Annotation of www/anoncvs.shar, Revision 1.2
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
8: # README
9: # Makefile
10: # anoncvssh.c
11: #
12: echo x - README
13: sed 's/^X//' >README << 'END-of-README'
14: Xfind enough disk space.
15: X you need roughly 300MB.
16: X mount it on /open
17: X if you are not able to mount it as /open, substitute it's location
18: X throughout this description
19: X
20: Xcompile the anoncvssh binary
21: X in the Makefile, change the variable CVSROOT
22: X anoncvs is installed setuid-root.
23: X
24: Xcreate an account:
1.2 ! deraadt 25: X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
! 26: Xyes, that is right. the account has no password.
1.1 deraadt 27: X
28: Xinstall a crontab entry which runs as any user besides anoncvs (ie. run
29: Xit as yourself, or as root). call that user $SUPUSER
30: X 0 5,9,13,17,21,1 * * * /usr/local/bin/sup -v /open/sup/ss
31: X
32: Xthe file /open/sup/ss contains
33: X cvs host=cvs.openbsd.org hostbase=/ base=/open/anoncvs delete
34: X
35: Xmkdir /open/
36: Xmkdir /open/anoncvs
37: Xmkdir /open/anoncvs/cvs
38: Xmkdir /open/sup
39: Xchown -R $SUPUSER /open/anoncvs/cvs /open/sup
40: X
41: Xstart filling the account up with nice stuff
42: X cd /open/anoncvs
43: X touch .hushlogin
44: X touch .profile
45: X
46: Xput a message like the following in .plan:
47: X To use anonymous CVS install the latest version of CVS on your local machine.
48: X Then set your CVSROOT environment variable to the following value:
49: X anoncvs@anoncvs.openbsd.org:/cvs
50: X
51: X chown root.wheel .hushlogin .profile .plan
52: X
53: X mkdir bin dev tmp usr var etc
54: X cp /bin/{cat,pwd,rm,sh} bin/
55: X
56: Xusing mknod, make a dev/null that has the same major/minor numbers as
57: X your /dev/null, and make it mode 666.
58: X
59: Xsome shared library systems require a dev/zero created in the same way
60: X
61: Xfill etc space for the account
62: X cp /etc/{group,hosts,passwd,protocols} etc/
63: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
64: X modify these files to suit your idea of system security
65: X
66: Xanoncvssh (by setting an extra environment variable) use an extension
67: Xprovided in the openbsd cvs server code. therefore you want to compile
68: Xthe openbsd version. luckily this is not a problem on a non-openbsd
69: Xmachine since the cvs sources are imported verbatim into the openbsd
70: Xtree. they are in gnu/usr.bin/cvs. (explanation: the extension allows
71: Xa way to have read-only cvs repositories)
72: X
73: Xcreate tmp space for the account
74: X cd var; ln -s ../tmp tmp
75: X chmod a+rwx tmp
76: X
77: X mkdir usr/{bin,lib}
78: X cp /usr/bin/{ci,co,cvs,diff,diff3,gzip,rcs,rcsclean} usr/bin/
79: X cp /usr/bin/{rcsdiff,rcsfreeze,rcsmerge,rlog,sdiff,zdiff} usr/bin/
80: X
81: Xif your system has ld.so in /usr/libexec,
82: X mkdir usr/libexec
83: X cp /usr/libexec/ld.so usr/libexec/
84: X
85: Xif using shared libraries, copy the shared libs you might need:
86: X cp /usr/lib/lib*.so.* usr/lib/
87: X
88: Xas a final pass, make sure that all the files you have just created are
89: Xnot world writeable (except dev/null)
90: X
91: Xsend mail to deraadt@openbsd.org to have sup permissions granted.
92: END-of-README
93: echo x - Makefile
94: sed 's/^X//' >Makefile << 'END-of-Makefile'
95: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
96: XPROG= anoncvssh
97: XBINOWN= root
98: XBINMODE=4111
99: XBINDIR=/open
100: XNOMAN=
101: X
102: X.include <bsd.prog.mk>
103: X
104: END-of-Makefile
105: echo x - anoncvssh.c
106: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
107: X/*
108: X * anoncvssh
109: X */
110: X
111: X#ifndef CVSROOT
112: X#define CVSROOT "anoncvs@anoncvs1.usa.openbsd.org:/cvs"
113: X#endif
114: X
115: X#include <stdio.h>
116: X#include <unistd.h>
117: X#include <pwd.h>
118: X#include <sys/types.h>
119: X
120: Xint
121: Xmain(argc, argv)
122: Xint argc;
123: Xchar *argv[];
124: X{
125: X struct passwd *pw;
126: X
127: X pw = getpwuid(getuid());
128: X if (pw == NULL) {
129: X fprintf(stderr, "no user for uid %d\n", getuid());
130: X exit(1);
131: X }
132: X if (pw->pw_dir == NULL) {
133: X fprintf(stderr, "no directory\n");
134: X exit(1);
135: X }
136: X seteuid(0);
137: X if (chroot(pw->pw_dir) == -1) {
138: X perror("chroot");
139: X exit (1);
140: X }
141: X chdir("/");
142: X seteuid(getuid());
143: X
144: X /*
145: X * program now "safe"
146: X */
147: X
148: X if (argc != 3 ||
149: X strcmp("anoncvssh", argv[0]) != 0 ||
150: X strcmp("-c", argv[1]) != 0 ||
151: X strcmp("cvs server", argv[2]) != 0) {
152: X
153: X fprintf(stderr, "\nTo use anonymous CVS install the latest ");
154: X fprintf(stderr,"version of CVS on your local machine.\n");
155: X fprintf(stderr,"Then set your CVSROOT environment variable ");
156: X fprintf(stderr,"to the following value:\n");
157: X fprintf(stderr,"\t%s\n\n", CVSROOT);
158: X sleep(10);
159: X exit(0);
160: X }
161: X
162: X /*
163: X * since the only things in annocvs's bin entire chroot space will
164: X * be "safe commands", this is not a big deal
165: X */
166: X putenv("SHELL=/bin/sh");
167: X putenv("CVSROOT=/cvs");
168: X putenv("HOME=/");
169: X putenv("CVSREADONLYFS=");
170: X
171: X execl("/usr/bin/cvs", "cvs", "server", NULL);
172: X perror("execl: cvs");
173: X fprintf(stderr, "unable to exec CVS server!\n");
174: X exit(1);
175: X}
176: X
177: END-of-anoncvssh.c
178: exit
179: