Annotation of www/anoncvs.shar, Revision 1.1
1.1 ! deraadt 1: # This is a shell archive. Save it in a file, remove anything before
! 2: # this line, and then unpack it by entering "sh file". Note, it may
! 3: # create directories; files and directories will be owned by you and
! 4: # have default permissions.
! 5: #
! 6: # This archive contains:
! 7: #
! 8: # README
! 9: # Makefile
! 10: # anoncvssh.c
! 11: #
! 12: echo x - README
! 13: sed 's/^X//' >README << 'END-of-README'
! 14: Xfind enough disk space.
! 15: X you need roughly 300MB.
! 16: X mount it on /open
! 17: X if you are not able to mount it as /open, substitute its location
! 18: X throughout this description
! 19: X
! 20: Xcompile the anoncvssh binary
! 21: X in the Makefile, change the variable CVSROOT
! 22: X the anoncvssh binary is installed setuid-root; it uses root only to chroot into the account's home directory.
! 23: X
! 24: Xcreate an account:
! 25: X anoncvs:*:32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
! 26: X
! 27: Xinstall a crontab entry which runs as any user besides anoncvs (i.e. run
! 28: Xit as yourself, or as root). call that user $SUPUSER
! 29: X 0 5,9,13,17,21,1 * * * /usr/local/bin/sup -v /open/sup/ss
! 30: X
! 31: Xthe file /open/sup/ss contains
! 32: X cvs host=cvs.openbsd.org hostbase=/ base=/open/anoncvs delete
! 33: X
! 34: Xmkdir /open/
! 35: Xmkdir /open/anoncvs
! 36: Xmkdir /open/anoncvs/cvs
! 37: Xmkdir /open/sup
! 38: Xchown -R $SUPUSER /open/anoncvs/cvs /open/sup
! 39: X
! 40: Xstart filling the account up with nice stuff
! 41: X cd /open/anoncvs
! 42: X touch .hushlogin
! 43: X touch .profile
! 44: X
! 45: Xput a message like the following in .plan:
! 46: X To use anonymous CVS install the latest version of CVS on your local machine.
! 47: X Then set your CVSROOT environment variable to the following value:
! 48: X anoncvs@anoncvs.openbsd.org:/cvs
! 49: X
! 50: X chown root.wheel .hushlogin .profile .plan
! 51: X
! 52: X mkdir bin dev tmp usr var etc
! 53: X cp /bin/{cat,pwd,rm,sh} bin/
! 54: X
! 55: Xusing mknod, make a dev/null that has the same major/minor numbers as
! 56: X your /dev/null, and make it mode 666.
! 57: X
! 58: Xsome shared library systems require a dev/zero created in the same way
! 59: X
! 60: Xfill etc space for the account
! 61: X cp /etc/{group,hosts,passwd,protocols} etc/
! 62: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
! 63: X modify these files to suit your idea of system security
! 64: X
! 65: Xanoncvssh (by setting an extra environment variable) uses an extension
! 66: Xprovided in the openbsd cvs server code. therefore you want to compile
! 67: Xthe openbsd version. luckily this is not a problem on a non-openbsd
! 68: Xmachine since the cvs sources are imported verbatim into the openbsd
! 69: Xtree. they are in gnu/usr.bin/cvs. (explanation: the extension allows
! 70: Xa way to have read-only cvs repositories)
! 71: X
! 72: Xcreate tmp space for the account
! 73: X cd var; ln -s ../tmp tmp
! 74: X chmod a+rwx tmp
! 75: X
! 76: X mkdir usr/{bin,lib}
! 77: X cp /usr/bin/{ci,co,cvs,diff,diff3,gzip,rcs,rcsclean} usr/bin/
! 78: X cp /usr/bin/{rcsdiff,rcsfreeze,rcsmerge,rlog,sdiff,zdiff} usr/bin/
! 79: X
! 80: Xif your system has ld.so in /usr/libexec,
! 81: X mkdir usr/libexec
! 82: X cp /usr/libexec/ld.so usr/libexec/
! 83: X
! 84: Xif using shared libraries, copy the shared libs you might need:
! 85: X cp /usr/lib/lib*.so.* usr/lib/
! 86: X
! 87: Xas a final pass, make sure that all the files you have just created are
! 88: Xnot world writable (except dev/null, dev/zero if present, and tmp)
! 89: X
! 90: Xsend mail to deraadt@openbsd.org to have sup permissions granted.
! 91: END-of-README
! 92: echo x - Makefile
! 93: sed 's/^X//' >Makefile << 'END-of-Makefile'
! 94: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
! 95: XPROG= anoncvssh
! 96: XBINOWN= root
! 97: XBINMODE=4111
! 98: XBINDIR=/open
! 99: XNOMAN=
! 100: X
! 101: X.include <bsd.prog.mk>
! 102: X
! 103: END-of-Makefile
! 104: echo x - anoncvssh.c
! 105: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
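/*
 * anoncvssh - restricted login shell for the anonymous CVS account.
 *
 * Installed setuid-root so that it can chroot(2) into the invoking
 * user's home directory.  It then gives up root permanently and, only
 * when invoked exactly as "anoncvssh -c 'cvs server'", execs the CVS
 * server with a fixed environment.  Any other invocation prints usage
 * instructions and exits.
 *
 * CVSROOT below is only the string shown in the usage message; the
 * server itself is always pointed at /cvs inside the chroot.  Override
 * the displayed value at build time with -DCVSROOT='"..."'.
 */

#ifndef CVSROOT
#define CVSROOT "anoncvs@anoncvs1.usa.openbsd.org:/cvs"
#endif

#include <sys/types.h>

#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
	/*
	 * Environment handed to the CVS server.  It is built from scratch
	 * instead of being inherited: this program is setuid, so whatever
	 * the caller put in the environment is untrusted.  A static table
	 * also means CVSREADONLYFS (the variable the README describes as
	 * enabling read-only repositories) cannot be silently lost to a
	 * failed putenv() call.  PATH covers the bin/ and usr/bin/
	 * directories the README populates inside the chroot.
	 */
	static char *const cvs_env[] = {
		"PATH=/bin:/usr/bin",
		"SHELL=/bin/sh",
		"CVSROOT=/cvs",
		"HOME=/",
		"CVSREADONLYFS=",
		NULL
	};
	struct passwd *pw;
	uid_t uid = getuid();

	pw = getpwuid(uid);
	if (pw == NULL) {
		fprintf(stderr, "no user for uid %d\n", (int)uid);
		exit(1);
	}
	if (pw->pw_dir == NULL) {
		fprintf(stderr, "no directory\n");
		exit(1);
	}

	/* chroot(2) requires root; take it only for the next two calls. */
	if (seteuid(0) == -1) {
		perror("seteuid");
		exit(1);
	}
	if (chroot(pw->pw_dir) == -1) {
		perror("chroot");
		exit (1);
	}
	/*
	 * A chroot without a successful chdir leaves the working directory
	 * outside the new root, so a failure here must be fatal.
	 */
	if (chdir("/") == -1) {
		perror("chdir");
		exit(1);
	}

	/*
	 * Drop root for good.  setuid() while the effective uid is 0 resets
	 * the real, effective and saved uids together; seteuid(getuid())
	 * would leave the saved uid at 0.  If the drop fails we must not go
	 * on to exec anything.
	 */
	if (setuid(uid) == -1) {
		perror("setuid");
		exit(1);
	}
	/* Confirm root cannot be regained (meaningless if root ran us). */
	if (uid != 0 && seteuid(0) != -1) {
		fprintf(stderr, "unable to drop privileges\n");
		exit(1);
	}

	/*
	 * From here on: confined to the chroot, running as the invoking
	 * user, with no way back to root.
	 */

	if (argc != 3 ||
	    strcmp("anoncvssh", argv[0]) != 0 ||
	    strcmp("-c", argv[1]) != 0 ||
	    strcmp("cvs server", argv[2]) != 0) {

		fprintf(stderr, "\nTo use anonymous CVS install the latest ");
		fprintf(stderr,"version of CVS on your local machine.\n");
		fprintf(stderr,"Then set your CVSROOT environment variable ");
		fprintf(stderr,"to the following value:\n");
		fprintf(stderr,"\t%s\n\n", CVSROOT);
		sleep(10);
		exit(0);
	}

	/*
	 * The only programs reachable inside the chroot are the ones the
	 * administrator copied there, so exposing /bin/sh as SHELL is
	 * acceptable.  The variadic argument list needs a typed null
	 * pointer as its terminator.
	 */
	execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, cvs_env);
	perror("execl: cvs");
	fprintf(stderr, "unable to exec CVS server!\n");
	exit(1);
}
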
! 175: X
! 176: END-of-anoncvssh.c
! 177: exit
! 178: