| version 1.13, 2002/08/13 02:12:47 |
version 1.14, 2002/10/02 21:56:53 |
|
|
| X A summary of the steps you'll need to do is: |
X A summary of the steps you'll need to do is: |
| X |
X |
| X1) Find enough disk space to hold the anoncvs tree, and mount it in an |
X1) Find enough disk space to hold the anoncvs tree, and mount it in an |
| Xappropriate place. |
X appropriate place. |
| X |
X |
| X2) Compile and install anoncvssh, the shell used for the anoncvs user. |
X2) Compile and install anoncvssh, the shell used for the anoncvs user. |
| X ( If you aren't using OpenBSD you'll probably need to compile a sup |
X ( If you aren't using OpenBSD you'll probably need to compile a sup |
| X client as well. The easier path is to use OpenBSD ;) |
X client as well. The easier path is to use OpenBSD ;) |
| X |
X |
| X3) Add the anoncvs user to the password file, with no password, and |
X3) Add the anoncvs user to the password file, with no password, and |
| Xanoncvssh as it's shell. Decide on a user that will run sup to maintain |
X anoncvssh as it's shell. Decide on a user that will run sup to maintain |
| Xthe archive (this is a different user, NOT the anoncvs user) |
X the archive (this is a different user, NOT the anoncvs user) |
| X |
X |
| X4) Make a home directory for the anoncvs user. The anoncvs user's home |
X4) Make a home directory for the anoncvs user. The anoncvs user's |
| Xdirectory is a chroot jail in which the anoncvssh processes run when |
X home directory is a chroot jail in which the anoncvssh processes |
| Xservicing anoncvs requests. The jail must contain the cvs binary and |
X run when servicing anoncvs requests. The jail must contain the |
| Xrelated programs (rcs, etc) as well as whatever shared libraries and |
X cvs binary as well as whatever shared libraries and support files |
| Xsupport files are needed to run them unless you compile and link |
X are needed to run them unless you compile and link everything |
| Xeverything staticly. This example shows what is needed for OpenBSD. If |
X staticly. This example shows what is needed for OpenBSD. If you |
| Xyou use another platform you'll need to be familiar with what needs |
X use another platform you'll need to be familiar with what needs |
| Xto go in a chroot jail for your platform. |
X to go in a chroot jail for your platform. |
| X |
X |
| X5) Get permission to use sup to obtain the cvs tree from a server. |
X5) Get permission to use sup to obtain the cvs tree from a server. |
| X |
X |
|
|
| X |
X |
| X********************************************************************** |
X********************************************************************** |
| XSTEP 1) find enough disk space. |
XSTEP 1) find enough disk space. |
| X you need roughly 1.6GB. |
X You need roughly 1.6GB. |
| X mount it on /open |
X Mount it on /open. |
| X if you are not able to mount it as /open, substitute it's location |
X If you are not able to mount it as /open, substitute it's location |
| X throughout the rest of this description |
X throughout the rest of this description. |
| X |
X |
| X********************************************************************** |
X********************************************************************** |
| XSTEP 2) compile the anoncvssh binary |
XSTEP 2) compile the anoncvssh binary |
| X in the Makefile, change the variable CVSROOT |
X In the Makefile, change the variable CVSROOT |
| X install the binary setuid-root in /open/anoncvssh. |
X Install the binary setuid-root in /open/anoncvssh. |
| X |
X |
| X********************************************************************** |
X********************************************************************** |
| XSTEP 3) Create the anoncvs account. and decide who will run "sup" |
XSTEP 3) Create the anoncvs account. and decide who will run "sup" |
| Xto maintain the archive. The anoncvs account should *NOT* be the one |
X to maintain the archive. The anoncvs account should *NOT* be the one |
| Xrunning sup to maintain the archive. |
X running sup to maintain the archive. |
| X |
X |
| Xcreate an account similar to: |
Xcreate an account similar to: |
| X |
X |
| X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh |
X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh |
| X |
X |
| Xyes, that is right. the account has no password. Be sure that the uid |
XYes, that is right. the account has no password. Be sure that the |
| Xand gid are unique for your system, if the ones above aren't, pick different |
Xuid and gid are unique for your system, if the ones above aren't, |
| Xvalues. |
Xpick different values. |
| X |
X |
| XDecide on who will run sup to maintain the archive. call that user $SUPUSER. |
XDecide who will run sup to maintain the archive. call that user |
| XOh, and in case it hasn't been previously mentioned, $SUPUSER should *NOT* |
X$SUPUSER. Oh, and in case it hasn't been previously mentioned, |
| Xbe the anoncvs user :) |
X$SUPUSER should *NOT* be the anoncvs user :) |
| X |
X |
| X********************************************************************** |
X********************************************************************** |
| XSTEP 4) Build the anoncvs user's home directory chroot jail. This example |
XSTEP 4) Build the anoncvs user's home directory chroot jail. This |
| Xassumes that you're using OpenBSD. If you're not you may need different |
X example assumes that you're using OpenBSD. If you're not you |
| Xfiles in the chroot. |
X may need different files in the chroot. |
| X |
X |
| Xmkdir /open/anoncvs |
Xmkdir /open/anoncvs |
| Xmkdir /open/anoncvs/cvs |
Xmkdir /open/anoncvs/cvs |
| Xmkdir /open/anoncvs/sup |
Xmkdir /open/anoncvs/sup |
| Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs |
Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs |
| X |
X |
| Xstart filling the account up with nice stuff. You are building a chroot |
XStart filling the account up with nice stuff. You are building a chroot |
| Xjail for anoncvs in /open/anoncvs. |
Xjail for anoncvs in /open/anoncvs. |
| X |
X |
| X cd /open/anoncvs |
X cd /open/anoncvs |
| X touch .hushlogin |
X touch .hushlogin |
| X touch .profile |
X touch .profile |
| X |
X |
| Xput a message like the following in .plan: |
XPut a message like the following in .plan: |
| X To use anonymous CVS install the latest version of CVS on your local |
X To use anonymous CVS install the latest version of CVS on your local |
| X machine. |
X machine. |
| X Then set your CVSROOT environment variable to the following value: |
X Then set your CVSROOT environment variable to the following value: |
| X anoncvs@anoncvs.openbsd.org:/cvs |
X anoncvs@anoncvs.openbsd.org:/cvs |
| X |
X |
| X chown root.wheel .hushlogin .profile .plan |
X chown root:wheel .hushlogin .profile .plan |
| X |
X |
| X mkdir bin dev tmp usr var etc |
X mkdir bin dev tmp usr var etc |
| X cp /bin/{cat,pwd,rm,sh} bin/ |
X cp /bin/{cat,pwd,rm,sh} bin/ |
| X |
X |
| Xusing mknod, make a dev/null that has the same major/minor numbers as |
XUsing mknod, make a dev/null that has the same major/minor numbers as |
| X your /dev/null, and make it mode 666. |
X your /dev/null, and make it mode 666. |
| X |
X |
| Xsome shared library systems require a dev/zero created in the same way |
XSome shared library systems require a dev/zero created in the same way |
| X |
X |
| Xfill etc space for the account |
XFill etc space for the account |
| X cp /etc/{group,hosts,passwd,protocols} etc/ |
X cp /etc/{group,hosts,passwd,protocols} etc/ |
| X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/ |
X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/ |
| X modify these files to suit your idea of system security |
X modify these files to suit your idea of system security |
| X |
X |
| Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses an |
Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses |
| Xtiny extension provided in the openbsd cvs server code which permits |
Xan tiny extension provided in the openbsd cvs server code which |
| Xthe use of read-only cvs repositories. therefore you MUST compile the |
Xpermits the use of read-only cvs repositories. therefore you MUST |
| Xopenbsd version of cvs. luckily this is not a problem on a |
Xcompile the openbsd version of cvs. luckily this is not a problem |
| Xnon-openbsd machine since the cvs sources are imported verbatim into |
Xon a non-openbsd machine since the cvs sources are imported verbatim |
| Xthe openbsd tree. they are in gnu/usr.bin/cvs. The sources are |
Xinto the openbsd tree. they are in gnu/usr.bin/cvs. The sources |
| Xintegrated such that Makefile.bsd-wrapper knows how to build the |
Xare integrated such that Makefile.bsd-wrapper knows how to build |
| Xsources on an OpenBSD machine, using obj directories. |
Xthe sources on an OpenBSD machine, using obj directories. |
| X |
X |
| Xcreate tmp space for the account |
XCreate tmp space for the account |
| X # cd var; ln -s ../tmp tmp |
X # cd var; ln -s ../tmp tmp |
| X # chmod a+rwx tmp |
X # chmod a+rwx tmp |
| X |
X |
| X # mkdir usr/{bin,lib} |
X # mkdir usr/{bin,lib} |
| X # cp /usr/bin/cvs usr/bin/ |
X # cp /usr/bin/cvs usr/bin/ |
| X |
X |
| Xif your system has ld.so in /usr/libexec, |
XIf your system has ld.so in /usr/libexec, |
| X # mkdir usr/libexec |
X # mkdir usr/libexec |
| X # cp /usr/libexec/ld.so usr/libexec/ |
X # cp /usr/libexec/ld.so usr/libexec/ |
| X |
X |
| Xif using shared libraries, use ldd to find out which shared libs you need: |
XIf using shared libraries, use ldd to find out which shared libs you need: |
| X # ldd /usr/bin/cvs |
X # ldd /usr/bin/cvs |
| X /usr/bin/cvs: |
X /usr/bin/cvs: |
| X -lz.1 => /usr/lib/libz.so.1.4 (0x40097000) |
X -lz.1 => /usr/lib/libz.so.1.4 (0x40097000) |
|
|
| X |
X |
| X and then copy the required libraries to usr/lib/ |
X and then copy the required libraries to usr/lib/ |
| X |
X |
| Xas a final pass, make sure that all the files you have just created are |
XAs a final pass, make sure that all the files you have just created are |
| Xnot world writable (except dev/null) |
Xnot world writable (except dev/null). |
| X |
X |
| XFor :pserver: support (optional) |
XFor :pserver: support (optional) |
| X - Create an entry in /etc/services |
X - Create an entry in /etc/services |
|
|
| X |
X |
| XIf you're running OpenBSD, you already have a sup client in |
XIf you're running OpenBSD, you already have a sup client in |
| X/usr/bin/sup. If not you may need to build it. On an IRIX or other |
X/usr/bin/sup. If not you may need to build it. On an IRIX or other |
| XSYSV machine, ensure that your kernel does not allow a user to chown a |
XSYSV machine, ensure that your kernel does not allow a user to chown |
| Xfile to another user (You may have heard of this particular brand of |
Xa file to another user (You may have heard of this particular brand |
| Xevil referred to as "chown giveaway"). this will cause sup to give |
Xof evil referred to as "chown giveaway"). this will cause sup to |
| Xaway the files to root before chmod'ing them |
Xgive away the files to root before chmod'ing them readable. |
| Xreadable. michaels@openbsd.org knows how to fix this. |
Xmichaels@openbsd.org knows how to fix this. |
| X |
X |
| XThe file /open/sup/ss contains a line that tells sup where to get the |
XThe file /open/anoncvs/sup/ss contains a line that tells sup where |
| Xcvs tree from. it will normally contain: |
Xto get the cvs tree from. it will normally contain: |
| X |
X |
| X cvs host=anoncvs1.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete |
X cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete |
| X |
X |
| XThe file /open/sup/cvs/refuse tells sup what files it should not get. |
XThe file /open/anoncvs/sup/cvs/refuse tells sup what files it should not get. |
| XIt should contain the following lines: |
XIt should contain the following lines: |
| X |
X |
| X cvs/CVSROOT/history |
X cvs/CVSROOT/history |
![[BACK]](/icons/back.gif){kind=icon}
Return to anoncvs.shar CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www