=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/anoncvs.shar,v retrieving revision 1.13 retrieving revision 1.14 diff -c -r1.13 -r1.14 *** www/anoncvs.shar 2002/08/13 02:12:47 1.13 --- www/anoncvs.shar 2002/10/02 21:56:53 1.14 *************** *** 29,52 **** X A summary of the steps you'll need to do is: X X1) Find enough disk space to hold the anoncvs tree, and mount it in an ! Xappropriate place. X X2) Compile and install anoncvssh, the shell used for the anoncvs user. X ( If you aren't using OpenBSD you'll probably need to compile a sup X client as well. The easier path is to use OpenBSD ;) X X3) Add the anoncvs user to the password file, with no password, and ! Xanoncvssh as it's shell. Decide on a user that will run sup to maintain ! Xthe archive (this is a different user, NOT the anoncvs user) X ! X4) Make a home directory for the anoncvs user. The anoncvs user's home ! Xdirectory is a chroot jail in which the anoncvssh processes run when ! Xservicing anoncvs requests. The jail must contain the cvs binary and ! Xrelated programs (rcs, etc) as well as whatever shared libraries and ! Xsupport files are needed to run them unless you compile and link ! Xeverything staticly. This example shows what is needed for OpenBSD. If ! Xyou use another platform you'll need to be familiar with what needs ! Xto go in a chroot jail for your platform. X X5) Get permission to use sup to obtain the cvs tree from a server. X --- 29,52 ---- X A summary of the steps you'll need to do is: X X1) Find enough disk space to hold the anoncvs tree, and mount it in an ! X appropriate place. X X2) Compile and install anoncvssh, the shell used for the anoncvs user. X ( If you aren't using OpenBSD you'll probably need to compile a sup X client as well. The easier path is to use OpenBSD ;) X X3) Add the anoncvs user to the password file, with no password, and ! X anoncvssh as it's shell. Decide on a user that will run sup to maintain ! 
X the archive (this is a different user, NOT the anoncvs user) X ! X4) Make a home directory for the anoncvs user. The anoncvs user's ! X home directory is a chroot jail in which the anoncvssh processes ! X run when servicing anoncvs requests. The jail must contain the ! X cvs binary as well as whatever shared libraries and support files ! X are needed to run them unless you compile and link everything ! X staticly. This example shows what is needed for OpenBSD. If you ! X use another platform you'll need to be familiar with what needs ! X to go in a chroot jail for your platform. X X5) Get permission to use sup to obtain the cvs tree from a server. X *************** *** 61,152 **** X X********************************************************************** XSTEP 1) find enough disk space. ! X you need roughly 1.6GB. ! X mount it on /open ! X if you are not able to mount it as /open, substitute it's location ! X throughout the rest of this description X X********************************************************************** XSTEP 2) compile the anoncvssh binary ! X in the Makefile, change the variable CVSROOT ! X install the binary setuid-root in /open/anoncvssh. X X********************************************************************** XSTEP 3) Create the anoncvs account. and decide who will run "sup" ! Xto maintain the archive. The anoncvs account should *NOT* be the one ! Xrunning sup to maintain the archive. X Xcreate an account similar to: X X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh X ! Xyes, that is right. the account has no password. Be sure that the uid ! Xand gid are unique for your system, if the ones above aren't, pick different ! Xvalues. X ! XDecide on who will run sup to maintain the archive. call that user $SUPUSER. ! XOh, and in case it hasn't been previously mentioned, $SUPUSER should *NOT* ! Xbe the anoncvs user :) X X********************************************************************** ! 
XSTEP 4) Build the anoncvs user's home directory chroot jail. This example ! Xassumes that you're using OpenBSD. If you're not you may need different ! Xfiles in the chroot. X Xmkdir /open/anoncvs Xmkdir /open/anoncvs/cvs Xmkdir /open/anoncvs/sup Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs X ! Xstart filling the account up with nice stuff. You are building a chroot Xjail for anoncvs in /open/anoncvs. X X cd /open/anoncvs X touch .hushlogin X touch .profile X ! Xput a message like the following in .plan: X To use anonymous CVS install the latest version of CVS on your local X machine. X Then set your CVSROOT environment variable to the following value: X anoncvs@anoncvs.openbsd.org:/cvs X ! X chown root.wheel .hushlogin .profile .plan X X mkdir bin dev tmp usr var etc X cp /bin/{cat,pwd,rm,sh} bin/ X ! Xusing mknod, make a dev/null that has the same major/minor numbers as X your /dev/null, and make it mode 666. X ! Xsome shared library systems require a dev/zero created in the same way X ! Xfill etc space for the account X cp /etc/{group,hosts,passwd,protocols} etc/ X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/ X modify these files to suit your idea of system security X ! Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses an ! Xtiny extension provided in the openbsd cvs server code which permits ! Xthe use of read-only cvs repositories. therefore you MUST compile the ! Xopenbsd version of cvs. luckily this is not a problem on a ! Xnon-openbsd machine since the cvs sources are imported verbatim into ! Xthe openbsd tree. they are in gnu/usr.bin/cvs. The sources are ! Xintegrated such that Makefile.bsd-wrapper knows how to build the ! Xsources on an OpenBSD machine, using obj directories. X ! Xcreate tmp space for the account X # cd var; ln -s ../tmp tmp X # chmod a+rwx tmp X X # mkdir usr/{bin,lib} X # cp /usr/bin/cvs usr/bin/ X ! 
Xif your system has ld.so in /usr/libexec, X # mkdir usr/libexec X # cp /usr/libexec/ld.so usr/libexec/ X ! Xif using shared libraries, use ldd to find out which shared libs you need: X # ldd /usr/bin/cvs X /usr/bin/cvs: X -lz.1 => /usr/lib/libz.so.1.4 (0x40097000) --- 61,152 ---- X X********************************************************************** XSTEP 1) find enough disk space. ! X You need roughly 1.6GB. ! X Mount it on /open. ! X If you are not able to mount it as /open, substitute it's location ! X throughout the rest of this description. X X********************************************************************** XSTEP 2) compile the anoncvssh binary ! X In the Makefile, change the variable CVSROOT ! X Install the binary setuid-root in /open/anoncvssh. X X********************************************************************** XSTEP 3) Create the anoncvs account. and decide who will run "sup" ! X to maintain the archive. The anoncvs account should *NOT* be the one ! X running sup to maintain the archive. X Xcreate an account similar to: X X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh X ! XYes, that is right. the account has no password. Be sure that the ! Xuid and gid are unique for your system, if the ones above aren't, ! Xpick different values. X ! XDecide who will run sup to maintain the archive. call that user ! X$SUPUSER. Oh, and in case it hasn't been previously mentioned, ! X$SUPUSER should *NOT* be the anoncvs user :) X X********************************************************************** ! XSTEP 4) Build the anoncvs user's home directory chroot jail. This ! X example assumes that you're using OpenBSD. If you're not you ! X may need different files in the chroot. X Xmkdir /open/anoncvs Xmkdir /open/anoncvs/cvs Xmkdir /open/anoncvs/sup Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs X ! XStart filling the account up with nice stuff. You are building a chroot Xjail for anoncvs in /open/anoncvs. 
X X cd /open/anoncvs X touch .hushlogin X touch .profile X ! XPut a message like the following in .plan: X To use anonymous CVS install the latest version of CVS on your local X machine. X Then set your CVSROOT environment variable to the following value: X anoncvs@anoncvs.openbsd.org:/cvs X ! X chown root:wheel .hushlogin .profile .plan X X mkdir bin dev tmp usr var etc X cp /bin/{cat,pwd,rm,sh} bin/ X ! XUsing mknod, make a dev/null that has the same major/minor numbers as X your /dev/null, and make it mode 666. X ! XSome shared library systems require a dev/zero created in the same way X ! XFill etc space for the account X cp /etc/{group,hosts,passwd,protocols} etc/ X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/ X modify these files to suit your idea of system security X ! Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses ! Xan tiny extension provided in the openbsd cvs server code which ! Xpermits the use of read-only cvs repositories. therefore you MUST ! Xcompile the openbsd version of cvs. luckily this is not a problem ! Xon a non-openbsd machine since the cvs sources are imported verbatim ! Xinto the openbsd tree. they are in gnu/usr.bin/cvs. The sources ! Xare integrated such that Makefile.bsd-wrapper knows how to build ! Xthe sources on an OpenBSD machine, using obj directories. X ! XCreate tmp space for the account X # cd var; ln -s ../tmp tmp X # chmod a+rwx tmp X X # mkdir usr/{bin,lib} X # cp /usr/bin/cvs usr/bin/ X ! XIf your system has ld.so in /usr/libexec, X # mkdir usr/libexec X # cp /usr/libexec/ld.so usr/libexec/ X ! XIf using shared libraries, use ldd to find out which shared libs you need: X # ldd /usr/bin/cvs X /usr/bin/cvs: X -lz.1 => /usr/lib/libz.so.1.4 (0x40097000) *************** *** 161,168 **** X X and then copy the required libraries to usr/lib/ X ! Xas a final pass, make sure that all the files you have just created are ! 
Xnot world writable (except dev/null) X XFor :pserver: support (optional) X - Create an entry in /etc/services --- 161,168 ---- X X and then copy the required libraries to usr/lib/ X ! XAs a final pass, make sure that all the files you have just created are ! Xnot world writable (except dev/null). X XFor :pserver: support (optional) X - Create an entry in /etc/services *************** *** 195,212 **** X XIf you're running OpenBSD, you already have a sup client in X/usr/bin/sup. If not you may need to build it. On an IRIX or other ! XSYSV machine, ensure that your kernel does not allow a user to chown a ! Xfile to another user (You may have heard of this particular brand of ! Xevil referred to as "chown giveaway"). this will cause sup to give ! Xaway the files to root before chmod'ing them ! Xreadable. michaels@openbsd.org knows how to fix this. X ! XThe file /open/sup/ss contains a line that tells sup where to get the ! Xcvs tree from. it will normally contain: X ! X cvs host=anoncvs1.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete X ! XThe file /open/sup/cvs/refuse tells sup what files it should not get. XIt should contain the following lines: X X cvs/CVSROOT/history --- 195,212 ---- X XIf you're running OpenBSD, you already have a sup client in X/usr/bin/sup. If not you may need to build it. On an IRIX or other ! XSYSV machine, ensure that your kernel does not allow a user to chown ! Xa file to another user (You may have heard of this particular brand ! Xof evil referred to as "chown giveaway"). this will cause sup to ! Xgive away the files to root before chmod'ing them readable. ! Xmichaels@openbsd.org knows how to fix this. X ! XThe file /open/anoncvs/sup/ss contains a line that tells sup where ! Xto get the cvs tree from. it will normally contain: X ! X cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete X ! XThe file /open/anoncvs/sup/cvs/refuse tells sup what files it should not get. 
XIt should contain the following lines: X X cvs/CVSROOT/history
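Review bot: in the hunk for lines 29-52, dropping "related programs (rcs, etc)" from the step 4 text leaves "needed to run them" without a plural antecedent now that only "the cvs binary" is listed; change it to "needed to run it" (or "to run cvs"). The same reflow keeps two typos it touches anyway: "anoncvssh as it's shell" in step 3 should be "its shell", and "link everything staticly" in step 4 should be "statically".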
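Review bot: in the hunk for lines 61-152, the "Fill etc space for the account" lines still copy the host's /etc/passwd and /etc/pwd.db into the jail unchanged, so every anonymous session can read the server's full account list, and "modify these files to suit your idea of system security" is too vague to make anyone do otherwise. State explicitly that the jail's etc/passwd should be trimmed to the entries it needs (anoncvs, root) and etc/pwd.db regenerated from that trimmed file before the jail goes live. Smaller points in the same hunk: "substitute it's location" should be "its location", and "uses an tiny extension" should be "uses a tiny extension"; the change from "chown root.wheel" to "chown root:wheel" is correct and should stay.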
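Review bot: in the hunk for lines 161-168, "not world writable (except dev/null)" contradicts the earlier "chmod a+rwx tmp" in STEP 4, which deliberately leaves the jail's tmp world-writable and without the sticky bit. Either list tmp here as a second exception, or change the STEP 4 command to "chmod 1777 tmp" so the sticky bit is set and say so in this final-pass sentence; as written the two steps cannot both be followed.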
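Review bot: in the hunk for lines 195-212, "michaels@openbsd.org knows how to fix this" leaves the chown-giveaway workaround for sup on SYSV systems undocumented; the paragraph should state the fix, or point at where it is written down, rather than at a person. The path corrections to /open/anoncvs/sup/ss and /open/anoncvs/sup/cvs/refuse are right and now match the "mkdir /open/anoncvs/sup" and "chown -R $SUPUSER ... /open/anoncvs/sup" in STEP 4. Style: "this will cause sup to give away" starts a sentence and should be capitalised, as the rest of this pass does elsewhere.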