Annotation of www/anoncvs.shar, Revision 1.19
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
1.6 deraadt 9: # Makefile
1.1 deraadt 10: # README
11: # anoncvssh.c
12: #
1.6 deraadt 30: echo x - Makefile
31: sed 's/^X//' >Makefile << 'END-of-Makefile'
32: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
33: XPROG= anoncvssh
34: XBINOWN= root
35: XBINMODE=4111
36: XBINDIR=/open
37: XNOMAN=
38: X
39: X.include <bsd.prog.mk>
40: X
41: END-of-Makefile
1.1 deraadt 42: echo x - README
43: sed 's/^X//' >README << 'END-of-README'
44: X
1.16 millert 45: X So, you want to run an anoncvs server.
1.7 beck 46: X
47: X A summary of the steps you'll need to do is:
48: X
1.16 millert 49: X1) Find enough disk space to hold the anoncvs tree, and mount it in an
1.14 millert 50: X appropriate place.
1.7 beck 51: X
52: X2) Compile and install anoncvssh, the shell used for the anoncvs user.
53: X ( If you aren't using OpenBSD you'll probably need to compile a sup
1.16 millert 54: X client as well. The easier path is to use OpenBSD ;).
1.7 beck 55: X
56: X3) Add the anoncvs user to the password file, with no password, and
1.14 millert 57: X anoncvssh as its shell. Decide on a user that will run sup to maintain
1.16 millert 58: X the archive (this is a different user, NOT the anoncvs user).
1.7 beck 59: X
1.14 millert 60: X4) Make a home directory for the anoncvs user. The anoncvs user's
61: X home directory is a chroot jail in which the anoncvssh processes
62: X run when servicing anoncvs requests. The jail must contain the
63: X cvs binary as well as whatever shared libraries and support files
64: X are needed to run them unless you compile and link everything
1.16 millert 65: X statically. This example shows what is needed for OpenBSD. If you
1.14 millert 66: X use another platform you'll need to be familiar with what needs
67: X to go in a chroot jail for your platform.
1.7 beck 68: X
69: X5) Get permission to use sup to obtain the cvs tree from a server.
1.1 deraadt 70: X
1.16 millert 71: X6) Set up sup to retrieve the cvs tree from an appropriate place.
1.7 beck 72: X (If you aren't using OpenBSD you will need to compile and install
73: X a sup client).
1.6 deraadt 74: X
1.16 millert 75: X7) Run sup to retrieve the distribution from the server.
1.3 deraadt 76: X
1.16 millert 77: X8) Once you get the distribution in, set up a cron job to run sup
1.7 beck 78: X periodically to keep your server up to date.
1.6 deraadt 79: X
1.19 ! beck 80: X9) Enabling OpenCVS anoncvs.
! 81: X
1.7 beck 82: X**********************************************************************
83: XSTEP 1) find enough disk space.
1.16 millert 84: X You need roughly 2GB.
1.14 millert 85: X Mount it on /open.
86: X If you are not able to mount it as /open, substitute its location
1.16 millert 87: X throughout the rest of this description.
1.6 deraadt 88: X
1.7 beck 89: X**********************************************************************
1.16 millert 90: XSTEP 2) compile the anoncvssh binary.
91: X Set HOSTNAME near the top of anoncvssh.c to the name clients will
X use for your server. It only feeds the CVSROOT printed in the usage
X message when the shell is invoked wrongly; inside the jail the server
X always uses LOCALROOT.
1.14 millert 92: X Install the binary setuid-root in /open/anoncvssh.
1.1 deraadt 93: X
1.7 beck 94: X**********************************************************************
1.16 millert 95: XSTEP 3) Create the anoncvs account and decide who will run "sup"
1.14 millert 96: X to maintain the archive. The anoncvs account should *NOT* be the one
97: X running sup to maintain the archive.
1.1 deraadt 98: X
1.9 beck 99: Xcreate an account similar to:
100: X
1.18 millert 101: X anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
1.4 deraadt 102: X
1.16 millert 103: XYes, that is right - the account has no password. Be sure that the
1.14 millert 104: Xuid and gid are unique for your system, if the ones above aren't,
105: Xpick different values.
1.16 millert 106: X
107: XDecide who will run sup to maintain the archive. Call that user
1.14 millert 108: X$SUPUSER. Oh, and in case it hasn't been previously mentioned,
1.16 millert 109: X$SUPUSER should *NOT* be the anoncvs user :).
110: X
111: XSet "PermitEmptyPasswords yes" in /etc/ssh/sshd_config and restart
112: Xsshd. That option is host-wide: every account whose password field is
Xempty becomes reachable over ssh, not just anoncvs, so check that
Xanoncvs is the only such account before you turn it on. The anoncvs
Xlogin is safe only because its shell is the setuid wrapper; never give
Xit a real shell.
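The shell functions below are an added example and are not part of anoncvs.shar. They check the account setup described in this step against a file in master.passwd(5) or passwd(5) layout (login and password are the first two fields, home and shell the last two in either format), so they can be run against /etc/master.passwd or against the constructed sample they write themselves. The sample deliberately includes the opencvs entry from STEP 9 with the same uid as anoncvs, which is exactly the mistake the duplicate-uid check is there to catch.

```sh
#!/bin/sh
# Added example, not part of anoncvs.shar. Checks for STEP 3. The
# functions read a file in master.passwd(5) or passwd(5) layout
# (login:password:uid:... with home and shell as the last two fields).

# Write a constructed sample so the checks can be exercised without
# touching /etc/master.passwd. The opencvs line is the one from STEP 9
# and deliberately reuses anoncvs's uid and gid; the hashes are dummies.
write_sample_master_passwd() {
    cat > "$1" <<'EOF'
root:$2b$08$constructedhashconstructedhashconstructedha:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
deraadt:$2b$08$constructedhashconstructedhashconstructedha:1000:1000:staff:0:0:Sup User:/home/deraadt:/bin/ksh
anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
opencvs::32766:32766::0:0:Anonymous OpenCVS User:/open/anoncvs:/open/anoncvssh
EOF
}

# Every login whose password field is empty. With PermitEmptyPasswords
# yes in sshd_config each of these is reachable over ssh, so the list
# should contain nothing but the anoncvs (and opencvs) accounts.
empty_password_accounts() {
    awk -F: '!/^#/ && NF >= 7 && $2 == "" { print $1 }' "$1"
}

# Every uid used by more than one account, lowest first.
duplicate_uids() {
    awk -F: '!/^#/ && NF >= 7 { n[$3]++ }
             END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# Succeed if uid $2 is not yet used by any account in file $1.
uid_is_free() {
    if awk -F: -v uid="$2" '!/^#/ && NF >= 7 && $3 == uid { found = 1 }
                            END { exit found ? 0 : 1 }' "$1"; then
        return 1
    fi
    return 0
}

# The anoncvs login must have the setuid wrapper as its shell and the
# jail as its home: anoncvssh chroots to pw_dir, so a real shell here
# hands out an unrestricted login and a wrong home chroots to the
# wrong tree.
anoncvs_entry_ok() {
    awk -F: '$1 == "anoncvs" { ok = ($NF == "/open/anoncvssh" && $(NF-1) == "/open/anoncvs") }
             END { exit ok ? 0 : 1 }' "$1"
}

# Run every check against a file; prints findings, succeeds only if clean.
check_accounts() {
    rc=0
    for u in $(empty_password_accounts "$1"); do
        case "$u" in
            anoncvs|opencvs) ;;
            *) echo "empty password: $u"; rc=1 ;;
        esac
    done
    for uid in $(duplicate_uids "$1"); do
        echo "uid $uid is used by more than one account"; rc=1
    done
    anoncvs_entry_ok "$1" || { echo "anoncvs entry: wrong shell or home"; rc=1; }
    return $rc
}

# Typical use on the server: . ./accounts.sh; check_accounts /etc/master.passwd
```

Running check_accounts on the sample reports "uid 32766 is used by more than one account" and fails; on a correctly set up host it prints nothing and succeeds.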
1.7 beck 113: X
114: X**********************************************************************
1.14 millert 115: XSTEP 4) Build the anoncvs user's home directory chroot jail. This
116: X example assumes that you're using OpenBSD. If you're not you
117: X may need different files in the chroot.
1.4 deraadt 118: X
1.1 deraadt 119: Xmkdir /open/anoncvs
120: Xmkdir /open/anoncvs/cvs
1.6 deraadt 121: Xmkdir /open/anoncvs/sup
122: Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs
1.1 deraadt 123: X
1.14 millert 124: XStart filling the account up with nice stuff. You are building a chroot
1.7 beck 125: Xjail for anoncvs in /open/anoncvs.
126: X
1.1 deraadt 127: X cd /open/anoncvs
128: X touch .hushlogin
129: X touch .profile
130: X
1.14 millert 131: XPut a message like the following in .plan:
1.16 millert 132: X To use anonymous CVS install the latest version of CVS on your local
1.6 deraadt 133: X machine.
1.1 deraadt 134: X Then set your CVSROOT environment variable to the following value:
135: X anoncvs@anoncvs.openbsd.org:/cvs
136: X
1.14 millert 137: X chown root:wheel .hushlogin .profile .plan
1.1 deraadt 138: X
139: X mkdir bin dev tmp usr var etc
140: X cp /bin/{cat,pwd,rm,sh} bin/
141: X
1.14 millert 142: XUsing mknod, make a dev/null that has the same major/minor numbers as
1.1 deraadt 143: X your /dev/null (ls -l /dev/null shows them), and make it mode 666.
144: X
1.16 millert 145: XSome shared library systems require a dev/zero created in the same way.
1.1 deraadt 146: X
1.14 millert 147: XFill etc space for the account
1.1 deraadt 148: X cp /etc/{group,hosts,passwd,protocols} etc/
149: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
150: X modify these files to suit your idea of system security
151: X
1.14 millert 152: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses
1.16 millert 153: Xa tiny extension provided in the OpenBSD cvs server code which
154: Xpermits the use of read-only cvs repositories, therefore you MUST
155: Xcompile the OpenBSD version of cvs: a stock GNU cvs ignores that
Xvariable and tries to create lock files inside the repository on every
Xread. Luckily this is not a problem on a non-OpenBSD machine, since
156: Xthe cvs sources are imported verbatim into the OpenBSD tree. They are
157: Xin gnu/usr.bin/cvs. The sources are integrated in such a way that
158: XMakefile.bsd-wrapper knows how to build them on an OpenBSD machine,
1.14 millert 159: Xusing obj directories.
1.1 deraadt 160: X
1.14 millert 161: XCreate tmp space for the account
1.16 millert 162: X # (cd var && ln -s ../tmp tmp)
1.13 millert 163: X # chmod a+rwx tmp
1.1 deraadt 164: X
1.13 millert 165: X # mkdir usr/{bin,lib}
166: X # cp /usr/bin/cvs usr/bin/
1.1 deraadt 167: X
1.14 millert 168: XIf your system has ld.so in /usr/libexec,
1.13 millert 169: X # mkdir usr/libexec
170: X # cp /usr/libexec/ld.so usr/libexec/
1.1 deraadt 171: X
1.14 millert 172: XIf using shared libraries, use ldd to find out which shared libs you need:
1.13 millert 173: X # ldd /usr/bin/cvs
1.16 millert 174: X /usr/bin/cvs:
175: X Start End Type Ref Name
176: X 00000000 00000000 exe 1 /usr/bin/cvs
177: X 0015f000 20165000 rlib 1 /usr/lib/libz.so.2.0
178: X 0016d000 20172000 rlib 1 /usr/lib/libgssapi.so.2.0
179: X 0017f000 2018d000 rlib 1 /usr/lib/libkrb5.so.5.2
180: X 00141000 20145000 rlib 1 /usr/lib/libasn1.so.3.1
181: X 00089000 200ba000 rlib 1 /usr/lib/libcrypto.so.10.0
182: X 00177000 2017c000 rlib 1 /usr/lib/libdes.so.8.0
183: X 00169000 2016d000 rlib 1 /usr/lib/libcom_err.so.1.0
184: X 00009000 20053000 rlib 1 /usr/lib/libc.so.30.0
185: X 00002000 00002000 rtld 1 /usr/libexec/ld.so
1.13 millert 186: X
187: X and then copy the required libraries to usr/lib/
1.1 deraadt 188: X
1.14 millert 189: XAs a final pass, make sure that all the files you have just created are
190: Xnot world writable (except dev/null and the tmp directory itself).
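The helpers below are an added example, not code from anoncvs.shar. They do the mechanical parts of this step (copying the binaries, working out the shared objects from ldd output, recreating dev/null with the host's device numbers, the final world-writable pass) and check the installed wrapper. They assume the OpenBSD ldd output layout shown above, a JAIL of /open/anoncvs, a WRAPPER of /open/anoncvssh and an mknod that accepts -m; populate_jail has to run as root on the server. The ldd listing and ls -l lines used to exercise them are constructed from the examples on this page.

```sh
#!/bin/sh
# Added example, not part of anoncvs.shar. Helpers for STEP 4: they
# work out what has to be copied into the jail from ldd(1) output,
# recreate dev/null with the host's device numbers, and audit the
# finished jail. JAIL is the chroot directory (/open/anoncvs in the
# README) and WRAPPER the setuid binary installed by the Makefile.
JAIL=${JAIL:-/open/anoncvs}
WRAPPER=${WRAPPER:-/open/anoncvssh}

# Read ldd(1) output on stdin ("Start End Type Ref Name" layout, as in
# the README) and print the path of every shared library (rlib) and of
# the run-time linker (rtld). The exe line and the header are skipped.
ldd_objects() {
    awk '$3 == "rlib" || $3 == "rtld" { print $NF }'
}

# Turn one "ls -l" line for a character device into "major minor".
devnode_numbers() {
    printf '%s\n' "$1" | awk '{ sub(",", "", $5); print $5, $6 }'
}

# Copy the shell utilities, cvs and everything ldd reports for cvs into
# the jail, keeping the /usr/lib and /usr/libexec layout, then create
# dev/null with the same numbers as the host's. Must run as root.
populate_jail() {
    for bin in /bin/cat /bin/pwd /bin/rm /bin/sh /usr/bin/cvs; do
        mkdir -p "$JAIL$(dirname "$bin")" && cp -p "$bin" "$JAIL$bin" || return 1
    done
    ldd /usr/bin/cvs | ldd_objects | while read -r obj; do
        mkdir -p "$JAIL$(dirname "$obj")" && cp -p "$obj" "$JAIL$obj" || exit 1
    done || return 1
    set -- $(devnode_numbers "$(ls -lL /dev/null)")
    mkdir -p "$JAIL/dev"
    [ -c "$JAIL/dev/null" ] || mknod -m 666 "$JAIL/dev/null" c "$1" "$2"
}

# Print everything in the jail that is world-writable apart from what
# the README allows (dev/null and the tmp directory itself). Symlinks
# are skipped since their mode bits mean nothing. Prints nothing when
# the jail is clean; files clients have left behind in tmp do show up.
jail_world_writable() {
    jail=${1:-$JAIL}
    find "$jail" ! -type l -perm -0002 \
        ! -path "$jail/dev/null" ! -path "$jail/tmp" -print
}

# The wrapper must be root-owned and mode 4111 (---s--x--x), as the
# Makefile installs it: setuid so it can chroot(2), and unreadable so
# nobody can copy the binary out of the box. Takes one "ls -l" line.
wrapper_line_ok() {
    set -- $1
    case "$1" in
        ---s--x--x*) [ "$3" = root ] ;;
        *) false ;;
    esac
}

wrapper_ok() {
    wrapper_line_ok "$(ls -ldL "${1:-$WRAPPER}")"
}

# Typical use on the server, as root:
#   . ./jailtools.sh; populate_jail && jail_world_writable && wrapper_ok
```

jail_world_writable prints nothing on a clean jail, so it is usable straight from cron as a drift check after every sup run; wrapper_line_ok rejects the common mistake of installing the wrapper 4755, which leaves it readable.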
1.1 deraadt 191: X
1.7 beck 192: XFor :pserver: support (optional)
193: X - Create an entry in /etc/services
1.16 millert 194: X cvspserver 2401/tcp # CVS client/server operations
1.7 beck 195: X - Create an entry in /etc/inetd.conf
1.16 millert 196: X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
1.11 millert 197: X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
1.16 millert 198: X anoncvs:AHDysQkJIubEc
1.11 millert 199: X which would be a password of "anoncvs" (as per anoncvs.html)
200: X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
1.16 millert 201: X anoncvs
1.11 millert 202: X which tells cvs that user "anoncvs" is allowed readonly access.
203: X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
204: X want anyone to be able to write to the mirror.
1.16 millert 205: X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
1.7 beck 206: X
207: XSee the example layout below for full details.
208: X
209: X**********************************************************************
1.16 millert 210: XSTEP 5): Get sup permission.
1.7 beck 211: Xsend mail to sup@openbsd.org
212: X1) to have sup permissions granted on an appropriate machine for you
1.10 beck 213: X to sup from. We will need to know your host's real hostname and
214: X IP address.
1.16 millert 215: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created.
1.3 deraadt 216: X3) to have your site mentioned in the http://www.openbsd.org page.
217: X
1.7 beck 218: X**********************************************************************
1.16 millert 219: XSTEP 6): Configure sup.
1.7 beck 220: X
221: XIf you're running OpenBSD, you already have a sup client in
222: X/usr/bin/sup. If not you may need to build it. On an IRIX or other
1.14 millert 223: XSYSV machine, ensure that your kernel does not allow a user to chown
1.16 millert 224: Xa file to another user (you may have heard of this particular brand
225: Xof evil referred to as "chown giveaway"). This will cause sup to
1.14 millert 226: Xgive away the files to root before chmod'ing them readable.
227: Xmichaels@openbsd.org knows how to fix this.
1.7 beck 228: X
1.14 millert 229: XThe file /open/anoncvs/sup/ss contains a line that tells sup where
1.16 millert 230: Xto get the cvs tree from. It will normally contain:
1.7 beck 231: X
1.14 millert 232: X cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete
1.7 beck 233: X
1.14 millert 234: XThe file /open/anoncvs/sup/cvs/refuse tells sup what files it should not get.
1.11 millert 235: XIt should contain the following lines:
1.7 beck 236: X
237: X cvs/CVSROOT/history
1.11 millert 238: X cvs/CVSROOT/readers
239: X cvs/CVSROOT/writers
240: X cvs/CVSROOT/passwd
1.7 beck 241: X
1.16 millert 242: XIf you ever fetch the file cvs/CVSROOT/history, delete it. It will
1.7 beck 243: Xcause you problems.
244: X
245: X**********************************************************************
1.16 millert 246: XSTEP 7): Run sup to retrieve the tree for the first time.
1.7 beck 247: X
1.16 millert 248: XLog in as or become the $SUPUSER, and run
1.7 beck 249: X
250: Xsup -v /open/anoncvs/sup/ss > $HOME/suplog & tail -f $HOME/suplog
X
X(Log under $SUPUSER's own home rather than to a fixed name in /tmp,
Xwhere another local user could have planted a symlink first.)
251: X
252: XIf you have sup permission, and have specified the correct host and
253: Xhostbase in /open/anoncvs/sup/ss you should see a list of files start
254: Xcoming in after a short while. Don't panic if nothing happens
255: Ximmediately. Watch for errors (sup can timeout or die). If you can't
1.16 millert 256: Xaccess files contact the sup server maintainer. If you get a timeout
1.7 beck 257: Xor if sup dies you can restart and it should continue where it left off.
258: X
259: XIt can take a good while (and a couple of restarts) to obtain the
260: Xwhole tree for the first time.
261: X
262: X**********************************************************************
263: XSTEP 8): Set up cron to keep the tree up to date.
264: X
265: XYou run sup periodically from the cron by setting up the crontab file
266: Xof the $SUPUSER.
267: X
268: XFor example: To run every three hours 'sup -v supfile', and thrice
269: Xweekly 'sup -vo supfile' .. because sup is not reliable ..
270: X
271: X0 0,3,6,9,12,15,18,21 * * 0,2,4,5 sup -v /open/anoncvs/sup/ss > /dev/null
272: X0 0,12,15,18,21 * * 1,3,6 sup -v /open/anoncvs/sup/ss > /dev/null
273: X0 3 * * 1,3,6 sup -vo /open/anoncvs/sup/ss > /dev/null
274: X
275: Xanoncvs5.usa.openbsd.org uses this particular set of entries. A `sup
276: X-o' is done every few days because sup is not very robust.
277: X
278: X**********************************************************************
1.19 ! beck 279: XSTEP 9): Enabling OpenCVS anoncvs.
! 280: X
! 281: XThe next step is to enable OpenCVS, which will run on your system next
! 282: Xto the normal GNU cvs server. This will become the default in the
! 283: Xfuture.
! 284: X
! 285: XFirst off, create a new user account "opencvs" like you did for your
! 286: Xnormal anoncvs user:
! 287: X
! 288: Xopencvs::32766:32766::0:0:Anonymous OpenCVS User:/open/anoncvs:/open/anoncvssh
! 289: X
! 290: XBe sure that the uid and gid are unique for your system. The line
! 291: Xabove was copied from the anoncvs entry and still carries anoncvs's
Xuid and gid; give opencvs its own. anoncvssh identifies the caller with
Xgetpwuid(getuid()), so if the two accounts share a uid only one of them
Xwill ever be recognised.
! 292: X
XMake sure anoncvssh.c defines OPENCVS_USER (it does by default):
! 293: X
! 294: X#define OPENCVS_USER "opencvs"
! 295: X
! 296: XRecompile anoncvssh.c and install the binary setuid-root in /open/anoncvssh.
! 296: X
! 297: XCompile and install a current /usr/bin/opencvs.
! 298: X
! 299: XCopy /usr/bin/opencvs to /open/anoncvs/usr/bin/opencvs
! 300: X
! 301: XYou can now use OpenCVS anoncvs by using the correct CVSROOT:
! 302: X
! 303: X opencvs@anoncvs.openbsd.org:/cvs
! 304: X
! 305: XIf you encounter bugs, send them to joris@openbsd.org
! 306: X
! 307: X**********************************************************************
1.7 beck 308: XEXAMPLE LAYOUT
309: X
310: XExample layout for OpenBSD. In this example "deraadt" is the $SUPUSER.
1.3 deraadt 311: X
312: X[eap open 5 ]> cd /open
1.16 millert 313: X[eap open 6 ]> ls -alF
1.3 deraadt 314: Xtotal 46
315: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./
316: Xdrwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../
317: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 anoncvs/
318: X---s--x--x 1 root bin 16384 Nov 30 1995 anoncvssh*
319: Xlrwxr-xr-x 1 root wheel 11 Jan 3 21:52 cvs@ -> anoncvs/cvs
320: Xdrwxr-xr-x 5 root wheel 512 Feb 22 13:22 ftp/
321: Xdrwxrwxrwt 2 anoncvs wheel 1024 Jan 1 13:18 lost+found/
322: Xdrwxr-xr-x 4 root wheel 512 Nov 30 1995 src/
323: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 sup/
324: X[eap open 7 ]> cd anoncvs
325: X[eap anoncvs 8 ]> ls -alF
326: Xtotal 20
327: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ./
328: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
329: X-r--r--r-- 1 root wheel 0 Nov 30 1995 .hushlogin
330: X-r--r--r-- 1 root wheel 188 Nov 30 1995 .plan
331: X-r--r--r-- 1 root wheel 0 Nov 29 1995 .profile
1.10 beck 332: Xdrwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 bin/
1.3 deraadt 333: Xdrwxrwxr-x 6 deraadt cvs 512 Jun 16 20:28 cvs/
334: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 dev/
335: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 etc/
336: Xdrwxrwxrwx 3 root wheel 512 Jun 22 07:42 tmp/
337: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 usr/
338: Xdrwxr-xr-x 2 root wheel 512 Jan 3 21:55 var/
339: X[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev
340: Xbin:
341: Xtotal 948
1.10 beck 342: Xdrwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 ./
1.3 deraadt 343: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
344: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 cat*
345: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 pwd*
346: X--wx--x--x 1 deraadt wheel 122880 Jun 18 09:45 rm*
347: X--wx--x--x 1 deraadt wheel 262144 Jun 18 09:45 sh*
348: X
349: Xdev:
350: Xtotal 4
351: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 ./
352: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
353: Xcrw-rw-rw- 1 root wheel 2, 2 Nov 30 1995 null
354: X
355: Xetc:
356: Xtotal 112
357: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 ./
358: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
359: X-rw-r--r-- 1 root wheel 252 Nov 29 1995 group
360: X-rw-r--r-- 1 root wheel 296 Nov 29 1995 hosts
361: X-rw-r--r-- 1 root wheel 540 Nov 29 1995 passwd
362: X-rw-r--r-- 1 root wheel 1094 Nov 29 1995 protocols
363: X-rw-r--r-- 1 root wheel 40960 Nov 29 1995 pwd.db
364: X-rw-r--r-- 1 root wheel 89 Nov 29 1995 resolv.conf
365: X-rw-r--r-- 1 root wheel 5529 Nov 29 1995 services
366: X-rw-r--r-- 1 root wheel 1361 Nov 29 1995 ttys
367: X
368: Xusr:
369: Xtotal 10
370: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ./
371: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
372: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 bin/
373: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 lib/
374: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 libexec/
375: X
376: Xusr/bin:
377: Xtotal 1968
378: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 ./
379: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
380: X--wx--x--x 1 deraadt wheel 317787 Jun 18 09:46 cvs*
381: X
382: Xusr/lib:
383: Xtotal 5594
384: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 ./
385: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
1.13 millert 386: X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libasn1.so.2.0
387: X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libc.so.28.5
388: X-rw-r--r-- 1 deraadt wheel 16608 Jun 18 09:50 libcrypto.so.6.0
389: X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libdes.so.7.0
390: X-rw-r--r-- 1 deraadt wheel 16665 Jun 18 09:50 libgssapi.so.1.0
391: X-rw-r--r-- 1 deraadt wheel 86198 Jun 18 09:50 libkafs.so.10.0
392: X-rw-r--r-- 1 deraadt wheel 42254 Jun 18 09:50 libkrb.so.10.0
393: X-rw-r--r-- 1 deraadt wheel 66099 Jun 18 09:50 libkrb5.so.4.0
394: X-rw-r--r-- 1 deraadt wheel 387976 Jun 18 09:50 libz.so.1.4
1.3 deraadt 395: X
396: Xusr/libexec:
397: Xtotal 100
398: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 ./
399: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
400: X-rwxr-xr-x 1 deraadt wheel 49152 Jun 18 09:47 ld.so*
401: X
402: X[eap anoncvs 14 ]> ls cvs
403: XCVSROOT/ src/ sup/ www/
1.6 deraadt 404: X[eap anoncvs 15 ]> cd /open
1.3 deraadt 405: X[eap anoncvs 16 ]> ls -alF sup
406: Xtotal 8
407: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 ./
408: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
409: Xdrwxr-xr-x 2 deraadt wheel 512 Jun 22 06:05 cvs/
410: X-rw-rw-r-- 1 deraadt wheel 54 Dec 4 1995 ss
411: X
412: X
1.7 beck 413: X***************************************************************
414: XNOTES FOR OTHER PLATFORMS:
415: X
416: XIf you're not that familiar with your other platform (i.e. you haven't
1.13 millert 417: Xbuilt a chroot jail for a server on it) you may be better off
1.16 millert 418: Xfinding an OpenBSD machine to use and duplicating the example above.
1.7 beck 419: X
420: X**SunOS 5)
1.10 beck 421: XBob Beck <Bob.Beck@ualberta.ca> has done this. E-mail for
1.7 beck 422: Xhelp if you need it.
1.6 deraadt 423: X
1.7 beck 424: X**OSF 1)
1.6 deraadt 425: XFrom Todd Fries <toddf@acm.org> to the adventurous.
426: XA note for those installing anoncvs on non-OpenBSD operating systems.
427: XYou are in for some fun.
428: X
429: XFor OSF1, on a DEC alpha, I had to do the following in addition to the
430: Xabove:
431: X
432: X- I do not know how to setup dynamic libraries on osf1 and as a result
433: X everything had to be compiled statically.
434: X- Therefore, everything but /bin/sh I had to recompile in order to
435: X get the chroot setup. In order that there be no guesswork
436: X involved, the following packages' binaries must exist in the chroot
437: X environment:
438: X
439: X GNU
440: X cvs (from the OpenBSD source tree)
441: X
442: XSome notes on compiling.
443: X
444: X cvs fails to install if you don't have makeinfo ... just search for the
445: X string ' install-info$' with regex and remove it from the Makefile for the
446: X install and you'll be fine, or install 'texinfo', your choice.
1.1 deraadt 447: END-of-README
448: echo x - anoncvssh.c
449: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
450: X/*
1.15 millert 451: X * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
452: X * Copyright (c) 1997 Bob Beck <beck@obtuse.com>
453: X * Copyright (c) 1996 Thorsten Lockert <tholo@sigmasoft.com>
454: X *
455: X * Permission to use, copy, modify, and distribute this software for any
456: X * purpose with or without fee is hereby granted, provided that the above
457: X * copyright notice and this permission notice appear in all copies.
458: X *
459: X * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
460: X * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
461: X * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
462: X * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
463: X * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
464: X * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
465: X * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.1 deraadt 466: X */
467: X
1.4 deraadt 468: X#include <stdio.h>
469: X#include <stdlib.h>
470: X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
471: X#include <paths.h>
472: X#endif
473: X#include <pwd.h>
474: X#include <unistd.h>
475: X#include <sys/types.h>
476: X
477: X#ifndef __P
478: X#if defined(__STDC__) || defined(__cplusplus)
479: X#define __P(protos) protos /* full-blown ANSI C */
480: X#else
481: X#define __P(protos) () /* traditional C preprocessor */
482: X#endif
483: X#endif
484: X
485: X/*
486: X * You may need to change this path to ensure that RCS, CVS and diff
487: X * can be found
488: X */
489: X#ifndef _PATH_DEFPATH
490: X#define _PATH_DEFPATH "/bin:/usr/bin"
491: X#endif
492: X
493: X/*
494: X * This should not normally have to be changed
495: X */
496: X#ifndef _PATH_BSHELL
497: X#define _PATH_BSHELL "/bin/sh"
498: X#endif
499: X
500: X/*
501: X * Location of CVS tree, relative to the anonymous CVS user's
502: X * home directory
503: X */
504: X#ifndef LOCALROOT
505: X#define LOCALROOT "/cvs"
506: X#endif
507: X
508: X/*
1.19 ! beck 509: X * Hostname to be used when accessing the remote repository.
1.4 deraadt 510: X */
511: X#ifndef HOSTNAME
1.19 ! beck 512: X#define HOSTNAME "anoncvs1.usa.openbsd.org"
! 513: X#endif
! 514: X
! 515: X/*
! 516: X * Username to be used when accessing the remote repository.
! 517: X */
! 518: X#ifndef USERNAME
! 519: X#define USERNAME "anoncvs"
1.4 deraadt 520: X#endif
521: X
522: X/*
1.19 ! beck 523: X * $CVSROOT is created based on USERNAME HOSTNAME and LOCALROOT above
1.4 deraadt 524: X */
1.1 deraadt 525: X#ifndef CVSROOT
1.19 ! beck 526: X#define CVSROOT USERNAME "@" HOSTNAME ":"LOCALROOT
1.1 deraadt 527: X#endif
528: X
1.8 beck 529: X/*
530: X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
531: X * You may undefine this if you aren't going to be running pserver.
532: X */
533: X#ifndef PSERVER_SUPPORT
534: X#define PSERVER_SUPPORT
535: X#endif
536: X
537: X/*
538: X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
539: X * using syslog()
540: X */
541: X#define USE_SYSLOG
542: X
543: X#ifdef USE_SYSLOG
544: X#include <string.h>
545: X#include <syslog.h>
546: X#include <netinet/in.h>
547: X#include <sys/socket.h>
548: X#include <arpa/inet.h>
549: X#define LOG_FACILITY LOG_DAEMON
550: X#define LOG_PRIO LOG_INFO
551: X#endif
552: X
553: X/* Define ANONCVS_USER if you want anoncvssh to complain if invoked by
554: X * anyone other than root or ANONCVS_USER.
555: X */
1.19 ! beck 556: X/* #define ANONCVS_USER USERNAME */
! 557: X
! 558: X/*
! 559: X * If you want to be able to run an alternate OpenCVS binary on your
! 560: X * anoncvs server, define OPENCVS_USER as the user who will invoke it.
! 561: X */
! 562: X#define OPENCVS_USER "opencvs"
1.8 beck 563: X
1.4 deraadt 564: Xint main __P((int, char *[]));
565: X
566: Xchar * const env[] = {
1.17 espie 567: X "PATH="_PATH_DEFPATH,
568: X "SHELL="_PATH_BSHELL,
569: X "CVSROOT="LOCALROOT,
1.4 deraadt 570: X "HOME=/",
571: X "CVSREADONLYFS=1",
572: X NULL
573: X};
1.1 deraadt 574: X
575: Xint
576: Xmain(argc, argv)
577: Xint argc;
578: Xchar *argv[];
579: X{
580: X struct passwd *pw;
1.5 deraadt 581: X#ifdef DEBUG
582: X int i;
583: X#endif /* DEBUG */
1.19 ! beck 584: X#if defined(OPENCVS_USER)
! 585: X int opencvs;
! 586: X#endif
1.1 deraadt 587: X
588: X pw = getpwuid(getuid());
589: X if (pw == NULL) {
590: X fprintf(stderr, "no user for uid %d\n", (int)getuid());
591: X exit(1);
592: X }
593: X if (pw->pw_dir == NULL) {
594: X fprintf(stderr, "no directory\n");
595: X exit(1);
596: X }
1.8 beck 597: X
598: X#ifdef USE_SYSLOG
599: X openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
600: X#endif /* USE_SYSLOG */
601: X
602: X#ifdef ANONCVS_USER
603: X /*
604: X * I love lusers who have to test every setuid binary on my machine.
605: X */
606: X if (getuid() != 0 && (strcmp (pw->pw_name, ANONCVS_USER) != 0)) {
607: X fprintf(stderr, "You're not supposed to be running me!\n");
608: X#ifdef USE_SYSLOG
609: X syslog(LOG_NOTICE,
610: X "User %s(%d) invoked anoncvssh - Possible twink?",
611: X pw->pw_name, (int)pw->pw_uid);
612: X#endif /* USE_SYSLOG */
613: X exit(1);
614: X }
615: X#endif /* ANONCVS_USER */
616: X
617: X
1.11 millert 618: X /*
X * Become root for real (the binary is only setuid root, so the real
X * uid is still the caller's) so that chroot(2) is permitted, lock the
X * process into the jail, then give up root for good: setuid() called
X * with euid 0 sets the real, effective and saved uids, so there is no
X * way back. Every step is checked; a silent failure here would leave
X * cvs running outside the jail or as root.
X */
X if (setuid(0) == -1) {
X perror("setuid(0)");
X exit(1);
X }
1.1 deraadt 619: X if (chroot(pw->pw_dir) == -1) {
620: X perror("chroot");
621: X exit (1);
622: X }
623: X if (chdir("/") == -1) {
X perror("chdir");
X exit(1);
X }
1.11 millert 624: X if (setuid(pw->pw_uid) == -1) {
X perror("setuid");
X exit(1);
X }
1.1 deraadt 625: X
1.19 ! beck 626: X#if defined(OPENCVS_USER)
! 627: X if (!strcmp(pw->pw_name, OPENCVS_USER))
! 628: X opencvs = 1;
! 629: X else
! 630: X opencvs = 0;
! 631: X#endif
! 632: X
1.1 deraadt 633: X /*
634: X * program now "safe"
635: X */
1.6 deraadt 636: X
1.8 beck 637: X#ifdef PSERVER_SUPPORT
1.6 deraadt 638: X /* If we want pserver functionality */
1.8 beck 639: X if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
640: X#ifdef USE_SYSLOG
641: X socklen_t slen;
642: X struct sockaddr_in my_sa, peer_sa;
643: X char *us, *them;
1.19 ! beck 644: X
! 645: X#if defined(OPENCVS_USER)
! 646: X if (opencvs == 1) {
! 647: X fprintf(stderr, "OpenCVS does not support pserver\n");
! 648: X sleep(10);
! 649: X exit(1);
! 650: X }
! 651: X#endif
! 652: X
1.8 beck 653: X slen = sizeof(my_sa);
654: X if (getsockname(0, (struct sockaddr *) &my_sa, &slen)
655: X != 0) {
656: X perror("getsockname");
657: X exit(1);
658: X }
659: X us = strdup(inet_ntoa(my_sa.sin_addr));
660: X if (us == NULL) {
661: X fprintf(stderr, "malloc failed\n");
662: X exit(1);
663: X }
664: X slen = sizeof(peer_sa);
665: X if (getpeername(0, (struct sockaddr *) &peer_sa, &slen)
666: X != 0) {
667: X perror("getpeername");
668: X exit(1);
669: X }
670: X them=strdup(inet_ntoa(peer_sa.sin_addr));
671: X if (them == NULL) {
672: X fprintf(stderr, "malloc failed\n");
673: X exit(1);
674: X }
675: X syslog(LOG_PRIO,
676: X "pserver connection from %s:%d to %s:%d\n",
677: X them, ntohs(peer_sa.sin_port),
678: X us, ntohs(my_sa.sin_port));
679: X#endif /* USE_SYSLOG */
1.11 millert 680: X execle("/usr/bin/cvs", "cvs",
1.17 espie 681: X "--allow-root="LOCALROOT, "pserver", (char *)NULL, env);
1.6 deraadt 682: X perror("execle: cvs");
683: X fprintf(stderr, "unable to exec CVS pserver!\n");
684: X exit(1);
685: X /* NOTREACHED */
686: X }
1.8 beck 687: X#endif
1.1 deraadt 688: X
689: X if (argc != 3 ||
690: X strcmp("anoncvssh", argv[0]) != 0 ||
691: X strcmp("-c", argv[1]) != 0 ||
1.5 deraadt 692: X (strcmp("cvs server", argv[2]) != 0 &&
1.17 espie 693: X strcmp("cvs -d "LOCALROOT" server", argv[2]) != 0)) {
1.1 deraadt 694: X fprintf(stderr, "\nTo use anonymous CVS install the latest ");
695: X fprintf(stderr,"version of CVS on your local machine.\n");
696: X fprintf(stderr,"Then set your CVSROOT environment variable ");
697: X fprintf(stderr,"to the following value:\n");
1.19 ! beck 698: X#if defined(OPENCVS_USER)
! 699: X fprintf(stderr, "\t%s@%s:%s for OpenCVS\n", OPENCVS_USER,
! 700: X HOSTNAME, LOCALROOT);
! 701: X#endif
1.1 deraadt 702: X fprintf(stderr,"\t%s\n\n", CVSROOT);
1.5 deraadt 703: X#ifdef DEBUG
704: X fprintf(stderr, "argc = %d\n", argc);
705: X for (i = 0 ; i < argc ; i++)
706: X fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
707: X#endif /* DEBUG */
1.1 deraadt 708: X sleep(10);
709: X exit(0);
710: X }
1.19 ! beck 711: X
! 712: X#if defined(OPENCVS_USER)
! 713: X if (opencvs == 1) {
! 714: X execle("/usr/bin/opencvs", "opencvs",
! 715: X "server", (char *)NULL, env);
! 716: X } else {
! 717: X#endif
! 718: X execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
! 719: X#if defined(OPENCVS_USER)
! 720: X }
! 721: X#endif
! 722: X
1.4 deraadt 723: X perror("execle: cvs");
1.1 deraadt 724: X fprintf(stderr, "unable to exec CVS server!\n");
725: X exit(1);
1.5 deraadt 726: X /* NOTREACHED */
1.1 deraadt 727: X}
728: X
729: END-of-anoncvssh.c
730: exit
731: