Annotation of www/anoncvs.shar, Revision 1.13
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
1.6 deraadt 8: # Makefile
1.1 deraadt 9: # README
10: # anoncvssh.c
11: #
1.6 deraadt 12: echo x - Makefile
13: sed 's/^X//' >Makefile << 'END-of-Makefile'
14: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
15: XPROG= anoncvssh
16: XBINOWN= root
17: XBINMODE=4111
18: XBINDIR=/open
19: XNOMAN=
20: X
21: X.include <bsd.prog.mk>
22: X
23: END-of-Makefile
1.1 deraadt 24: echo x - README
25: sed 's/^X//' >README << 'END-of-README'
26: X
1.7 beck 27: X So, you want to run an anoncvs server.
28: X
29: X A summary of the steps you'll need to do is:
30: X
31: X1) Find enough disk space to hold the anoncvs tree, and mount it in an
32: Xappropriate place.
33: X
34: X2) Compile and install anoncvssh, the shell used for the anoncvs user.
35: X ( If you aren't using OpenBSD you'll probably need to compile a sup
36: X client as well. The easier path is to use OpenBSD ;)
37: X
38: X3) Add the anoncvs user to the password file, with no password, and
39: Xanoncvssh as it's shell. Decide on a user that will run sup to maintain
40: Xthe archive (this is a different user, NOT the anoncvs user)
41: X
42: X4) Make a home directory for the anoncvs user. The anoncvs user's home
43: Xdirectory is a chroot jail in which the anoncvssh processes run when
44: Xservicing anoncvs requests. The jail must contain the cvs binary and
45: Xrelated programs (rcs, etc) as well as whatever shared libraries and
46: Xsupport files are needed to run them unless you compile and link
47: Xeverything staticly. This example shows what is needed for OpenBSD. If
48: Xyou use another platform you'll need to be familiar with what needs
49: Xto go in a chroot jail for your platform.
50: X
51: X5) Get permission to use sup to obtain the cvs tree from a server.
1.1 deraadt 52: X
1.7 beck 53: X6) Set up sup to retrieve the cvs tree from an appropriate place.
54: X (If you aren't using OpenBSD you will need to compile and install
55: X a sup client).
1.6 deraadt 56: X
1.7 beck 57: X7) Run sup to retrieve the distribution from the server
1.3 deraadt 58: X
1.7 beck 59: X8) Once you get the distribution in, set up a cron job to run sup
60: X periodically to keep your server up to date.
1.6 deraadt 61: X
1.7 beck 62: X**********************************************************************
63: XSTEP 1) find enough disk space.
1.13 ! millert 64: X you need roughly 1.6GB.
1.7 beck 65: X mount it on /open
66: X if you are not able to mount it as /open, substitute it's location
67: X throughout the rest of this description
1.6 deraadt 68: X
1.7 beck 69: X**********************************************************************
70: XSTEP 2) compile the anoncvssh binary
71: X in the Makefile, change the variable CVSROOT
72: X install the binary setuid-root in /open/anoncvssh.
1.1 deraadt 73: X
1.7 beck 74: X**********************************************************************
75: XSTEP 3) Create the anoncvs account. and decide who will run "sup"
76: Xto maintain the archive. The anoncvs account should *NOT* be the one
77: Xrunning sup to maintain the archive.
1.1 deraadt 78: X
1.9 beck 79: Xcreate an account similar to:
80: X
1.7 beck 81: X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
1.4 deraadt 82: X
1.9 beck 83: Xyes, that is right. the account has no password. Be sure that the uid
84: Xand gid are unique for your system, if the ones above aren't, pick different
85: Xvalues.
86: X
87: XDecide on who will run sup to maintain the archive. call that user $SUPUSER.
1.7 beck 88: XOh, and in case it hasn't been previously mentioned, $SUPUSER should *NOT*
89: Xbe the anoncvs user :)
90: X
91: X**********************************************************************
92: XSTEP 4) Build the anoncvs user's home directory chroot jail. This example
93: Xassumes that you're using OpenBSD. If you're not you may need different
94: Xfiles in the chroot.
1.4 deraadt 95: X
1.1 deraadt 96: Xmkdir /open/anoncvs
97: Xmkdir /open/anoncvs/cvs
1.6 deraadt 98: Xmkdir /open/anoncvs/sup
99: Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs
1.1 deraadt 100: X
1.7 beck 101: Xstart filling the account up with nice stuff. You are building a chroot
102: Xjail for anoncvs in /open/anoncvs.
103: X
1.1 deraadt 104: X cd /open/anoncvs
105: X touch .hushlogin
106: X touch .profile
107: X
108: Xput a message like the following in .plan:
1.6 deraadt 109: X To use anonymous CVS install the latest version of CVS on your local
110: X machine.
1.1 deraadt 111: X Then set your CVSROOT environment variable to the following value:
112: X anoncvs@anoncvs.openbsd.org:/cvs
113: X
114: X chown root.wheel .hushlogin .profile .plan
115: X
116: X mkdir bin dev tmp usr var etc
117: X cp /bin/{cat,pwd,rm,sh} bin/
118: X
119: Xusing mknod, make a dev/null that has the same major/minor numbers as
120: X your /dev/null, and make it mode 666.
121: X
122: Xsome shared library systems require a dev/zero created in the same way
123: X
124: Xfill etc space for the account
125: X cp /etc/{group,hosts,passwd,protocols} etc/
126: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
127: X modify these files to suit your idea of system security
128: X
1.3 deraadt 129: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses an
130: Xtiny extension provided in the openbsd cvs server code which permits
131: Xthe use of read-only cvs repositories. therefore you MUST compile the
132: Xopenbsd version of cvs. luckily this is not a problem on a
133: Xnon-openbsd machine since the cvs sources are imported verbatim into
134: Xthe openbsd tree. they are in gnu/usr.bin/cvs. The sources are
135: Xintegrated such that Makefile.bsd-wrapper knows how to build the
136: Xsources on an OpenBSD machine, using obj directories.
1.1 deraadt 137: X
138: Xcreate tmp space for the account
1.13 ! millert 139: X # cd var; ln -s ../tmp tmp
! 140: X # chmod a+rwx tmp
1.1 deraadt 141: X
1.13 ! millert 142: X # mkdir usr/{bin,lib}
! 143: X # cp /usr/bin/cvs usr/bin/
1.1 deraadt 144: X
145: Xif your system has ld.so in /usr/libexec,
1.13 ! millert 146: X # mkdir usr/libexec
! 147: X # cp /usr/libexec/ld.so usr/libexec/
1.1 deraadt 148: X
1.13 ! millert 149: Xif using shared libraries, use ldd to find out which shared libs you need:
! 150: X # ldd /usr/bin/cvs
! 151: X /usr/bin/cvs:
! 152: X -lz.1 => /usr/lib/libz.so.1.4 (0x40097000)
! 153: X -lgssapi.1 => /usr/lib/libgssapi.so.1.0 (0x400a4000)
! 154: X -lkrb.10 => /usr/lib/libkrb.so.10.0 (0x400ae000)
! 155: X -lkrb5.4 => /usr/lib/libkrb5.so.4.0 (0x400c8000)
! 156: X -lasn1.2 => /usr/lib/libasn1.so.2.0 (0x400ff000)
! 157: X -lcrypto.6 => /usr/lib/libcrypto.so.6.0 (0x4011d000)
! 158: X -ldes.7 => /usr/lib/libdes.so.7.0 (0x40203000)
! 159: X -lkafs.10 => /usr/lib/libkafs.so.10.0 (0x4020d000)
! 160: X -lc.28 => /usr/lib/libc.so.28.5 (0x40210000)
! 161: X
! 162: X and then copy the required libraries to usr/lib/
1.1 deraadt 163: X
164: Xas a final pass, make sure that all the files you have just created are
1.7 beck 165: Xnot world writable (except dev/null)
1.1 deraadt 166: X
1.7 beck 167: XFor :pserver: support (optional)
168: X - Create an entry in /etc/services
169: X cvspserver 2401/tcp # CVS client/server operations
170: X - Create an entry in /etc/inetd.conf
171: X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
1.11 millert 172: X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
173: X anoncvs:AHDysQkJIubEc
174: X which would be a password of "anoncvs" (as per anoncvs.html)
175: X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
176: X anoncvs
177: X which tells cvs that user "anoncvs" is allowed readonly access.
178: X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
179: X want anyone to be able to write to the mirror.
180: X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
1.7 beck 181: X
182: XSee the example layout below for full details.
183: X
184: X**********************************************************************
185: XSTEP 5): Get sup permission.
186: Xsend mail to sup@openbsd.org
187: X1) to have sup permissions granted on an appropriate machine for you
1.10 beck 188: X to sup from. We will need to know your host's real hostname and
189: X IP address.
1.3 deraadt 190: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created
191: X3) to have your site mentioned in the http://www.openbsd.org page.
192: X
1.7 beck 193: X**********************************************************************
194: XSTEP 6): Configure sup
195: X
196: XIf you're running OpenBSD, you already have a sup client in
197: X/usr/bin/sup. If not you may need to build it. On an IRIX or other
198: XSYSV machine, ensure that your kernel does not allow a user to chown a
199: Xfile to another user (You may have heard of this particular brand of
200: Xevil referred to as "chown giveaway"). this will cause sup to give
201: Xaway the files to root before chmod'ing them
202: Xreadable. michaels@openbsd.org knows how to fix this.
203: X
204: XThe file /open/sup/ss contains a line that tells sup where to get the
1.10 beck 205: Xcvs tree from. it will normally contain:
1.7 beck 206: X
207: X cvs host=anoncvs1.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete
208: X
209: XThe file /open/sup/cvs/refuse tells sup what files it should not get.
1.11 millert 210: XIt should contain the following lines:
1.7 beck 211: X
212: X cvs/CVSROOT/history
1.11 millert 213: X cvs/CVSROOT/readers
214: X cvs/CVSROOT/writers
215: X cvs/CVSROOT/passwd
1.7 beck 216: X
217: Xif you ever fetch the file cvs/CVSROOT/history, delete it. it will
218: Xcause you problems.
219: X
220: X**********************************************************************
221: XSTEP 7): Run sup to retrieve the tree for the first time
222: X
223: XLog in as or become the $SUPUSER, and run
224: X
225: Xsup -v /open/anoncvs/sup/ss > /tmp/suplog &; tail -f /tmp/suplog
226: X
227: XIf you have sup permission, and have specified the correct host and
228: Xhostbase in /open/anoncvs/sup/ss you should see a list of files start
229: Xcoming in after a short while. Don't panic if nothing happens
230: Ximmediately. Watch for errors (sup can timeout or die). If you can't
231: Xaccess files contact the sup server maintainer, If you get a timeout
232: Xor if sup dies you can restart and it should continue where it left off.
233: X
234: XIt can take a good while (and a couple of restarts) to obtain the
235: Xwhole tree for the first time.
236: X
237: X**********************************************************************
238: XSTEP 8): Set up cron to keep the tree up to date.
239: X
240: XYou run sup periodically from the cron by setting up the crontab file
241: Xof the $SUPUSER.
242: X
243: XFor example: To run every three hours 'sup -v supfile', and thrice
244: Xweekly 'sup -vo supfile' .. because sup is not reliable ..
245: X
246: X0 0,3,6,9,12,15,18,21 * * 0,2,4,5 sup -v /open/anoncvs/sup/ss > /dev/null
247: X0 0,12,15,18,21 * * 1,3,6 sup -v /open/anoncvs/sup/ss > /dev/null
248: X0 3 * * 1,3,6 sup -vo /open/anoncvs/sup/ss > /dev/null
249: X
250: Xanoncvs5.usa.openbsd.org uses this particular set of entries. A `sup
251: X-o' is done every few days because sup is not very robust.
252: X
253: X**********************************************************************
254: XEXAMPLE LAYOUT
255: X
256: XExample layout for OpenBSD. In this example "deraadt" is the $SUPUSER.
1.3 deraadt 257: X
258: X[eap open 5 ]> cd /open
259: X[eap open 6 ]> ls -alF
260: Xtotal 46
261: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./
262: Xdrwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../
263: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 anoncvs/
264: X---s--x--x 1 root bin 16384 Nov 30 1995 anoncvssh*
265: Xlrwxr-xr-x 1 root wheel 11 Jan 3 21:52 cvs@ -> anoncvs/cvs
266: Xdrwxr-xr-x 5 root wheel 512 Feb 22 13:22 ftp/
267: Xdrwxrwxrwt 2 anoncvs wheel 1024 Jan 1 13:18 lost+found/
268: Xdrwxr-xr-x 4 root wheel 512 Nov 30 1995 src/
269: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 sup/
270: X[eap open 7 ]> cd anoncvs
271: X[eap anoncvs 8 ]> ls -alF
272: Xtotal 20
273: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ./
274: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
275: X-r--r--r-- 1 root wheel 0 Nov 30 1995 .hushlogin
276: X-r--r--r-- 1 root wheel 188 Nov 30 1995 .plan
277: X-r--r--r-- 1 root wheel 0 Nov 29 1995 .profile
1.10 beck 278: Xdrwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 bin/
1.3 deraadt 279: Xdrwxrwxr-x 6 deraadt cvs 512 Jun 16 20:28 cvs/
280: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 dev/
281: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 etc/
282: Xdrwxrwxrwx 3 root wheel 512 Jun 22 07:42 tmp/
283: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 usr/
284: Xdrwxr-xr-x 2 root wheel 512 Jan 3 21:55 var/
285: X[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev
286: Xbin:
287: Xtotal 948
1.10 beck 288: Xdrwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 ./
1.3 deraadt 289: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
290: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 cat*
291: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 pwd*
292: X--wx--x--x 1 deraadt wheel 122880 Jun 18 09:45 rm*
293: X--wx--x--x 1 deraadt wheel 262144 Jun 18 09:45 sh*
294: X
295: Xdev:
296: Xtotal 4
297: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 ./
298: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
299: Xcrw-rw-rw- 1 root wheel 2, 2 Nov 30 1995 null
300: X
301: Xetc:
302: Xtotal 112
303: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 ./
304: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
305: X-rw-r--r-- 1 root wheel 252 Nov 29 1995 group
306: X-rw-r--r-- 1 root wheel 296 Nov 29 1995 hosts
307: X-rw-r--r-- 1 root wheel 540 Nov 29 1995 passwd
308: X-rw-r--r-- 1 root wheel 1094 Nov 29 1995 protocols
309: X-rw-r--r-- 1 root wheel 40960 Nov 29 1995 pwd.db
310: X-rw-r--r-- 1 root wheel 89 Nov 29 1995 resolv.conf
311: X-rw-r--r-- 1 root wheel 5529 Nov 29 1995 services
312: X-rw-r--r-- 1 root wheel 1361 Nov 29 1995 ttys
313: X
314: Xusr:
315: Xtotal 10
316: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ./
317: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
318: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 bin/
319: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 lib/
320: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 libexec/
321: X
322: Xusr/bin:
323: Xtotal 1968
324: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 ./
325: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
326: X--wx--x--x 1 deraadt wheel 317787 Jun 18 09:46 cvs*
327: X
328: Xusr/lib:
329: Xtotal 5594
330: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 ./
331: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
1.13 ! millert 332: X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libasn1.so.2.0
! 333: X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libc.so.28.5
! 334: X-rw-r--r-- 1 deraadt wheel 16608 Jun 18 09:50 libcrypto.so.6.0
! 335: X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libdes.so.7.0
! 336: X-rw-r--r-- 1 deraadt wheel 16665 Jun 18 09:50 libgssapi.so.1.0
! 337: X-rw-r--r-- 1 deraadt wheel 86198 Jun 18 09:50 libkafs.so.10.0
! 338: X-rw-r--r-- 1 deraadt wheel 42254 Jun 18 09:50 libkrb.so.10.0
! 339: X-rw-r--r-- 1 deraadt wheel 66099 Jun 18 09:50 libkrb5.so.4.0
! 340: X-rw-r--r-- 1 deraadt wheel 387976 Jun 18 09:50 libz.so.1.4
1.3 deraadt 341: X
342: Xusr/libexec:
343: Xtotal 100
344: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 ./
345: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
346: X-rwxr-xr-x 1 deraadt wheel 49152 Jun 18 09:47 ld.so*
347: X
348: X[eap anoncvs 14 ]> ls cvs
349: XCVSROOT/ src/ sup/ www/
1.6 deraadt 350: X[eap anoncvs 15 ]> cd /open
1.3 deraadt 351: X[eap anoncvs 16 ]> ls -alF sup
352: Xtotal 8
353: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 ./
354: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
355: Xdrwxr-xr-x 2 deraadt wheel 512 Jun 22 06:05 cvs/
356: X-rw-rw-r-- 1 deraadt wheel 54 Dec 4 1995 ss
357: X
358: X
1.7 beck 359: X***************************************************************
360: XNOTES FOR OTHER PLATFORMS:
361: X
362: XIf you're not that familiar with your other platform (i.e. you haven't
1.13 ! millert 363: Xbuilt a chroot jail for a server on it) you may be better off
1.7 beck 364: Xfinding an OpenBSD machine to use. (and duplicating the example above)
365: X
366: X**SunOS 5)
1.10 beck 367: XBob Beck <Bob.Beck@ualberta.ca> has done this. E-mail for
1.7 beck 368: Xhelp if you need it.
1.6 deraadt 369: X
1.7 beck 370: X**OSF 1)
1.6 deraadt 371: XFrom Todd Fries <toddf@acm.org> to the adventurous.
372: XA note for those installing anoncvs on non-OpenBSD operating systems.
373: XYou are in for some fun.
374: X
375: XFor OSF1, on a DEC alpha, I had to do the following in addition to the
376: Xabove:
377: X
378: X- I do not know how to setup dynamic libraries on osf1 and as a result
379: X everything had to be compiled statically.
380: X- Therefore, everything but /bin/sh I had to recmpile in order to
381: X get the chroot setup. In order that there be no guesswork
382: X involved, the following packages' binaries must exist in the chroot
383: X environment:
384: X
385: X GNU
386: X cvs (from the OpenBSD source tree)
387: X
388: XSome notes on compiling.
389: X
390: X cvs fails to install if you don't have makeinfo ... just search for the
391: X string ' install-info$' with regex and remove it from the Makefile for the
392: X install and you'll be fine, or install 'texinfo', your choice.
1.1 deraadt 393: END-of-README
394: echo x - anoncvssh.c
395: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
396: X/*
397: X * anoncvssh
398: X */
399: X
1.4 deraadt 400: X#include <stdio.h>
401: X#include <stdlib.h>
402: X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
403: X#include <paths.h>
404: X#endif
405: X#include <pwd.h>
406: X#include <unistd.h>
407: X#include <sys/types.h>
408: X
409: X#ifndef __CONCAT
410: X#if defined(__STDC__) || defined(__cplusplus)
411: X#define __CONCAT(x,y) x ## y
412: X#else
413: X#define __CONCAT(x,y) x/**/y
414: X#endif
415: X#endif
416: X
417: X#ifndef __CONCAT3
418: X#if defined(__STDC__) || defined(__cplusplus)
419: X#define __CONCAT3(x,y,z) x ## y ## z
420: X#else
421: X#define __CONCAT3(x,y,z) x/**/y/**/z
422: X#endif
423: X#endif
424: X
425: X#ifndef __P
426: X#if defined(__STDC__) || defined(__cplusplus)
427: X#define __P(protos) protos /* full-blown ANSI C */
428: X#else
429: X#define __P(protos) () /* traditional C preprocessor */
430: X#endif
431: X#endif
432: X
433: X/*
434: X * You may need to change this path to ensure that RCS, CVS and diff
435: X * can be found
436: X */
437: X#ifndef _PATH_DEFPATH
438: X#define _PATH_DEFPATH "/bin:/usr/bin"
439: X#endif
440: X
441: X/*
442: X * This should not normally have to be changed
443: X */
444: X#ifndef _PATH_BSHELL
445: X#define _PATH_BSHELL "/bin/sh"
446: X#endif
447: X
448: X/*
449: X * Location of CVS tree, relative to the anonymous CVS user's
450: X * home directory
451: X */
452: X#ifndef LOCALROOT
453: X#define LOCALROOT "/cvs"
454: X#endif
455: X
456: X/*
457: X * Account and host name to be used when accessing the
458: X * CVS repository remotely
459: X */
460: X#ifndef HOSTNAME
461: X#define HOSTNAME "anoncvs@anoncvs1.usa.openbsd.org"
462: X#endif
463: X
464: X/*
465: X * $CVSROOT is created based on HOSTNAME and LOCALROOT above
466: X */
1.1 deraadt 467: X#ifndef CVSROOT
1.4 deraadt 468: X#define CVSROOT __CONCAT3(HOSTNAME,":",LOCALROOT)
1.1 deraadt 469: X#endif
470: X
1.8 beck 471: X/*
472: X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
473: X * You may undefine this if you aren't going to be running pserver.
474: X */
475: X#ifndef PSERVER_SUPPORT
476: X#define PSERVER_SUPPORT
477: X#endif
478: X
479: X/*
480: X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
481: X * using syslog()
482: X */
483: X#define USE_SYSLOG
484: X
485: X#ifdef USE_SYSLOG
486: X#include <string.h>
487: X#include <syslog.h>
488: X#include <netinet/in.h>
489: X#include <sys/socket.h>
490: X#include <arpa/inet.h>
491: X#define LOG_FACILITY LOG_DAEMON
492: X#define LOG_PRIO LOG_INFO
493: X#endif
494: X
495: X/* Define ANONCVS_USER if you want anoncvssh to complain if invoked by
496: X * anyone other than root or ANONCVS_USER.
497: X */
498: X/* #define ANONCVS_USER "anoncvs" */
499: X
1.4 deraadt 500: Xint main __P((int, char *[]));
501: X
502: Xchar * const env[] = {
503: X __CONCAT("PATH=",_PATH_DEFPATH),
504: X __CONCAT("SHELL=",_PATH_BSHELL),
505: X __CONCAT("CVSROOT=",LOCALROOT),
506: X "HOME=/",
507: X "CVSREADONLYFS=1",
508: X NULL
509: X};
1.1 deraadt 510: X
511: Xint
512: Xmain(argc, argv)
513: Xint argc;
514: Xchar *argv[];
515: X{
516: X struct passwd *pw;
1.5 deraadt 517: X#ifdef DEBUG
518: X int i;
519: X#endif /* DEBUG */
1.1 deraadt 520: X
521: X pw = getpwuid(getuid());
522: X if (pw == NULL) {
523: X fprintf(stderr, "no user for uid %d\n", getuid());
524: X exit(1);
525: X }
526: X if (pw->pw_dir == NULL) {
527: X fprintf(stderr, "no directory\n");
528: X exit(1);
529: X }
1.8 beck 530: X
531: X#ifdef USE_SYSLOG
532: X openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
533: X#endif /* USE_SYSLOG */
534: X
535: X#ifdef ANONCVS_USER
536: X /*
537: X * I love lusers who have to test every setuid binary on my machine.
538: X */
539: X if (getuid() != 0 && (strcmp (pw->pw_name, ANONCVS_USER) != 0)) {
540: X fprintf(stderr, "You're not supposed to be running me!\n");
541: X#ifdef USE_SYSLOG
542: X syslog(LOG_NOTICE,
543: X "User %s(%d) invoked anoncvssh - Possible twink?",
544: X pw->pw_name, pw->pw_uid);
545: X#endif /* USE_SYSLOG */
546: X exit(1);
547: X }
548: X#endif /* ANONCVS_USER */
549: X
550: X
1.11 millert 551: X setuid(0);
1.1 deraadt 552: X if (chroot(pw->pw_dir) == -1) {
553: X perror("chroot");
554: X exit (1);
555: X }
556: X chdir("/");
1.11 millert 557: X setuid(pw->pw_uid);
1.1 deraadt 558: X
559: X /*
560: X * program now "safe"
561: X */
1.6 deraadt 562: X
1.8 beck 563: X#ifdef PSERVER_SUPPORT
1.6 deraadt 564: X /* If we want pserver functionality */
1.8 beck 565: X if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
566: X#ifdef USE_SYSLOG
567: X int slen;
568: X struct sockaddr_in my_sa, peer_sa;
569: X char *us, *them;
570: X
571: X slen = sizeof(my_sa);
572: X if (getsockname(0, (struct sockaddr *) &my_sa, &slen)
573: X != 0) {
574: X perror("getsockname");
575: X exit(1);
576: X }
577: X us = strdup(inet_ntoa(my_sa.sin_addr));
578: X if (us == NULL) {
579: X fprintf(stderr, "malloc failed\n");
580: X exit(1);
581: X }
582: X slen = sizeof(peer_sa);
583: X if (getpeername(0, (struct sockaddr *) &peer_sa, &slen)
584: X != 0) {
585: X perror("getpeername");
586: X exit(1);
587: X }
588: X them=strdup(inet_ntoa(peer_sa.sin_addr));
589: X if (them == NULL) {
590: X fprintf(stderr, "malloc failed\n");
591: X exit(1);
592: X }
593: X syslog(LOG_PRIO,
594: X "pserver connection from %s:%d to %s:%d\n",
595: X them, ntohs(peer_sa.sin_port),
596: X us, ntohs(my_sa.sin_port));
597: X#endif /* USE_SYSLOG */
1.11 millert 598: X execle("/usr/bin/cvs", "cvs",
599: X __CONCAT("--allow-root=",LOCALROOT), "pserver", NULL, env);
1.6 deraadt 600: X perror("execle: cvs");
601: X fprintf(stderr, "unable to exec CVS pserver!\n");
602: X exit(1);
603: X /* NOTREACHED */
604: X }
1.8 beck 605: X#endif
1.1 deraadt 606: X
607: X if (argc != 3 ||
608: X strcmp("anoncvssh", argv[0]) != 0 ||
609: X strcmp("-c", argv[1]) != 0 ||
1.5 deraadt 610: X (strcmp("cvs server", argv[2]) != 0 &&
611: X strcmp(__CONCAT3("cvs -d ",LOCALROOT," server"), argv[2]) != 0)) {
1.1 deraadt 612: X fprintf(stderr, "\nTo use anonymous CVS install the latest ");
613: X fprintf(stderr,"version of CVS on your local machine.\n");
614: X fprintf(stderr,"Then set your CVSROOT environment variable ");
615: X fprintf(stderr,"to the following value:\n");
616: X fprintf(stderr,"\t%s\n\n", CVSROOT);
1.5 deraadt 617: X#ifdef DEBUG
618: X fprintf(stderr, "argc = %d\n", argc);
619: X for (i = 0 ; i < argc ; i++)
620: X fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
621: X#endif /* DEBUG */
1.1 deraadt 622: X sleep(10);
623: X exit(0);
624: X }
1.4 deraadt 625: X execle("/usr/bin/cvs", "cvs", "server", NULL, env);
626: X perror("execle: cvs");
1.1 deraadt 627: X fprintf(stderr, "unable to exec CVS server!\n");
628: X exit(1);
1.5 deraadt 629: X /* NOTREACHED */
1.1 deraadt 630: X}
631: X
632: END-of-anoncvssh.c
633: exit
634: