm,sh} bin/

Using mknod, make a dev/null that has the same major/minor numbers as
   your /dev/null, and make it mode 666.

Some shared library systems require a dev/zero created in the same way.

Fill etc space for the account:
   cp /etc/{group,hosts,passwd,protocols} etc/
   cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
   Modify these files to suit your idea of system security. At a
   minimum, strip every account the jail does not need from the
   copies of passwd and group, and never copy master.passwd or
   spwd.db into the jail: those hold the password hashes, while
   pwd.db does not.

anoncvssh (by setting the environment variable CVSREADONLYFS) uses
a tiny extension provided in the OpenBSD cvs server code which
permits the use of read-only cvs repositories. Therefore you MUST
compile the OpenBSD version of cvs. Luckily this is not a problem
on a non-OpenBSD machine, since the cvs sources are imported verbatim
into the OpenBSD tree. They are in gnu/usr.bin/cvs. The sources
are integrated such that Makefile.bsd-wrapper knows how to build
the sources on an OpenBSD machine, using obj directories.

Create tmp space for the account:
   # cd var; ln -s ../tmp tmp
   # chmod a+rwx tmp

   # mkdir usr/{bin,lib}
   # cp /usr/bin/cvs usr/bin/

If your system has ld.so in /usr/libexec,
   # mkdir usr/libexec
   # cp /usr/libexec/ld.so usr/libexec/

If using shared libraries, use ldd to find out which shared libs you need:
   # ldd /usr/bin/cvs
   /usr/bin/cvs:
        -lz.1 => /usr/lib/libz.so.1.4 (0x40097000)

   and then copy the required libraries to usr/lib/

As a final pass, make sure that all the files you have just created are
not world writable (except dev/null and the tmp directory; give tmp the
sticky bit, as the system /tmp has, so users cannot remove each other's
files).

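The jail-building steps above (copying cvs and its libraries into the jail, creating dev/null with the host's device numbers, and the final world-writable check) as one added shell example. This is not code from the anoncvs README or from OpenBSD; the jail path, the helper names and the sample ldd output are assumptions constructed for illustration. The ldd parser accepts both the old OpenBSD "-lz.1 => /path" form shown above and the ELF "libz.so.1 => /path" form.

```shell
#!/bin/sh
# Added example, not part of the anoncvs README: helpers for populating and
# auditing a chroot jail such as /open/anoncvs.  Helper names, the jail path
# and SAMPLE_LDD below are assumptions/constructed for illustration.

# Constructed ldd(1) output in the old OpenBSD style (libc line invented).
SAMPLE_LDD='/usr/bin/cvs:
        -lz.1 => /usr/lib/libz.so.1.4 (0x40097000)
        -lc.29 => /usr/lib/libc.so.29.0 (0x400a8000)'

# Print, one per line, the library paths named in ldd output read from stdin.
# Skips the "binary:" header, takes the path after each "=>", and keeps bare
# loader lines such as "/usr/libexec/ld.so (0x...)".
jail_libs_from_ldd() {
    awk '
        $1 ~ /:$/  { next }
        $1 ~ /^\// { print $1; next }
        { for (i = 1; i < NF; i++) if ($i == "=>" && $(i+1) ~ /^\//) print $(i+1) }
    ' | sort -u
}

demo_libs() {
    printf '%s\n' "$SAMPLE_LDD" | jail_libs_from_ldd
}

# Copy BIN into JAIL at the same relative path, plus every library ldd
# reports for it (hypothetical helper; needs ldd on the host and root).
jail_copy_bin() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd "$bin" | jail_libs_from_ldd | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Create JAIL/dev/null with the host's major/minor numbers, mode 666.
# ls -l prints a device as "MAJ, MIN" in columns 5 and 6 on BSD and GNU.
# Root only; not exercised by the test.
jail_mknod_null() {
    jail=$1
    set -- $(ls -lL /dev/null | awk '{ print $5, $6 }' | tr -d ',')
    mkdir -p "$jail/dev"
    mknod "$jail/dev/null" c "$1" "$2"
    chmod 0666 "$jail/dev/null"
}

# Final pass: list world-writable entries under JAIL other than dev/null,
# dev/zero and the tmp directory.  Returns 1 if anything is listed.
jail_audit_ww() {
    jail=$1
    bad=$(find "$jail" -perm -0002 ! -type l | while read -r f; do
        case "$f" in
            "$jail/dev/null"|"$jail/dev/zero"|"$jail/tmp") ;;
            *) echo "$f" ;;
        esac
    done)
    if [ -n "$bad" ]; then
        echo "$bad"
        return 1
    fi
    return 0
}

# Stand-alone use:  sh thisfile.sh demo   prints the libraries from SAMPLE_LDD.
# Real deployment (as root):  jail_copy_bin /open/anoncvs /usr/bin/cvs
#                             jail_mknod_null /open/anoncvs
#                             jail_audit_ww /open/anoncvs
[ "${1:-}" = "demo" ] && demo_libs
```

jail_audit_ww is the check the "final pass" asks for: run it after every change to the jail, and treat any path it prints as a hole that lets an anonymous client plant files the next anoncvssh process will execute or load.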
For :pserver: support (optional)
   - Create an entry in /etc/services

If you're running OpenBSD, you already have a sup client in
/usr/bin/sup. If not you may need to build it. On an IRIX or other
SYSV machine, ensure that your kernel does not allow a user to chown
a file to another user (you may have heard of this particular brand
of evil referred to as "chown giveaway"). Otherwise sup will give
away the files to root before chmod'ing them readable.
michaels@openbsd.org knows how to fix this.

The file /open/anoncvs/sup/ss contains a line that tells sup where
to get the cvs tree from. It will normally contain:

   cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete

The file /open/anoncvs/sup/cvs/refuse tells sup what files it should not get.
It should contain the following lines:

   cvs/CVSROOT/history