Annotation of www/anoncvs.shar, Revision 1.11
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
1.6 deraadt 8: # Makefile
1.1 deraadt 9: # README
10: # anoncvssh.c
11: #
1.6 deraadt 12: echo x - Makefile
13: sed 's/^X//' >Makefile << 'END-of-Makefile'
#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
# NOTE(review): nothing visible in this Makefile passes CVSROOT to the
# compiler; anoncvssh.c builds CVSROOT from HOSTNAME and LOCALROOT unless
# -DCVSROOT=... is supplied -- confirm how the README's "change the
# variable CVSROOT" step is meant to take effect.
PROG= anoncvssh
BINOWN= root
# 4111 = setuid root, execute-only for everyone (no read bit).  Root is
# needed only so anoncvssh can chroot(2) into the anoncvs home directory;
# it drops back to the invoking uid before running cvs.
BINMODE=4111
BINDIR=/open
NOMAN=

.include <bsd.prog.mk>

23: END-of-Makefile
1.1 deraadt 24: echo x - README
25: sed 's/^X//' >README << 'END-of-README'
26: X
1.7 beck 27: X So, you want to run an anoncvs server.
28: X
29: X A summary of the steps you'll need to do is:
30: X
31: X1) Find enough disk space to hold the anoncvs tree, and mount it in an
32: Xappropriate place.
33: X
34: X2) Compile and install anoncvssh, the shell used for the anoncvs user.
35: X ( If you aren't using OpenBSD you'll probably need to compile a sup
36: X client as well. The easier path is to use OpenBSD ;)
37: X
38: X3) Add the anoncvs user to the password file, with no password, and
39: Xanoncvssh as its shell. Decide on a user that will run sup to maintain
40: Xthe archive (this is a different user, NOT the anoncvs user)
41: X
42: X4) Make a home directory for the anoncvs user. The anoncvs user's home
43: Xdirectory is a chroot jail in which the anoncvssh processes run when
44: Xservicing anoncvs requests. The jail must contain the cvs binary and
45: Xrelated programs (rcs, etc) as well as whatever shared libraries and
46: Xsupport files are needed to run them unless you compile and link
47: Xeverything statically. This example shows what is needed for OpenBSD. If
48: Xyou use another platform you'll need to be familiar with what needs
49: Xto go in a chroot jail for your platform.
50: X
51: X5) Get permission to use sup to obtain the cvs tree from a server.
1.1 deraadt 52: X
1.7 beck 53: X6) Set up sup to retrieve the cvs tree from an appropriate place.
54: X (If you aren't using OpenBSD you will need to compile and install
55: X a sup client).
1.6 deraadt 56: X
1.7 beck 57: X7) Run sup to retrieve the distribution from the server
1.3 deraadt 58: X
1.7 beck 59: X8) Once you get the distribution in, set up a cron job to run sup
60: X periodically to keep your server up to date.
1.6 deraadt 61: X
1.7 beck 62: X**********************************************************************
63: XSTEP 1) find enough disk space.
1.10 beck 64: X you need roughly 750MB.
1.7 beck 65: X mount it on /open
66: X if you are not able to mount it as /open, substitute its location
67: X throughout the rest of this description
1.6 deraadt 68: X
1.7 beck 69: X**********************************************************************
70: XSTEP 2) compile the anoncvssh binary
71: X in the Makefile, change the variable CVSROOT
72: X install the binary setuid-root in /open/anoncvssh.
1.1 deraadt 73: X
1.7 beck 74: X**********************************************************************
75: XSTEP 3) Create the anoncvs account, and decide who will run "sup"
76: Xto maintain the archive. The anoncvs account should *NOT* be the one
77: Xrunning sup to maintain the archive.
1.1 deraadt 78: X
1.9 beck 79: XCreate an account similar to:
80: X
1.7 beck 81: X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
1.4 deraadt 82: X
1.9 beck 83: XYes, that is right: the account has no password. Be sure that the uid
84: Xand gid are unique for your system, if the ones above aren't, pick different
85: Xvalues.
86: X
87: XDecide on who will run sup to maintain the archive. Call that user $SUPUSER.
1.7 beck 88: XOh, and in case it hasn't been previously mentioned, $SUPUSER should *NOT*
89: Xbe the anoncvs user :)
90: X
91: X**********************************************************************
92: XSTEP 4) Build the anoncvs user's home directory chroot jail. This example
93: Xassumes that you're using OpenBSD. If you're not you may need different
94: Xfiles in the chroot.
1.4 deraadt 95: X
1.1 deraadt 96: Xmkdir /open/anoncvs
97: Xmkdir /open/anoncvs/cvs
1.6 deraadt 98: Xmkdir /open/anoncvs/sup
99: Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs
1.1 deraadt 100: X
1.7 beck 101: XStart filling the account up with nice stuff. You are building a chroot
102: Xjail for anoncvs in /open/anoncvs.
103: X
1.1 deraadt 104: X cd /open/anoncvs
105: X touch .hushlogin
106: X touch .profile
107: X
108: Xput a message like the following in .plan:
1.6 deraadt 109: X To use anonymous CVS install the latest version of CVS on your local
110: X machine.
1.1 deraadt 111: X Then set your CVSROOT environment variable to the following value:
112: X anoncvs@anoncvs.openbsd.org:/cvs
113: X
114: X chown root.wheel .hushlogin .profile .plan
115: X
116: X mkdir bin dev tmp usr var etc
117: X cp /bin/{cat,pwd,rm,sh} bin/
118: X
119: XUsing mknod, make a dev/null that has the same major/minor numbers as
120: X your /dev/null, and make it mode 666.
121: X
122: Xsome shared library systems require a dev/zero created in the same way
123: X
124: Xfill etc space for the account
125: X cp /etc/{group,hosts,passwd,protocols} etc/
126: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
127: X modify these copies to suit your idea of system security; they are readable inside the jail, so leave out anything an anonymous user should not see
128: X
1.3 deraadt 129: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses a
130: Xtiny extension provided in the openbsd cvs server code which permits
131: Xthe use of read-only cvs repositories. Therefore you MUST compile the
132: Xopenbsd version of cvs. Luckily this is not a problem on a
133: Xnon-openbsd machine since the cvs sources are imported verbatim into
134: Xthe openbsd tree. They are in gnu/usr.bin/cvs. The sources are
135: Xintegrated such that Makefile.bsd-wrapper knows how to build the
136: Xsources on an OpenBSD machine, using obj directories.
1.1 deraadt 137: X
138: Xcreate tmp space for the account
139: X cd var; ln -s ../tmp tmp
140: X chmod a+rwx tmp
141: X
142: X mkdir usr/{bin,lib}
143: X cp /usr/bin/{ci,co,cvs,diff,diff3,gzip,rcs,rcsclean} usr/bin/
144: X cp /usr/bin/{rcsdiff,rcsfreeze,rcsmerge,rlog,sdiff,zdiff} usr/bin/
1.6 deraadt 145: X cp /usr/bin/grep usr/bin
1.1 deraadt 146: X
147: Xif your system has ld.so in /usr/libexec,
148: X mkdir usr/libexec
149: X cp /usr/libexec/ld.so usr/libexec/
150: X
151: Xif using shared libraries, copy the shared libs you might need:
152: X cp /usr/lib/lib*.so.* usr/lib/
153: X
154: XAs a final pass, make sure that all the files you have just created are
1.7 beck 155: Xnot world writable (except dev/null)
1.1 deraadt 156: X
1.7 beck 157: XFor :pserver: support (optional)
158: X - Create an entry in /etc/services
159: X cvspserver 2401/tcp # CVS client/server operations
160: X - Create an entry in /etc/inetd.conf
161: X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
1.11 ! millert 162: X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
! 163: X anoncvs:AHDysQkJIubEc
! 164: X which would be a password of "anoncvs" (as per anoncvs.html)
! 165: X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
! 166: X anoncvs
! 167: X which tells cvs that user "anoncvs" is allowed readonly access.
! 168: X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
! 169: X want anyone to be able to write to the mirror.
! 170: X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
1.7 beck 171: X
172: XSee the example layout below for full details.
173: X
174: X**********************************************************************
175: XSTEP 5): Get sup permission.
176: Xsend mail to sup@openbsd.org
177: X1) to have sup permissions granted on an appropriate machine for you
1.10 beck 178: X to sup from. We will need to know your host's real hostname and
179: X IP address.
1.3 deraadt 180: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created
181: X3) to have your site mentioned in the http://www.openbsd.org page.
182: X
1.7 beck 183: X**********************************************************************
184: XSTEP 6): Configure sup
185: X
186: XIf you're running OpenBSD, you already have a sup client in
187: X/usr/bin/sup. If not you may need to build it. On an IRIX or other
188: XSYSV machine, ensure that your kernel does not allow a user to chown a
189: Xfile to another user (You may have heard of this particular brand of
190: Xevil referred to as "chown giveaway"). This will cause sup to give
191: Xaway the files to root before chmod'ing them
192: Xreadable. michaels@openbsd.org knows how to fix this.
193: X
194: XThe file /open/sup/ss contains a line that tells sup where to get the
1.10 beck 195: Xcvs tree from. It will normally contain:
1.7 beck 196: X
197: X cvs host=anoncvs1.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete
198: X
199: XThe file /open/sup/cvs/refuse tells sup what files it should not get.
1.11 ! millert 200: XIt should contain the following lines:
1.7 beck 201: X
202: X cvs/CVSROOT/history
1.11 ! millert 203: X cvs/CVSROOT/readers
! 204: X cvs/CVSROOT/writers
! 205: X cvs/CVSROOT/passwd
1.7 beck 206: X
207: XIf you ever fetch the file cvs/CVSROOT/history, delete it. It will
208: Xcause you problems.
209: X
210: X**********************************************************************
211: XSTEP 7): Run sup to retrieve the tree for the first time
212: X
213: XLog in as or become the $SUPUSER, and run
214: X
215: Xsup -v /open/anoncvs/sup/ss > /tmp/suplog &; tail -f /tmp/suplog
216: X
217: XIf you have sup permission, and have specified the correct host and
218: Xhostbase in /open/anoncvs/sup/ss you should see a list of files start
219: Xcoming in after a short while. Don't panic if nothing happens
220: Ximmediately. Watch for errors (sup can timeout or die). If you can't
221: Xaccess files, contact the sup server maintainer. If you get a timeout
222: Xor if sup dies you can restart and it should continue where it left off.
223: X
224: XIt can take a good while (and a couple of restarts) to obtain the
225: Xwhole tree for the first time.
226: X
227: X**********************************************************************
228: XSTEP 8): Set up cron to keep the tree up to date.
229: X
230: XYou run sup periodically from the cron by setting up the crontab file
231: Xof the $SUPUSER.
232: X
233: XFor example: To run every three hours 'sup -v supfile', and thrice
234: Xweekly 'sup -vo supfile' .. because sup is not reliable ..
235: X
236: X0 0,3,6,9,12,15,18,21 * * 0,2,4,5 sup -v /open/anoncvs/sup/ss > /dev/null
237: X0 0,12,15,18,21 * * 1,3,6 sup -v /open/anoncvs/sup/ss > /dev/null
238: X0 3 * * 1,3,6 sup -vo /open/anoncvs/sup/ss > /dev/null
239: X
240: Xanoncvs5.usa.openbsd.org uses this particular set of entries. A `sup
241: X-o' is done every few days because sup is not very robust.
242: X
243: X**********************************************************************
244: XEXAMPLE LAYOUT
245: X
246: XExample layout for OpenBSD. In this example "deraadt" is the $SUPUSER.
1.3 deraadt 247: X
248: X[eap open 5 ]> cd /open
249: X[eap open 6 ]> ls -alF
250: Xtotal 46
251: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./
252: Xdrwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../
253: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 anoncvs/
254: X---s--x--x 1 root bin 16384 Nov 30 1995 anoncvssh*
255: Xlrwxr-xr-x 1 root wheel 11 Jan 3 21:52 cvs@ -> anoncvs/cvs
256: Xdrwxr-xr-x 5 root wheel 512 Feb 22 13:22 ftp/
257: Xdrwxrwxrwt 2 anoncvs wheel 1024 Jan 1 13:18 lost+found/
258: Xdrwxr-xr-x 4 root wheel 512 Nov 30 1995 src/
259: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 sup/
260: X[eap open 7 ]> cd anoncvs
261: X[eap anoncvs 8 ]> ls -alF
262: Xtotal 20
263: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ./
264: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
265: X-r--r--r-- 1 root wheel 0 Nov 30 1995 .hushlogin
266: X-r--r--r-- 1 root wheel 188 Nov 30 1995 .plan
267: X-r--r--r-- 1 root wheel 0 Nov 29 1995 .profile
1.10 beck 268: Xdrwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 bin/
1.3 deraadt 269: Xdrwxrwxr-x 6 deraadt cvs 512 Jun 16 20:28 cvs/
270: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 dev/
271: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 etc/
272: Xdrwxrwxrwx 3 root wheel 512 Jun 22 07:42 tmp/
273: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 usr/
274: Xdrwxr-xr-x 2 root wheel 512 Jan 3 21:55 var/
275: X[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev
276: Xbin:
277: Xtotal 948
1.10 beck 278: Xdrwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 ./
1.3 deraadt 279: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
280: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 cat*
281: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 pwd*
282: X--wx--x--x 1 deraadt wheel 122880 Jun 18 09:45 rm*
283: X--wx--x--x 1 deraadt wheel 262144 Jun 18 09:45 sh*
284: X
285: Xdev:
286: Xtotal 4
287: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 ./
288: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
289: Xcrw-rw-rw- 1 root wheel 2, 2 Nov 30 1995 null
290: X
291: Xetc:
292: Xtotal 112
293: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 ./
294: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
295: X-rw-r--r-- 1 root wheel 252 Nov 29 1995 group
296: X-rw-r--r-- 1 root wheel 296 Nov 29 1995 hosts
297: X-rw-r--r-- 1 root wheel 540 Nov 29 1995 passwd
298: X-rw-r--r-- 1 root wheel 1094 Nov 29 1995 protocols
299: X-rw-r--r-- 1 root wheel 40960 Nov 29 1995 pwd.db
300: X-rw-r--r-- 1 root wheel 89 Nov 29 1995 resolv.conf
301: X-rw-r--r-- 1 root wheel 5529 Nov 29 1995 services
302: X-rw-r--r-- 1 root wheel 1361 Nov 29 1995 ttys
303: X
304: Xusr:
305: Xtotal 10
306: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ./
307: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
308: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 bin/
309: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 lib/
310: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 libexec/
311: X
312: Xusr/bin:
313: Xtotal 1968
314: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 ./
315: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
316: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 ci*
317: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 co*
318: X--wx--x--x 1 deraadt wheel 317787 Jun 18 09:46 cvs*
319: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 diff*
320: X--wx--x--x 1 deraadt wheel 24576 Jun 18 09:46 diff3*
321: X--wx--x--x 1 deraadt wheel 90112 Jun 18 09:46 gzip*
322: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 rcs*
323: X--wx--x--x 1 deraadt wheel 65536 Jun 18 09:46 rcsclean*
324: X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rcsdiff*
325: X--wx--x--x 1 deraadt wheel 3228 Jun 18 09:46 rcsfreeze*
326: X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rcsmerge*
327: X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rlog*
328: X--wx--x--x 1 deraadt wheel 24576 Jun 18 09:46 sdiff*
329: X--wx--x--x 1 deraadt wheel 2006 Jun 18 09:46 zdiff*
330: X
331: Xusr/lib:
332: Xtotal 5594
333: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 ./
334: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
335: X-rw-r--r-- 1 deraadt wheel 16665 Jun 18 09:50 libacl.so.4.0
336: X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libc.so.12.3
337: X-rw-r--r-- 1 deraadt wheel 377359 Jun 18 09:50 libc.so.12.6
338: X-rw-r--r-- 1 deraadt wheel 16608 Jun 18 09:50 libcrypt.so.0.0
339: X-rw-r--r-- 1 deraadt wheel 16465 Jun 18 09:50 libcrypt.so.1.0
340: X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libcurses.so.2.1
341: X-rw-r--r-- 1 deraadt wheel 86198 Jun 18 09:50 libcurses.so.3.0
342: X-rw-r--r-- 1 deraadt wheel 42254 Jun 18 09:50 libdes.so.4.1
343: X-rw-r--r-- 1 deraadt wheel 66099 Jun 18 09:50 libedit.so.0.0
344: X-rw-r--r-- 1 deraadt wheel 43131 Jun 18 09:50 libform.so.0.0
345: X-rw-r--r-- 1 deraadt wheel 387976 Jun 18 09:50 libg++.so.2.0
346: X-rw-r--r-- 1 deraadt wheel 305738 Jun 18 09:50 libg++.so.27.1
347: X-rw-r--r-- 1 deraadt wheel 25544 Jun 18 09:50 libgnumalloc.so.0.0
348: X-rw-r--r-- 1 deraadt wheel 42696 Jun 18 09:50 libiberty.so.0.0
349: X-rw-r--r-- 1 deraadt wheel 25282 Jun 18 09:50 libkadm.so.4.0
350: X-rw-r--r-- 1 deraadt wheel 16610 Jun 18 09:50 libkafs.so.4.0
351: X-rw-r--r-- 1 deraadt wheel 25539 Jun 18 09:50 libkdb.so.4.0
352: X-rw-r--r-- 1 deraadt wheel 59943 Jun 18 09:50 libkrb.so.4.0
353: X-rw-r--r-- 1 deraadt wheel 25328 Jun 18 09:50 libkvm.so.4.0
354: X-rw-r--r-- 1 deraadt wheel 102104 Jun 18 09:50 libm.so.0.1
355: X-rw-r--r-- 1 deraadt wheel 26540 Jun 18 09:50 libmenu.so.0.0
356: X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libocurses.so.2.1
357: X-rw-r--r-- 1 deraadt wheel 16881 Jun 18 09:50 libpanel.so.0.0
358: X-rw-r--r-- 1 deraadt wheel 60222 Jun 18 09:50 libpcap.so.0.0
359: X-rw-r--r-- 1 deraadt wheel 25060 Jun 18 09:50 libresolv.so.1.0
360: X-rw-r--r-- 1 deraadt wheel 16465 Jun 18 09:50 libresolv.so.2.0
361: X-rw-r--r-- 1 deraadt wheel 33538 Jun 18 09:50 libskey.so.0.0
362: X-rw-r--r-- 1 deraadt wheel 25764 Jun 18 09:50 libss.so.4.0
363: X-rw-r--r-- 1 deraadt wheel 277954 Jun 18 09:50 libstdc++.so.27.1
364: X-rw-r--r-- 1 deraadt wheel 16835 Jun 18 09:50 libtelnet.so.1.0
365: X-rw-r--r-- 1 deraadt wheel 16691 Jun 18 09:50 libtermcap.so.0.0
366: X-rw-r--r-- 1 deraadt wheel 16691 Jun 18 09:50 libtermlib.so.0.0
367: X-rw-r--r-- 1 deraadt wheel 75039 Jun 18 09:50 libtermlib.so.1.0
368: X-rw-r--r-- 1 deraadt wheel 16625 Jun 18 09:50 libutil.so.3.1
369: X-rw-r--r-- 1 deraadt wheel 25628 Jun 18 09:50 libutil.so.3.2
370: X
371: Xusr/libexec:
372: Xtotal 100
373: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 ./
374: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
375: X-rwxr-xr-x 1 deraadt wheel 49152 Jun 18 09:47 ld.so*
376: X
377: X[eap anoncvs 14 ]> ls cvs
378: XCVSROOT/ src/ sup/ www/
1.6 deraadt 379: X[eap anoncvs 15 ]> cd /open
1.3 deraadt 380: X[eap anoncvs 16 ]> ls -alF sup
381: Xtotal 8
382: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 ./
383: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
384: Xdrwxr-xr-x 2 deraadt wheel 512 Jun 22 06:05 cvs/
385: X-rw-rw-r-- 1 deraadt wheel 54 Dec 4 1995 ss
386: X
387: X
1.7 beck 388: X***************************************************************
389: XNOTES FOR OTHER PLATFORMS:
390: X
391: XIf you're not that familiar with your other platform (i.e. you haven't
392: Xbuilt a chroot jail for a server on it), you may be better off
393: Xfinding an OpenBSD machine to use (and duplicating the example above).
394: X
395: X**SunOS 5)
1.10 beck 396: XBob Beck <Bob.Beck@ualberta.ca> has done this. E-mail for
1.7 beck 397: Xhelp if you need it.
1.6 deraadt 398: X
1.7 beck 399: X**OSF 1)
1.6 deraadt 400: XFrom Todd Fries <toddf@acm.org> to the adventurous.
401: XA note for those installing anoncvs on non-OpenBSD operating systems.
402: XYou are in for some fun.
403: X
404: XFor OSF1, on a DEC alpha, I had to do the following in addition to the
405: Xabove:
406: X
407: X- I do not know how to setup dynamic libraries on osf1 and as a result
408: X everything had to be compiled statically.
409: X- Therefore, everything but /bin/sh I had to recompile in order to
410: X get the chroot setup. In order that there be no guesswork
411: X involved, the following packages' binaries must exist in the chroot
412: X environment:
413: X
414: X GNU
415: X cvs (from the OpenBSD source tree)
416: X diff[utils] (unless you're running *BSD, probably better get it from a gnu
417: X mirror...the Makefile doesn't work otherwise)
418: X rcs (from the OpenBSD source tree)
419: X
420: XSome notes on compiling.
421: X
422: X rcs must have diff3 capable of diff3 -m during configure.
423: X OSF doesn't by default, thus I had to compile diffutils first.
424: X
425: X cvs fails to install if you don't have makeinfo ... just search for the
426: X string ' install-info$' with regex and remove it from the Makefile for the
427: X install and you'll be fine, or install 'texinfo', your choice.
1.10 beck 428: X
1.1 deraadt 429: END-of-README
430: echo x - anoncvssh.c
431: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
432: X/*
433: X * anoncvssh
434: X */
435: X
1.4 deraadt 436: X#include <stdio.h>
437: X#include <stdlib.h>
438: X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
439: X#include <paths.h>
440: X#endif
441: X#include <pwd.h>
442: X#include <unistd.h>
443: X#include <sys/types.h>
444: X
445: X#ifndef __CONCAT
446: X#if defined(__STDC__) || defined(__cplusplus)
447: X#define __CONCAT(x,y) x ## y
448: X#else
449: X#define __CONCAT(x,y) x/**/y
450: X#endif
451: X#endif
452: X
453: X#ifndef __CONCAT3
454: X#if defined(__STDC__) || defined(__cplusplus)
455: X#define __CONCAT3(x,y,z) x ## y ## z
456: X#else
457: X#define __CONCAT3(x,y,z) x/**/y/**/z
458: X#endif
459: X#endif
460: X
461: X#ifndef __P
462: X#if defined(__STDC__) || defined(__cplusplus)
463: X#define __P(protos) protos /* full-blown ANSI C */
464: X#else
465: X#define __P(protos) () /* traditional C preprocessor */
466: X#endif
467: X#endif
468: X
469: X/*
470: X * You may need to change this path to ensure that RCS, CVS and diff
471: X * can be found
472: X */
473: X#ifndef _PATH_DEFPATH
474: X#define _PATH_DEFPATH "/bin:/usr/bin"
475: X#endif
476: X
477: X/*
478: X * This should not normally have to be changed
479: X */
480: X#ifndef _PATH_BSHELL
481: X#define _PATH_BSHELL "/bin/sh"
482: X#endif
483: X
484: X/*
485: X * Location of CVS tree, relative to the anonymous CVS user's
486: X * home directory
487: X */
488: X#ifndef LOCALROOT
489: X#define LOCALROOT "/cvs"
490: X#endif
491: X
492: X/*
493: X * Account and host name to be used when accessing the
494: X * CVS repository remotely
495: X */
496: X#ifndef HOSTNAME
497: X#define HOSTNAME "anoncvs@anoncvs1.usa.openbsd.org"
498: X#endif
499: X
500: X/*
501: X * $CVSROOT is created based on HOSTNAME and LOCALROOT above
502: X */
1.1 deraadt 503: X#ifndef CVSROOT
1.4 deraadt 504: X#define CVSROOT __CONCAT3(HOSTNAME,":",LOCALROOT)
1.1 deraadt 505: X#endif
506: X
1.8 beck 507: X/*
508: X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
509: X * You may undefine this if you aren't going to be running pserver.
510: X */
511: X#ifndef PSERVER_SUPPORT
512: X#define PSERVER_SUPPORT
513: X#endif
514: X
515: X/*
516: X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
517: X * using syslog()
518: X */
519: X#define USE_SYSLOG
520: X
521: X#ifdef USE_SYSLOG
522: X#include <string.h>
523: X#include <syslog.h>
524: X#include <netinet/in.h>
525: X#include <sys/socket.h>
526: X#include <arpa/inet.h>
527: X#define LOG_FACILITY LOG_DAEMON
528: X#define LOG_PRIO LOG_INFO
529: X#endif
530: X
531: X/* Define ANONCVS_USER if you want anoncvssh to complain if invoked by
532: X * anyone other than root or ANONCVS_USER.
533: X */
534: X/* #define ANONCVS_USER "anoncvs" */
535: X
1.4 deraadt 536: Xint main __P((int, char *[]));
537: X
/*
 * Environment handed to cvs by execle().  The invoker's environment is
 * not passed through at all, so the jailed cvs sees exactly these values.
 * CVSROOT is the repository path inside the chroot (LOCALROOT), and
 * CVSREADONLYFS=1 enables the OpenBSD cvs extension for read-only
 * repositories described in the README.
 */
char * const env[] = {
	__CONCAT("PATH=",_PATH_DEFPATH),	/* where cvs finds rcs, diff, ... */
	__CONCAT("SHELL=",_PATH_BSHELL),
	__CONCAT("CVSROOT=",LOCALROOT),
	"HOME=/",				/* main() chdirs to "/" of the jail */
	"CVSREADONLYFS=1",
	NULL
};
1.1 deraadt 546: X
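/*
 * main - restricted login shell for the anonymous CVS account.
 *
 * Installed setuid root.  It looks up the invoking (real) user, enters a
 * chroot jail rooted at that user's home directory, drops root, and then
 * execs the jailed /usr/bin/cvs either as a pserver (when invoked as
 * "anoncvssh pserver", e.g. from inetd) or as "cvs server" for a client
 * arriving over ssh/rsh.  Any other command line gets a usage message, a
 * 10 second delay and exit status 0.
 *
 * Every step of the privilege transition is checked: a failed chdir("/")
 * would leave the working directory outside the new root, and a failed
 * setuid() would leave the process running cvs as root.  The binary is
 * setuid but not setgid (BINMODE 4111 in the Makefile), so the gid and
 * supplementary groups are those of the invoker and are left untouched.
 *
 * Exits 0 after the usage message and 1 on any error; on success the
 * process image is replaced by cvs and main() does not return.
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	struct passwd *pw;
#ifdef DEBUG
	int i;
#endif /* DEBUG */

	/* The real uid is the account that invoked us (normally anoncvs). */
	pw = getpwuid(getuid());
	if (pw == NULL) {
		fprintf(stderr, "no user for uid %lu\n",
		    (unsigned long)getuid());
		exit(1);
	}
	/* The home directory becomes the chroot; an empty one is unusable. */
	if (pw->pw_dir == NULL || pw->pw_dir[0] == '\0') {
		fprintf(stderr, "no directory\n");
		exit(1);
	}

#ifdef USE_SYSLOG
	openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
#endif /* USE_SYSLOG */

#ifdef ANONCVS_USER
	/*
	 * Refuse to run for anyone other than root or the anoncvs account:
	 * the binary is setuid root and there is no reason for others to
	 * exercise it.  Log the attempt so the admin can see who did.
	 */
	if (getuid() != 0 && (strcmp(pw->pw_name, ANONCVS_USER) != 0)) {
		fprintf(stderr, "You're not supposed to be running me!\n");
#ifdef USE_SYSLOG
		syslog(LOG_NOTICE,
		    "User %s(%lu) invoked anoncvssh - Possible twink?",
		    pw->pw_name, (unsigned long)pw->pw_uid);
#endif /* USE_SYSLOG */
		exit(1);
	}
#endif /* ANONCVS_USER */

	/*
	 * chroot(2) needs an effective uid of 0.  We are setuid root, so
	 * setuid(0) also makes the real uid 0 for the duration of the jail
	 * setup; it is undone right after chdir() below.
	 */
	if (setuid(0) == -1) {
		perror("setuid(0)");
		exit(1);
	}
	if (chroot(pw->pw_dir) == -1) {
		perror("chroot");
		exit(1);
	}
	/*
	 * chroot() does not move the working directory.  Without a
	 * successful chdir("/") the process would keep a directory handle
	 * outside the jail, so a failure here is fatal.
	 */
	if (chdir("/") == -1) {
		perror("chdir");
		exit(1);
	}
	/*
	 * Drop root for good.  A silently failed setuid() would run cvs as
	 * root inside the jail, so check the call and confirm the result.
	 */
	if (setuid(pw->pw_uid) == -1) {
		perror("setuid");
		exit(1);
	}
	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
		fprintf(stderr, "failed to drop privileges\n");
		exit(1);
	}

	/*
	 * program now "safe": unprivileged, inside the jail
	 */

#ifdef PSERVER_SUPPORT
	/* Invoked as "anoncvssh pserver" (the inetd.conf form): run a pserver. */
	if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
#ifdef USE_SYSLOG
		socklen_t slen;
		struct sockaddr_in my_sa, peer_sa;
		char *us, *them;

		/* Record both ends of the connection inetd handed us on fd 0. */
		slen = sizeof(my_sa);
		if (getsockname(0, (struct sockaddr *) &my_sa, &slen)
		    != 0) {
			perror("getsockname");
			exit(1);
		}
		/* inet_ntoa() returns a static buffer; copy before calling it again. */
		us = strdup(inet_ntoa(my_sa.sin_addr));
		if (us == NULL) {
			fprintf(stderr, "malloc failed\n");
			exit(1);
		}
		slen = sizeof(peer_sa);
		if (getpeername(0, (struct sockaddr *) &peer_sa, &slen)
		    != 0) {
			perror("getpeername");
			exit(1);
		}
		them = strdup(inet_ntoa(peer_sa.sin_addr));
		if (them == NULL) {
			fprintf(stderr, "malloc failed\n");
			exit(1);
		}
		syslog(LOG_PRIO,
		    "pserver connection from %s:%d to %s:%d\n",
		    them, ntohs(peer_sa.sin_port),
		    us, ntohs(my_sa.sin_port));
		free(them);
		free(us);
#endif /* USE_SYSLOG */
		/*
		 * --allow-root pins pserver to the one repository inside
		 * the jail.  The NULL terminator is cast so it is passed as
		 * a pointer on every platform, as the variadic call needs.
		 */
		execle("/usr/bin/cvs", "cvs",
		    __CONCAT("--allow-root=",LOCALROOT), "pserver",
		    (char *)NULL, env);
		perror("execle: cvs");
		fprintf(stderr, "unable to exec CVS pserver!\n");
		exit(1);
		/* NOTREACHED */
	}
#endif

	/*
	 * Otherwise we must have been run as a login shell by a CVS client
	 * over ssh/rsh: exactly "anoncvssh -c 'cvs server'" (or the
	 * "cvs -d LOCALROOT server" variant).  Anything else gets the usage
	 * text; the sleep presumably slows down people probing the binary.
	 */
	if (argc != 3 ||
	    strcmp("anoncvssh", argv[0]) != 0 ||
	    strcmp("-c", argv[1]) != 0 ||
	    (strcmp("cvs server", argv[2]) != 0 &&
	     strcmp(__CONCAT3("cvs -d ",LOCALROOT," server"), argv[2]) != 0)) {
		fprintf(stderr, "\nTo use anonymous CVS install the latest ");
		fprintf(stderr,"version of CVS on your local machine.\n");
		fprintf(stderr,"Then set your CVSROOT environment variable ");
		fprintf(stderr,"to the following value:\n");
		fprintf(stderr,"\t%s\n\n", CVSROOT);
#ifdef DEBUG
		fprintf(stderr, "argc = %d\n", argc);
		for (i = 0 ; i < argc ; i++)
			fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
#endif /* DEBUG */
		sleep(10);
		exit(0);
	}
	/* Only the fixed env[] is passed; nothing from the client leaks through. */
	execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
	perror("execle: cvs");
	fprintf(stderr, "unable to exec CVS server!\n");
	exit(1);
	/* NOTREACHED */
}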
667: X
668: END-of-anoncvssh.c
669: exit
670: