=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/anoncvs.shar,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- www/anoncvs.shar 2002/08/13 02:12:47 1.13 +++ www/anoncvs.shar 2002/10/02 21:56:53 1.14 
@@ -29,24 +29,24 @@ X A summary of the steps you'll need to do is: X X1) Find enough disk space to hold the anoncvs tree, and mount it in an -Xappropriate place. +X appropriate place. X X2) Compile and install anoncvssh, the shell used for the anoncvs user. X ( If you aren't using OpenBSD you'll probably need to compile a sup X client as well. The easier path is to use OpenBSD ;) X X3) Add the anoncvs user to the password file, with no password, and -Xanoncvssh as it's shell. Decide on a user that will run sup to maintain -Xthe archive (this is a different user, NOT the anoncvs user) +X anoncvssh as it's shell. Decide on a user that will run sup to maintain +X the archive (this is a different user, NOT the anoncvs user) X -X4) Make a home directory for the anoncvs user. The anoncvs user's home -Xdirectory is a chroot jail in which the anoncvssh processes run when -Xservicing anoncvs requests. The jail must contain the cvs binary and -Xrelated programs (rcs, etc) as well as whatever shared libraries and -Xsupport files are needed to run them unless you compile and link -Xeverything staticly. This example shows what is needed for OpenBSD. If -Xyou use another platform you'll need to be familiar with what needs -Xto go in a chroot jail for your platform. +X4) Make a home directory for the anoncvs user. The anoncvs user's +X home directory is a chroot jail in which the anoncvssh processes +X run when servicing anoncvs requests. The jail must contain the +X cvs binary as well as whatever shared libraries and support files +X are needed to run them unless you compile and link everything +X staticly. This example shows what is needed for OpenBSD. If you +X use another platform you'll need to be familiar with what needs +X to go in a chroot jail for your platform. X X5) Get permission to use sup to obtain the cvs tree from a server. X 
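Review bot: In the rewrapped step 4, "needed to run them" has lost its plural antecedent now that "and related programs (rcs, etc)" is dropped, so it should read "needed to run it" (the cvs binary is the only program the later steps copy into the jail, so dropping rcs is consistent, but it is a content change rather than a reflow and belongs in the commit message). While these lines are being rewrapped, "anoncvssh as it's shell" in step 3 should be "its shell" and "staticly" in step 4 should be "statically".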
@@ -61,92 +61,92 @@ X X********************************************************************** XSTEP 1) find enough disk space. -X you need roughly 1.6GB. -X mount it on /open -X if you are not able to mount it as /open, substitute it's location -X throughout the rest of this description +X You need roughly 1.6GB. +X Mount it on /open. +X If you are not able to mount it as /open, substitute it's location +X throughout the rest of this description. X X********************************************************************** XSTEP 2) compile the anoncvssh binary -X in the Makefile, change the variable CVSROOT -X install the binary setuid-root in /open/anoncvssh. +X In the Makefile, change the variable CVSROOT +X Install the binary setuid-root in /open/anoncvssh. X X********************************************************************** XSTEP 3) Create the anoncvs account. and decide who will run "sup" -Xto maintain the archive. The anoncvs account should *NOT* be the one -Xrunning sup to maintain the archive. +X to maintain the archive. The anoncvs account should *NOT* be the one +X running sup to maintain the archive. X Xcreate an account similar to: X X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh X -Xyes, that is right. the account has no password. Be sure that the uid -Xand gid are unique for your system, if the ones above aren't, pick different -Xvalues. +XYes, that is right. the account has no password. Be sure that the +Xuid and gid are unique for your system, if the ones above aren't, +Xpick different values. X -XDecide on who will run sup to maintain the archive. call that user $SUPUSER. -XOh, and in case it hasn't been previously mentioned, $SUPUSER should *NOT* -Xbe the anoncvs user :) +XDecide who will run sup to maintain the archive. call that user +X$SUPUSER. 
Oh, and in case it hasn't been previously mentioned, +X$SUPUSER should *NOT* be the anoncvs user :) X X********************************************************************** -XSTEP 4) Build the anoncvs user's home directory chroot jail. This example -Xassumes that you're using OpenBSD. If you're not you may need different -Xfiles in the chroot. +XSTEP 4) Build the anoncvs user's home directory chroot jail. This +X example assumes that you're using OpenBSD. If you're not you +X may need different files in the chroot. X Xmkdir /open/anoncvs Xmkdir /open/anoncvs/cvs Xmkdir /open/anoncvs/sup Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs X -Xstart filling the account up with nice stuff. You are building a chroot +XStart filling the account up with nice stuff. You are building a chroot Xjail for anoncvs in /open/anoncvs. X X cd /open/anoncvs X touch .hushlogin X touch .profile X -Xput a message like the following in .plan: +XPut a message like the following in .plan: X To use anonymous CVS install the latest version of CVS on your local X machine. X Then set your CVSROOT environment variable to the following value: X anoncvs@anoncvs.openbsd.org:/cvs X -X chown root.wheel .hushlogin .profile .plan +X chown root:wheel .hushlogin .profile .plan X X mkdir bin dev tmp usr var etc X cp /bin/{cat,pwd,rm,sh} bin/ X -Xusing mknod, make a dev/null that has the same major/minor numbers as +XUsing mknod, make a dev/null that has the same major/minor numbers as X your /dev/null, and make it mode 666. 
X -Xsome shared library systems require a dev/zero created in the same way +XSome shared library systems require a dev/zero created in the same way X -Xfill etc space for the account +XFill etc space for the account X cp /etc/{group,hosts,passwd,protocols} etc/ X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/ X modify these files to suit your idea of system security X -Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses an -Xtiny extension provided in the openbsd cvs server code which permits -Xthe use of read-only cvs repositories. therefore you MUST compile the -Xopenbsd version of cvs. luckily this is not a problem on a -Xnon-openbsd machine since the cvs sources are imported verbatim into -Xthe openbsd tree. they are in gnu/usr.bin/cvs. The sources are -Xintegrated such that Makefile.bsd-wrapper knows how to build the -Xsources on an OpenBSD machine, using obj directories. +Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses +Xan tiny extension provided in the openbsd cvs server code which +Xpermits the use of read-only cvs repositories. therefore you MUST +Xcompile the openbsd version of cvs. luckily this is not a problem +Xon a non-openbsd machine since the cvs sources are imported verbatim +Xinto the openbsd tree. they are in gnu/usr.bin/cvs. The sources +Xare integrated such that Makefile.bsd-wrapper knows how to build +Xthe sources on an OpenBSD machine, using obj directories. 
X -Xcreate tmp space for the account +XCreate tmp space for the account X # cd var; ln -s ../tmp tmp X # chmod a+rwx tmp X X # mkdir usr/{bin,lib} X # cp /usr/bin/cvs usr/bin/ X -Xif your system has ld.so in /usr/libexec, +XIf your system has ld.so in /usr/libexec, X # mkdir usr/libexec X # cp /usr/libexec/ld.so usr/libexec/ X -Xif using shared libraries, use ldd to find out which shared libs you need: +XIf using shared libraries, use ldd to find out which shared libs you need: X # ldd /usr/bin/cvs X /usr/bin/cvs: X -lz.1 => /usr/lib/libz.so.1.4 (0x40097000) @@ -161,8 +161,8 @@ X X and then copy the required libraries to usr/lib/ X -Xas a final pass, make sure that all the files you have just created are -Xnot world writable (except dev/null) +XAs a final pass, make sure that all the files you have just created are +Xnot world writable (except dev/null). X XFor :pserver: support (optional) X - Create an entry in /etc/services 
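Review bot: "uses an tiny extension" in the anoncvssh paragraph survives the rewrap unchanged; it should be "uses a tiny extension". In the same hunk, "substitute it's location" should be "its location", and "the account has no password" and "call that user $SUPUSER" should start with a capital now that the surrounding sentences have been capitalised. The "chown root.wheel" to "chown root:wheel" change is the one non-whitespace edit here and is correct (the colon is the POSIX separator; the dot form is only a compatibility spelling that breaks for user names containing a dot), but it should be mentioned in the log message rather than hidden in a reflow commit.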
@@ -195,18 +195,18 @@ X XIf you're running OpenBSD, you already have a sup client in X/usr/bin/sup. If not you may need to build it. On an IRIX or other -XSYSV machine, ensure that your kernel does not allow a user to chown a -Xfile to another user (You may have heard of this particular brand of -Xevil referred to as "chown giveaway"). this will cause sup to give -Xaway the files to root before chmod'ing them -Xreadable. michaels@openbsd.org knows how to fix this. +XSYSV machine, ensure that your kernel does not allow a user to chown +Xa file to another user (You may have heard of this particular brand +Xof evil referred to as "chown giveaway"). this will cause sup to +Xgive away the files to root before chmod'ing them readable. +Xmichaels@openbsd.org knows how to fix this. X -XThe file /open/sup/ss contains a line that tells sup where to get the -Xcvs tree from. it will normally contain: +XThe file /open/anoncvs/sup/ss contains a line that tells sup where +Xto get the cvs tree from. it will normally contain: X -X cvs host=anoncvs1.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete +X cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete X -XThe file /open/sup/cvs/refuse tells sup what files it should not get. +XThe file /open/anoncvs/sup/cvs/refuse tells sup what files it should not get. XIt should contain the following lines: X X cvs/CVSROOT/history
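Review bot: Changing the sup host from anoncvs1.ca.openbsd.org to anoncvs.ca.openbsd.org in the "ss" line alters which server the mirror pulls the repository from, which is a behavioural change and not a reflow; it needs to be stated in the commit message. The path corrections from /open/sup/ss and /open/sup/cvs/refuse to /open/anoncvs/sup/... are right and match the "mkdir /open/anoncvs/sup" in step 4 (a supfile under /open/sup would never have been read). Two smaller points in the rewrapped chown-giveaway paragraph: "this will cause sup" after the parenthesis should start with a capital, and "michaels@openbsd.org knows how to fix this" is a stale personal reference that should be replaced with the actual fix or a pointer to it.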