version 1.15, 2003/06/17 23:06:36 |
version 1.16, 2003/07/30 20:27:32 |
|
|
echo x - README |
echo x - README |
sed 's/^X//' >README << 'END-of-README' |
sed 's/^X//' >README << 'END-of-README' |
X |
X |
X So, you want to run an anoncvs server. |
X So, you want to run an anoncvs server. |
X |
X |
X A summary of the steps you'll need to do is: |
X A summary of the steps you'll need to do is: |
X |
X |
X1) Find enough disk space to hold the anoncvs tree, and mount it in an |
X1) Find enough disk space to hold the anoncvs tree, and mount it in an |
X appropriate place. |
X appropriate place. |
X |
X |
X2) Compile and install anoncvssh, the shell used for the anoncvs user. |
X2) Compile and install anoncvssh, the shell used for the anoncvs user. |
X ( If you aren't using OpenBSD you'll probably need to compile a sup |
X ( If you aren't using OpenBSD you'll probably need to compile a sup |
X client as well. The easier path is to use OpenBSD ;) |
X client as well. The easier path is to use OpenBSD ;). |
X |
X |
X3) Add the anoncvs user to the password file, with no password, and |
X3) Add the anoncvs user to the password file, with no password, and |
X anoncvssh as it's shell. Decide on a user that will run sup to maintain |
X anoncvssh as it's shell. Decide on a user that will run sup to maintain |
X the archive (this is a different user, NOT the anoncvs user) |
X the archive (this is a different user, NOT the anoncvs user). |
X |
X |
X4) Make a home directory for the anoncvs user. The anoncvs user's |
X4) Make a home directory for the anoncvs user. The anoncvs user's |
X home directory is a chroot jail in which the anoncvssh processes |
X home directory is a chroot jail in which the anoncvssh processes |
X run when servicing anoncvs requests. The jail must contain the |
X run when servicing anoncvs requests. The jail must contain the |
X cvs binary as well as whatever shared libraries and support files |
X cvs binary as well as whatever shared libraries and support files |
X are needed to run them unless you compile and link everything |
X are needed to run them unless you compile and link everything |
X staticly. This example shows what is needed for OpenBSD. If you |
X statically. This example shows what is needed for OpenBSD. If you |
X use another platform you'll need to be familiar with what needs |
X use another platform you'll need to be familiar with what needs |
X to go in a chroot jail for your platform. |
X to go in a chroot jail for your platform. |
X |
X |
X5) Get permission to use sup to obtain the cvs tree from a server. |
X5) Get permission to use sup to obtain the cvs tree from a server. |
X |
X |
X6) Set up sup to retrieve the cvs tree from an appropriate place. |
X6) Set up sup to retrieve the cvs tree from an appropriate place. |
X (If you aren't using OpenBSD you will need to compile and install |
X (If you aren't using OpenBSD you will need to compile and install |
X a sup client). |
X a sup client). |
X |
X |
X7) Run sup to retrieve the distribution from the server |
X7) Run sup to retrieve the distribution from the server. |
X |
X |
X8) Once you get the distribution in, set up a cron job to run sup |
X8) Once you get the distribution in, set up a cron job to run sup |
X periodically to keep your server up to date. |
X periodically to keep your server up to date. |
X |
X |
X********************************************************************** |
X********************************************************************** |
XSTEP 1) find enough disk space. |
XSTEP 1) find enough disk space. |
X You need roughly 1.6GB. |
X You need roughly 2GB. |
X Mount it on /open. |
X Mount it on /open. |
X If you are not able to mount it as /open, substitute it's location |
X If you are not able to mount it as /open, substitute it's location |
X throughout the rest of this description. |
X throughout the rest of this description. |
X |
X |
X********************************************************************** |
X********************************************************************** |
XSTEP 2) compile the anoncvssh binary |
XSTEP 2) compile the anoncvssh binary. |
X In the Makefile, change the variable CVSROOT |
X In the Makefile, change the variable CVSROOT. |
X Install the binary setuid-root in /open/anoncvssh. |
X Install the binary setuid-root in /open/anoncvssh. |
X |
X |
X********************************************************************** |
X********************************************************************** |
XSTEP 3) Create the anoncvs account. and decide who will run "sup" |
XSTEP 3) Create the anoncvs account and decide who will run "sup" |
X to maintain the archive. The anoncvs account should *NOT* be the one |
X to maintain the archive. The anoncvs account should *NOT* be the one |
X running sup to maintain the archive. |
X running sup to maintain the archive. |
X |
X |
|
|
X |
X |
X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh |
X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh |
X |
X |
XYes, that is right. the account has no password. Be sure that the |
XYes, that is right - the account has no password. Be sure that the |
Xuid and gid are unique for your system, if the ones above aren't, |
Xuid and gid are unique for your system, if the ones above aren't, |
Xpick different values. |
Xpick different values. |
X |
X |
XDecide who will run sup to maintain the archive. call that user |
XDecide who will run sup to maintain the archive. Call that user |
X$SUPUSER. Oh, and in case it hasn't been previously mentioned, |
X$SUPUSER. Oh, and in case it hasn't been previously mentioned, |
X$SUPUSER should *NOT* be the anoncvs user :) |
X$SUPUSER should *NOT* be the anoncvs user :). |
X |
X |
|
XSet "PermitEmptyPasswords yes" option in /etc/ssh/sshd_config and |
|
Xrestart your sshd daemon. |
|
X |
X********************************************************************** |
X********************************************************************** |
XSTEP 4) Build the anoncvs user's home directory chroot jail. This |
XSTEP 4) Build the anoncvs user's home directory chroot jail. This |
X example assumes that you're using OpenBSD. If you're not you |
X example assumes that you're using OpenBSD. If you're not you |
|
|
X touch .profile |
X touch .profile |
X |
X |
XPut a message like the following in .plan: |
XPut a message like the following in .plan: |
X To use anonymous CVS install the latest version of CVS on your local |
X To use anonymous CVS install the latest version of CVS on your local |
X machine. |
X machine. |
X Then set your CVSROOT environment variable to the following value: |
X Then set your CVSROOT environment variable to the following value: |
X anoncvs@anoncvs.openbsd.org:/cvs |
X anoncvs@anoncvs.openbsd.org:/cvs |
|
|
XUsing mknod, make a dev/null that has the same major/minor numbers as |
XUsing mknod, make a dev/null that has the same major/minor numbers as |
X your /dev/null, and make it mode 666. |
X your /dev/null, and make it mode 666. |
X |
X |
XSome shared library systems require a dev/zero created in the same way |
XSome shared library systems require a dev/zero created in the same way. |
X |
X |
XFill etc space for the account |
XFill etc space for the account |
X cp /etc/{group,hosts,passwd,protocols} etc/ |
X cp /etc/{group,hosts,passwd,protocols} etc/ |
|
|
X modify these files to suit your idea of system security |
X modify these files to suit your idea of system security |
X |
X |
Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses |
Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses |
Xan tiny extension provided in the openbsd cvs server code which |
Xa tiny extension provided in the openbsd cvs server code which |
Xpermits the use of read-only cvs repositories. therefore you MUST |
Xpermits the use of read-only cvs repositories, therefore you MUST |
Xcompile the openbsd version of cvs. luckily this is not a problem |
Xcompile the openbsd version of cvs. Luckily this is not a problem |
Xon a non-openbsd machine since the cvs sources are imported verbatim |
Xon a non-openbsd machine, since the cvs sources are imported verbatim |
Xinto the openbsd tree. they are in gnu/usr.bin/cvs. The sources |
Xinto the openbsd tree. They are in gnu/usr.bin/cvs. The sources |
Xare integrated such that Makefile.bsd-wrapper knows how to build |
Xare integrated in such way that Makefile.bsd-wrapper knows how to build |
Xthe sources on an OpenBSD machine, using obj directories. |
Xthe sources on an OpenBSD machine, using obj directories. |
X |
X |
XCreate tmp space for the account |
XCreate tmp space for the account |
X # cd var; ln -s ../tmp tmp |
X # (cd var && ln -s ../tmp tmp) |
X # chmod a+rwx tmp |
X # chmod a+rwx tmp |
X |
X |
X # mkdir usr/{bin,lib} |
X # mkdir usr/{bin,lib} |
|
|
X |
X |
XIf using shared libraries, use ldd to find out which shared libs you need: |
XIf using shared libraries, use ldd to find out which shared libs you need: |
X # ldd /usr/bin/cvs |
X # ldd /usr/bin/cvs |
X /usr/bin/cvs: |
X /usr/bin/cvs: |
X -lz.1 => /usr/lib/libz.so.1.4 (0x40097000) |
X Start End Type Ref Name |
X -lgssapi.1 => /usr/lib/libgssapi.so.1.0 (0x400a4000) |
X 00000000 00000000 exe 1 /usr/bin/cvs |
X -lkrb.10 => /usr/lib/libkrb.so.10.0 (0x400ae000) |
X 0015f000 20165000 rlib 1 /usr/lib/libz.so.2.0 |
X -lkrb5.4 => /usr/lib/libkrb5.so.4.0 (0x400c8000) |
X 0016d000 20172000 rlib 1 /usr/lib/libgssapi.so.2.0 |
X -lasn1.2 => /usr/lib/libasn1.so.2.0 (0x400ff000) |
X 0017f000 2018d000 rlib 1 /usr/lib/libkrb5.so.5.2 |
X -lcrypto.6 => /usr/lib/libcrypto.so.6.0 (0x4011d000) |
X 00141000 20145000 rlib 1 /usr/lib/libasn1.so.3.1 |
X -ldes.7 => /usr/lib/libdes.so.7.0 (0x40203000) |
X 00089000 200ba000 rlib 1 /usr/lib/libcrypto.so.10.0 |
X -lkafs.10 => /usr/lib/libkafs.so.10.0 (0x4020d000) |
X 00177000 2017c000 rlib 1 /usr/lib/libdes.so.8.0 |
X -lc.28 => /usr/lib/libc.so.28.5 (0x40210000) |
X 00169000 2016d000 rlib 1 /usr/lib/libcom_err.so.1.0 |
|
X 00009000 20053000 rlib 1 /usr/lib/libc.so.30.0 |
|
X 00002000 00002000 rtld 1 /usr/libexec/ld.so |
X |
X |
X and then copy the required libraries to usr/lib/ |
X and then copy the required libraries to usr/lib/ |
X |
X |
|
|
X |
X |
XFor :pserver: support (optional) |
XFor :pserver: support (optional) |
X - Create an entry in /etc/services |
X - Create an entry in /etc/services |
X cvspserver 2401/tcp # CVS client/server operations |
X cvspserver 2401/tcp # CVS client/server operations |
X - Create an entry in /etc/inetd.conf |
X - Create an entry in /etc/inetd.conf |
X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver |
X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver |
X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry |
X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry |
X anoncvs:AHDysQkJIubEc |
X anoncvs:AHDysQkJIubEc |
X which would be a password of "anoncvs" (as per anoncvs.html) |
X which would be a password of "anoncvs" (as per anoncvs.html) |
X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry: |
X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry: |
X anoncvs |
X anoncvs |
X which tells cvs that user "anoncvs" is allowed readonly access. |
X which tells cvs that user "anoncvs" is allowed readonly access. |
X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't |
X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't |
X want anyone to be able to write to the mirror. |
X want anyone to be able to write to the mirror. |
X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers |
X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers |
X |
X |
XSee the example layout below for full details. |
XSee the example layout below for full details. |
X |
X |
X********************************************************************** |
X********************************************************************** |
XSTEP 5): Get sup permission. |
XSTEP 5): Get sup permission. |
Xsend mail to sup@openbsd.org |
Xsend mail to sup@openbsd.org |
X1) to have sup permissions granted on an appropriate machine for you |
X1) to have sup permissions granted on an appropriate machine for you |
X to sup from. We will need to know your host's real hostname and |
X to sup from. We will need to know your host's real hostname and |
X IP address. |
X IP address. |
X2) to have an anoncvsN.COUNTRY.openbsd.org alias created |
X2) to have an anoncvsN.COUNTRY.openbsd.org alias created. |
X3) to have your site mentioned in the http://www.openbsd.org page. |
X3) to have your site mentioned in the http://www.openbsd.org page. |
X |
X |
X********************************************************************** |
X********************************************************************** |
XSTEP 6): Configure sup |
XSTEP 6): Configure sup. |
X |
X |
XIf you're running OpenBSD, you already have a sup client in |
XIf you're running OpenBSD, you already have a sup client in |
X/usr/bin/sup. If not you may need to build it. On an IRIX or other |
X/usr/bin/sup. If not you may need to build it. On an IRIX or other |
XSYSV machine, ensure that your kernel does not allow a user to chown |
XSYSV machine, ensure that your kernel does not allow a user to chown |
Xa file to another user (You may have heard of this particular brand |
Xa file to another user (you may have heard of this particular brand |
Xof evil referred to as "chown giveaway"). this will cause sup to |
Xof evil referred to as "chown giveaway"). This will cause sup to |
Xgive away the files to root before chmod'ing them readable. |
Xgive away the files to root before chmod'ing them readable. |
Xmichaels@openbsd.org knows how to fix this. |
Xmichaels@openbsd.org knows how to fix this. |
X |
X |
XThe file /open/anoncvs/sup/ss contains a line that tells sup where |
XThe file /open/anoncvs/sup/ss contains a line that tells sup where |
Xto get the cvs tree from. it will normally contain: |
Xto get the cvs tree from. It will normally contain: |
X |
X |
X cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete |
X cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete |
X |
X |
|
|
X cvs/CVSROOT/writers |
X cvs/CVSROOT/writers |
X cvs/CVSROOT/passwd |
X cvs/CVSROOT/passwd |
X |
X |
Xif you ever fetch the file cvs/CVSROOT/history, delete it. it will |
XIf you ever fetch the file cvs/CVSROOT/history, delete it. It will |
Xcause you problems. |
Xcause you problems. |
X |
X |
X********************************************************************** |
X********************************************************************** |
XSTEP 7): Run sup to retrieve the tree for the first time |
XSTEP 7): Run sup to retrieve the tree for the first time. |
X |
X |
XLog in as or become the $SUPUSER, and run |
XLog in as or become the $SUPUSER, and run |
X |
X |
Xsup -v /open/anoncvs/sup/ss > /tmp/suplog &; tail -f /tmp/suplog |
Xsup -v /open/anoncvs/sup/ss > /tmp/suplog &; tail -f /tmp/suplog |
X |
X |
|
|
Xhostbase in /open/anoncvs/sup/ss you should see a list of files start |
Xhostbase in /open/anoncvs/sup/ss you should see a list of files start |
Xcoming in after a short while. Don't panic if nothing happens |
Xcoming in after a short while. Don't panic if nothing happens |
Ximmediately. Watch for errors (sup can timeout or die). If you can't |
Ximmediately. Watch for errors (sup can timeout or die). If you can't |
Xaccess files contact the sup server maintainer, If you get a timeout |
Xaccess files contact the sup server maintainer. If you get a timeout |
Xor if sup dies you can restart and it should continue where it left off. |
Xor if sup dies you can restart and it should continue where it left off. |
X |
X |
XIt can take a good while (and a couple of restarts) to obtain the |
XIt can take a good while (and a couple of restarts) to obtain the |
|
|
XExample layout for OpenBSD. In this example "deraadt" is the $SUPUSER. |
XExample layout for OpenBSD. In this example "deraadt" is the $SUPUSER. |
X |
X |
X[eap open 5 ]> cd /open |
X[eap open 5 ]> cd /open |
X[eap open 6 ]> ls -alF |
X[eap open 6 ]> ls -alF |
Xtotal 46 |
Xtotal 46 |
Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./ |
Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./ |
Xdrwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../ |
Xdrwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../ |
|
|
X |
X |
XIf you're not that familiar with your other platform (i.e. you haven't |
XIf you're not that familiar with your other platform (i.e. you haven't |
Xbuilt a chroot jail for a server on it) you may be better off |
Xbuilt a chroot jail for a server on it) you may be better off |
Xfinding an OpenBSD machine to use. (and duplicating the example above) |
Xfinding an OpenBSD machine to use and duplicating the example above. |
X |
X |
X**SunOS 5) |
X**SunOS 5) |
XBob Beck <Bob.Beck@ualberta.ca> has done this. E-mail for |
XBob Beck <Bob.Beck@ualberta.ca> has done this. E-mail for |
|
|
X us, ntohs(my_sa.sin_port)); |
X us, ntohs(my_sa.sin_port)); |
X#endif /* USE_SYSLOG */ |
X#endif /* USE_SYSLOG */ |
X execle("/usr/bin/cvs", "cvs", |
X execle("/usr/bin/cvs", "cvs", |
X __CONCAT("--allow-root=",LOCALROOT), "pserver", NULL, env); |
X __CONCAT("--allow-root=",LOCALROOT), "pserver", (char *)NULL, env); |
X perror("execle: cvs"); |
X perror("execle: cvs"); |
X fprintf(stderr, "unable to exec CVS pserver!\n"); |
X fprintf(stderr, "unable to exec CVS pserver!\n"); |
X exit(1); |
X exit(1); |
|
|
X sleep(10); |
X sleep(10); |
X exit(0); |
X exit(0); |
X } |
X } |
X execle("/usr/bin/cvs", "cvs", "server", NULL, env); |
X execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env); |
X perror("execle: cvs"); |
X perror("execle: cvs"); |
X fprintf(stderr, "unable to exec CVS server!\n"); |
X fprintf(stderr, "unable to exec CVS server!\n"); |
X exit(1); |
X exit(1); |