Annotation of www/anoncvs.shar, Revision 1.21
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
1.19 beck 8: # anoncvs.shar
1.6 deraadt 9: # Makefile
1.1 deraadt 10: # README
11: # anoncvssh.c
12: #
1.6 deraadt 13: echo x - Makefile
14: sed 's/^X//' >Makefile << 'END-of-Makefile'
15: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
16: XPROG= anoncvssh
17: XBINOWN= root
18: XBINMODE=4111
19: XBINDIR=/open
20: XNOMAN=
21: X
22: X.include <bsd.prog.mk>
23: X
24: END-of-Makefile
1.1 deraadt 25: echo x - README
26: sed 's/^X//' >README << 'END-of-README'
27: X
1.16 millert 28: X So, you want to run an anoncvs server.
1.7 beck 29: X
30: X A summary of the steps you'll need to do is:
31: X
1.16 millert 32: X1) Find enough disk space to hold the anoncvs tree, and mount it in an
1.14 millert 33: X appropriate place.
1.7 beck 34: X
35: X2) Compile and install anoncvssh, the shell used for the anoncvs user.
36: X ( If you aren't using OpenBSD you'll probably need to compile a sup
1.16 millert 37: X client as well. The easier path is to use OpenBSD ;).
1.7 beck 38: X
39: X3) Add the anoncvs user to the password file, with no password, and
1.14 millert 40: X anoncvssh as it's shell. Decide on a user that will run sup to maintain
1.16 millert 41: X the archive (this is a different user, NOT the anoncvs user).
1.7 beck 42: X
1.14 millert 43: X4) Make a home directory for the anoncvs user. The anoncvs user's
44: X home directory is a chroot jail in which the anoncvssh processes
45: X run when servicing anoncvs requests. The jail must contain the
46: X cvs binary as well as whatever shared libraries and support files
47: X are needed to run them unless you compile and link everything
1.16 millert 48: X statically. This example shows what is needed for OpenBSD. If you
1.14 millert 49: X use another platform you'll need to be familiar with what needs
50: X to go in a chroot jail for your platform.
1.7 beck 51: X
52: X5) Get permission to use sup to obtain the cvs tree from a server.
1.1 deraadt 53: X
1.16 millert 54: X6) Set up sup to retrieve the cvs tree from an appropriate place.
1.7 beck 55: X (If you aren't using OpenBSD you will need to compile and install
56: X a sup client).
1.6 deraadt 57: X
1.16 millert 58: X7) Run sup to retrieve the distribution from the server.
1.3 deraadt 59: X
1.16 millert 60: X8) Once you get the distribution in, set up a cron job to run sup
1.7 beck 61: X periodically to keep your server up to date.
1.6 deraadt 62: X
1.19 beck 63: X9) Enabling OpenCVS anoncvs.
64: X
1.7 beck 65: X**********************************************************************
66: XSTEP 1) find enough disk space.
1.16 millert 67: X You need roughly 2GB.
1.21 ! landry 68: X Mount it on /open, make sure it doesn't have nosuid and nodev flags.
1.14 millert 69: X If you are not able to mount it as /open, substitute it's location
1.16 millert 70: X throughout the rest of this description.
1.6 deraadt 71: X
1.7 beck 72: X**********************************************************************
1.16 millert 73: XSTEP 2) compile the anoncvssh binary.
74: X In the Makefile, change the variable CVSROOT.
1.14 millert 75: X Install the binary setuid-root in /open/anoncvssh.
1.1 deraadt 76: X
1.7 beck 77: X**********************************************************************
1.16 millert 78: XSTEP 3) Create the anoncvs account and decide who will run "sup"
1.14 millert 79: X to maintain the archive. The anoncvs account should *NOT* be the one
80: X running sup to maintain the archive.
1.1 deraadt 81: X
1.9 beck 82: Xcreate an account similar to:
83: X
1.18 millert 84: X anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
1.4 deraadt 85: X
1.16 millert 86: XYes, that is right - the account has no password. Be sure that the
1.14 millert 87: Xuid and gid are unique for your system, if the ones above aren't,
88: Xpick different values.
1.16 millert 89: X
90: XDecide who will run sup to maintain the archive. Call that user
1.14 millert 91: X$SUPUSER. Oh, and in case it hasn't been previously mentioned,
1.16 millert 92: X$SUPUSER should *NOT* be the anoncvs user :).
93: X
94: XSet "PermitEmptyPasswords yes" option in /etc/ssh/sshd_config and
95: Xrestart your sshd daemon.
1.7 beck 96: X
97: X**********************************************************************
1.14 millert 98: XSTEP 4) Build the anoncvs user's home directory chroot jail. This
99: X example assumes that you're using OpenBSD. If you're not you
100: X may need different files in the chroot.
1.4 deraadt 101: X
1.1 deraadt 102: Xmkdir /open/anoncvs
103: Xmkdir /open/anoncvs/cvs
1.6 deraadt 104: Xmkdir /open/anoncvs/sup
105: Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs
1.1 deraadt 106: X
1.14 millert 107: XStart filling the account up with nice stuff. You are building a chroot
1.7 beck 108: Xjail for anoncvs in /open/anoncvs.
109: X
1.1 deraadt 110: X cd /open/anoncvs
111: X touch .hushlogin
112: X touch .profile
113: X
1.14 millert 114: XPut a message like the following in .plan:
1.16 millert 115: X To use anonymous CVS install the latest version of CVS on your local
1.6 deraadt 116: X machine.
1.1 deraadt 117: X Then set your CVSROOT environment variable to the following value:
118: X anoncvs@anoncvs.openbsd.org:/cvs
119: X
1.14 millert 120: X chown root:wheel .hushlogin .profile .plan
1.1 deraadt 121: X
122: X mkdir bin dev tmp usr var etc
123: X cp /bin/{cat,pwd,rm,sh} bin/
124: X
1.14 millert 125: XUsing mknod, make a dev/null that has the same major/minor numbers as
1.1 deraadt 126: X your /dev/null, and make it mode 666.
127: X
1.16 millert 128: XSome shared library systems require a dev/zero created in the same way.
1.1 deraadt 129: X
1.14 millert 130: XFill etc space for the account
1.1 deraadt 131: X cp /etc/{group,hosts,passwd,protocols} etc/
132: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
133: X modify these files to suit your idea of system security
134: X
1.14 millert 135: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses
1.16 millert 136: Xa tiny extension provided in the openbsd cvs server code which
137: Xpermits the use of read-only cvs repositories, therefore you MUST
138: Xcompile the openbsd version of cvs. Luckily this is not a problem
139: Xon a non-openbsd machine, since the cvs sources are imported verbatim
140: Xinto the openbsd tree. They are in gnu/usr.bin/cvs. The sources
141: Xare integrated in such way that Makefile.bsd-wrapper knows how to build
1.14 millert 142: Xthe sources on an OpenBSD machine, using obj directories.
1.1 deraadt 143: X
1.14 millert 144: XCreate tmp space for the account
1.16 millert 145: X # (cd var && ln -s ../tmp tmp)
1.13 millert 146: X # chmod a+rwx tmp
1.1 deraadt 147: X
1.13 millert 148: X # mkdir usr/{bin,lib}
149: X # cp /usr/bin/cvs usr/bin/
1.1 deraadt 150: X
1.14 millert 151: XIf your system has ld.so in /usr/libexec,
1.13 millert 152: X # mkdir usr/libexec
153: X # cp /usr/libexec/ld.so usr/libexec/
1.1 deraadt 154: X
1.14 millert 155: XIf using shared libraries, use ldd to find out which shared libs you need:
1.13 millert 156: X # ldd /usr/bin/cvs
1.16 millert 157: X /usr/bin/cvs:
158: X Start End Type Ref Name
159: X 00000000 00000000 exe 1 /usr/bin/cvs
160: X 0015f000 20165000 rlib 1 /usr/lib/libz.so.2.0
161: X 0016d000 20172000 rlib 1 /usr/lib/libgssapi.so.2.0
162: X 0017f000 2018d000 rlib 1 /usr/lib/libkrb5.so.5.2
163: X 00141000 20145000 rlib 1 /usr/lib/libasn1.so.3.1
164: X 00089000 200ba000 rlib 1 /usr/lib/libcrypto.so.10.0
165: X 00177000 2017c000 rlib 1 /usr/lib/libdes.so.8.0
166: X 00169000 2016d000 rlib 1 /usr/lib/libcom_err.so.1.0
167: X 00009000 20053000 rlib 1 /usr/lib/libc.so.30.0
168: X 00002000 00002000 rtld 1 /usr/libexec/ld.so
1.13 millert 169: X
170: X and then copy the required libraries to usr/lib/
1.1 deraadt 171: X
1.14 millert 172: XAs a final pass, make sure that all the files you have just created are
173: Xnot world writable (except dev/null).
1.1 deraadt 174: X
1.7 beck 175: XFor :pserver: support (optional)
176: X - Create an entry in /etc/services
1.16 millert 177: X cvspserver 2401/tcp # CVS client/server operations
1.7 beck 178: X - Create an entry in /etc/inetd.conf
1.16 millert 179: X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
1.11 millert 180: X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
1.16 millert 181: X anoncvs:AHDysQkJIubEc
1.11 millert 182: X which would be a password of "anoncvs" (as per anoncvs.html)
183: X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
1.16 millert 184: X anoncvs
1.11 millert 185: X which tells cvs that user "anoncvs" is allowed readonly access.
186: X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
187: X want anyone to be able to write to the mirror.
1.16 millert 188: X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
1.7 beck 189: X
190: XSee the example layout below for full details.
191: X
192: X**********************************************************************
1.16 millert 193: XSTEP 5): Get sup permission.
1.7 beck 194: Xsend mail to sup@openbsd.org
195: X1) to have sup permissions granted on an appropriate machine for you
1.10 beck 196: X to sup from. We will need to know your host's real hostname and
197: X IP address.
1.16 millert 198: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created.
1.3 deraadt 199: X3) to have your site mentioned in the http://www.openbsd.org page.
200: X
1.7 beck 201: X**********************************************************************
1.16 millert 202: XSTEP 6): Configure sup.
1.7 beck 203: X
204: XIf you're running OpenBSD, you already have a sup client in
205: X/usr/bin/sup. If not you may need to build it. On an IRIX or other
1.14 millert 206: XSYSV machine, ensure that your kernel does not allow a user to chown
1.16 millert 207: Xa file to another user (you may have heard of this particular brand
208: Xof evil referred to as "chown giveaway"). This will cause sup to
1.14 millert 209: Xgive away the files to root before chmod'ing them readable.
210: Xmichaels@openbsd.org knows how to fix this.
1.7 beck 211: X
1.14 millert 212: XThe file /open/anoncvs/sup/ss contains a line that tells sup where
1.16 millert 213: Xto get the cvs tree from. It will normally contain:
1.7 beck 214: X
1.14 millert 215: X cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete
1.7 beck 216: X
1.14 millert 217: XThe file /open/anoncvs/sup/cvs/refuse tells sup what files it should not get.
1.11 millert 218: XIt should contain the following lines:
1.7 beck 219: X
220: X cvs/CVSROOT/history
1.11 millert 221: X cvs/CVSROOT/readers
222: X cvs/CVSROOT/writers
223: X cvs/CVSROOT/passwd
1.7 beck 224: X
1.16 millert 225: XIf you ever fetch the file cvs/CVSROOT/history, delete it. It will
1.7 beck 226: Xcause you problems.
227: X
228: X**********************************************************************
1.16 millert 229: XSTEP 7): Run sup to retrieve the tree for the first time.
1.7 beck 230: X
1.16 millert 231: XLog in as or become the $SUPUSER, and run
1.7 beck 232: X
233: Xsup -v /open/anoncvs/sup/ss > /tmp/suplog &; tail -f /tmp/suplog
234: X
235: XIf you have sup permission, and have specified the correct host and
236: Xhostbase in /open/anoncvs/sup/ss you should see a list of files start
237: Xcoming in after a short while. Don't panic if nothing happens
238: Ximmediately. Watch for errors (sup can timeout or die). If you can't
1.16 millert 239: Xaccess files contact the sup server maintainer. If you get a timeout
1.7 beck 240: Xor if sup dies you can restart and it should continue where it left off.
241: X
242: XIt can take a good while (and a couple of restarts) to obtain the
243: Xwhole tree for the first time.
244: X
245: X**********************************************************************
246: XSTEP 8): Set up cron to keep the tree up to date.
247: X
248: XYou run sup periodically from the cron by setting up the crontab file
249: Xof the $SUPUSER.
250: X
251: XFor example: To run every three hours 'sup -v supfile', and thrice
252: Xweekly 'sup -vo supfile' .. because sup is not reliable ..
253: X
254: X0 0,3,6,9,12,15,18,21 * * 0,2,4,5 sup -v /open/anoncvs/sup/ss > /dev/null
255: X0 0,12,15,18,21 * * 1,3,6 sup -v /open/anoncvs/sup/ss > /dev/null
256: X0 3 * * 1,3,6 sup -vo /open/anoncvs/sup/ss > /dev/null
257: X
258: Xanoncvs5.usa.openbsd.org uses this particular set of entries. A `sup
259: X-o' is done every few days because sup is not very robust.
260: X
261: X**********************************************************************
1.19 beck 262: XSTEP 9): Enabling OpenCVS anoncvs.
263: X
264: XThe next step is to enable OpenCVS, which will run on your system next
265: Xto the normal GNU cvs server. This will become the default in the
266: Xfuture.
267: X
268: XFirst off, create a new user account "opencvs" like you did for your
269: Xnormal anoncvs user:
270: X
271: Xopencvs::32766:32766::0:0:Anonymous OpenCVS User:/open/anoncvs:/open/anoncvssh
272: X
273: XBe sure that the uid and gid are unique for your system, if the ones
274: Xabove aren't, pick different values.
275: X
276: X#define OPENCVS_USER "opencvs"
277: X
278: XRecompile anoncvssh.c and install the binary setuid-root in /open/anoncvssh.
279: X
280: XCompile and install a current /usr/bin/opencvs.
281: X
282: XCopy /usr/bin/opencvs to /open/anoncvs/usr/bin/opencvs
283: X
284: XYou can now use OpenCVS anoncvs by using the correct CVSROOT:
285: X
286: X opencvs@anoncvs.openbsd.org:/cvs
287: X
288: XIf you encounter bugs, send them to joris@openbsd.org
289: X
290: X**********************************************************************
1.7 beck 291: XEXAMPLE LAYOUT
292: X
293: XExample layout for OpenBSD. In this example "deraadt" is the $SUPUSER.
1.3 deraadt 294: X
295: X[eap open 5 ]> cd /open
1.16 millert 296: X[eap open 6 ]> ls -alF
1.3 deraadt 297: Xtotal 46
298: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./
299: Xdrwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../
300: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 anoncvs/
301: X---s--x--x 1 root bin 16384 Nov 30 1995 anoncvssh*
302: Xlrwxr-xr-x 1 root wheel 11 Jan 3 21:52 cvs@ -> anoncvs/cvs
303: Xdrwxr-xr-x 5 root wheel 512 Feb 22 13:22 ftp/
304: Xdrwxrwxrwt 2 anoncvs wheel 1024 Jan 1 13:18 lost+found/
305: Xdrwxr-xr-x 4 root wheel 512 Nov 30 1995 src/
306: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 sup/
307: X[eap open 7 ]> cd anoncvs
308: X[eap anoncvs 8 ]> ls -alF
309: Xtotal 20
310: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ./
311: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
312: X-r--r--r-- 1 root wheel 0 Nov 30 1995 .hushlogin
313: X-r--r--r-- 1 root wheel 188 Nov 30 1995 .plan
314: X-r--r--r-- 1 root wheel 0 Nov 29 1995 .profile
1.10 beck 315: Xdrwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 bin/
1.3 deraadt 316: Xdrwxrwxr-x 6 deraadt cvs 512 Jun 16 20:28 cvs/
317: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 dev/
318: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 etc/
319: Xdrwxrwxrwx 3 root wheel 512 Jun 22 07:42 tmp/
320: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 usr/
321: Xdrwxr-xr-x 2 root wheel 512 Jan 3 21:55 var/
322: X[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev
323: Xbin:
324: Xtotal 948
1.10 beck 325: Xdrwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 ./
1.3 deraadt 326: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
327: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 cat*
328: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 pwd*
329: X--wx--x--x 1 deraadt wheel 122880 Jun 18 09:45 rm*
330: X--wx--x--x 1 deraadt wheel 262144 Jun 18 09:45 sh*
331: X
332: Xdev:
333: Xtotal 4
334: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 ./
335: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
336: Xcrw-rw-rw- 1 root wheel 2, 2 Nov 30 1995 null
337: X
338: Xetc:
339: Xtotal 112
340: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 ./
341: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
342: X-rw-r--r-- 1 root wheel 252 Nov 29 1995 group
343: X-rw-r--r-- 1 root wheel 296 Nov 29 1995 hosts
344: X-rw-r--r-- 1 root wheel 540 Nov 29 1995 passwd
345: X-rw-r--r-- 1 root wheel 1094 Nov 29 1995 protocols
346: X-rw-r--r-- 1 root wheel 40960 Nov 29 1995 pwd.db
347: X-rw-r--r-- 1 root wheel 89 Nov 29 1995 resolv.conf
348: X-rw-r--r-- 1 root wheel 5529 Nov 29 1995 services
349: X-rw-r--r-- 1 root wheel 1361 Nov 29 1995 ttys
350: X
351: Xusr:
352: Xtotal 10
353: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ./
354: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
355: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 bin/
356: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 lib/
357: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 libexec/
358: X
359: Xusr/bin:
360: Xtotal 1968
361: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 ./
362: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
363: X--wx--x--x 1 deraadt wheel 317787 Jun 18 09:46 cvs*
364: X
365: Xusr/lib:
366: Xtotal 5594
367: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 ./
368: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
1.13 millert 369: X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libasn1.so.2.0
370: X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libc.so.28.5
371: X-rw-r--r-- 1 deraadt wheel 16608 Jun 18 09:50 libcrypto.so.6.0
372: X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libdes.so.7.0
373: X-rw-r--r-- 1 deraadt wheel 16665 Jun 18 09:50 libgssapi.so.1.0
374: X-rw-r--r-- 1 deraadt wheel 86198 Jun 18 09:50 libkafs.so.10.0
375: X-rw-r--r-- 1 deraadt wheel 42254 Jun 18 09:50 libkrb.so.10.0
376: X-rw-r--r-- 1 deraadt wheel 66099 Jun 18 09:50 libkrb5.so.4.0
377: X-rw-r--r-- 1 deraadt wheel 387976 Jun 18 09:50 libz.so.1.4
1.3 deraadt 378: X
379: Xusr/libexec:
380: Xtotal 100
381: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 ./
382: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
383: X-rwxr-xr-x 1 deraadt wheel 49152 Jun 18 09:47 ld.so*
384: X
385: X[eap anoncvs 14 ]> ls cvs
386: XCVSROOT/ src/ sup/ www/
1.6 deraadt 387: X[eap anoncvs 15 ]> cd /open
1.3 deraadt 388: X[eap anoncvs 16 ]> ls -alF sup
389: Xtotal 8
390: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 ./
391: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
392: Xdrwxr-xr-x 2 deraadt wheel 512 Jun 22 06:05 cvs/
393: X-rw-rw-r-- 1 deraadt wheel 54 Dec 4 1995 ss
394: X
395: X
1.7 beck 396: X***************************************************************
397: XNOTES FOR OTHER PLATFORMS:
398: X
399: XIf you're not that familiar with your other platform (i.e. you haven't
1.13 millert 400: Xbuilt a chroot jail for a server on it) you may be better off
1.16 millert 401: Xfinding an OpenBSD machine to use and duplicating the example above.
1.7 beck 402: X
403: X**SunOS 5)
1.10 beck 404: XBob Beck <Bob.Beck@ualberta.ca> has done this. E-mail for
1.7 beck 405: Xhelp if you need it.
1.6 deraadt 406: X
1.7 beck 407: X**OSF 1)
1.6 deraadt 408: XFrom Todd Fries <toddf@acm.org> to the adventurous.
409: XA note for those installing anoncvs on non-OpenBSD operating systems.
410: XYou are in for some fun.
411: X
412: XFor OSF1, on a DEC alpha, I had to do the following in addition to the
413: Xabove:
414: X
415: X- I do not know how to setup dynamic libraries on osf1 and as a result
416: X everything had to be compiled statically.
417: X- Therefore, everything but /bin/sh I had to recmpile in order to
418: X get the chroot setup. In order that there be no guesswork
419: X involved, the following packages' binaries must exist in the chroot
420: X environment:
421: X
422: X GNU
423: X cvs (from the OpenBSD source tree)
424: X
425: XSome notes on compiling.
426: X
427: X cvs fails to install if you don't have makeinfo ... just search for the
428: X string ' install-info$' with regex and remove it from the Makefile for the
429: X install and you'll be fine, or install 'texinfo', your choice.
1.1 deraadt 430: END-of-README
431: echo x - anoncvssh.c
432: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
433: X/*
1.15 millert 434: X * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
435: X * Copyright (c) 1997 Bob Beck <beck@obtuse.com>
436: X * Copyright (c) 1996 Thorsten Lockert <tholo@sigmasoft.com>
437: X *
438: X * Permission to use, copy, modify, and distribute this software for any
439: X * purpose with or without fee is hereby granted, provided that the above
440: X * copyright notice and this permission notice appear in all copies.
441: X *
442: X * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
443: X * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
444: X * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
445: X * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
446: X * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
447: X * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
448: X * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.1 deraadt 449: X */
450: X
1.4 deraadt 451: X#include <stdio.h>
452: X#include <stdlib.h>
453: X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
454: X#include <paths.h>
455: X#endif
456: X#include <pwd.h>
457: X#include <unistd.h>
458: X#include <sys/types.h>
459: X
460: X#ifndef __P
461: X#if defined(__STDC__) || defined(__cplusplus)
462: X#define __P(protos) protos /* full-blown ANSI C */
463: X#else
464: X#define __P(protos) () /* traditional C preprocessor */
465: X#endif
466: X#endif
467: X
468: X/*
469: X * You may need to change this path to ensure that RCS, CVS and diff
470: X * can be found
471: X */
472: X#ifndef _PATH_DEFPATH
473: X#define _PATH_DEFPATH "/bin:/usr/bin"
474: X#endif
475: X
476: X/*
477: X * This should not normally have to be changed
478: X */
479: X#ifndef _PATH_BSHELL
480: X#define _PATH_BSHELL "/bin/sh"
481: X#endif
482: X
483: X/*
484: X * Location of CVS tree, relative to the anonymous CVS user's
485: X * home directory
486: X */
487: X#ifndef LOCALROOT
488: X#define LOCALROOT "/cvs"
489: X#endif
490: X
491: X/*
1.19 beck 492: X * Hostname to be used when accessing the remote repository.
1.4 deraadt 493: X */
494: X#ifndef HOSTNAME
1.19 beck 495: X#define HOSTNAME "anoncvs1.usa.openbsd.org"
496: X#endif
497: X
498: X/*
499: X * Username to be used when accessing the remote repository.
500: X */
501: X#ifndef USERNAME
502: X#define USERNAME "anoncvs"
1.4 deraadt 503: X#endif
504: X
505: X/*
1.19 beck 506: X * $CVSROOT is created based on USERNAME HOSTNAME and LOCALROOT above
1.4 deraadt 507: X */
1.1 deraadt 508: X#ifndef CVSROOT
1.19 beck 509: X#define CVSROOT USERNAME "@" HOSTNAME ":"LOCALROOT
1.1 deraadt 510: X#endif
511: X
1.8 beck 512: X/*
513: X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
514: X * You may undefine this if you aren't going to be running pserver.
515: X */
516: X#ifndef PSERVER_SUPPORT
517: X#define PSERVER_SUPPORT
518: X#endif
519: X
520: X/*
521: X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
522: X * using syslog()
523: X */
524: X#define USE_SYSLOG
525: X
526: X#ifdef USE_SYSLOG
527: X#include <string.h>
528: X#include <syslog.h>
529: X#include <netinet/in.h>
530: X#include <sys/socket.h>
531: X#include <arpa/inet.h>
532: X#define LOG_FACILITY LOG_DAEMON
533: X#define LOG_PRIO LOG_INFO
534: X#endif
535: X
536: X/* Define ANONCVS_USER if you want anoncvssh to complain if invoked by
537: X * anyone other than root or ANONCVS_USER.
538: X */
1.19 beck 539: X/* #define ANONCVS_USER USERNAME */
540: X
541: X/*
542: X * If you want to be able to run an alternate OpenCVS binary on your
543: X * anoncvs server, define OPENCVS_USER as the user who will invoke it.
544: X */
545: X#define OPENCVS_USER "opencvs"
1.8 beck 546: X
1.4 deraadt 547: Xint main __P((int, char *[]));
548: X
549: Xchar * const env[] = {
1.17 espie 550: X "PATH="_PATH_DEFPATH,
551: X "SHELL="_PATH_BSHELL,
552: X "CVSROOT="LOCALROOT,
1.4 deraadt 553: X "HOME=/",
554: X "CVSREADONLYFS=1",
555: X NULL
556: X};
1.1 deraadt 557: X
558: Xint
559: Xmain(argc, argv)
560: Xint argc;
561: Xchar *argv[];
562: X{
563: X struct passwd *pw;
1.5 deraadt 564: X#ifdef DEBUG
565: X int i;
566: X#endif /* DEBUG */
1.19 beck 567: X#if defined(OPENCVS_USER)
568: X int opencvs;
569: X#endif
1.1 deraadt 570: X
571: X pw = getpwuid(getuid());
572: X if (pw == NULL) {
573: X fprintf(stderr, "no user for uid %d\n", getuid());
574: X exit(1);
575: X }
576: X if (pw->pw_dir == NULL) {
577: X fprintf(stderr, "no directory\n");
578: X exit(1);
579: X }
1.8 beck 580: X
581: X#ifdef USE_SYSLOG
582: X openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
583: X#endif /* USE_SYSLOG */
584: X
585: X#ifdef ANONCVS_USER
586: X /*
587: X * I love lusers who have to test every setuid binary on my machine.
588: X */
589: X if (getuid() != 0 && (strcmp (pw->pw_name, ANONCVS_USER) != 0)) {
590: X fprintf(stderr, "You're not supposed to be running me!\n");
591: X#ifdef USE_SYSLOG
592: X syslog(LOG_NOTICE,
593: X "User %s(%d) invoked anoncvssh - Possible twink?",
594: X pw->pw_name, pw->pw_uid);
595: X#endif /* USE_SYSLOG */
596: X exit(1);
597: X }
598: X#endif /* ANONCVS_USER */
599: X
600: X
1.11 millert 601: X setuid(0);
1.1 deraadt 602: X if (chroot(pw->pw_dir) == -1) {
603: X perror("chroot");
604: X exit (1);
605: X }
606: X chdir("/");
1.11 millert 607: X setuid(pw->pw_uid);
1.1 deraadt 608: X
1.19 beck 609: X#if defined(OPENCVS_USER)
610: X if (!strcmp(pw->pw_name, OPENCVS_USER))
611: X opencvs = 1;
612: X else
613: X opencvs = 0;
614: X#endif
615: X
1.1 deraadt 616: X /*
617: X * program now "safe"
618: X */
1.6 deraadt 619: X
1.8 beck 620: X#ifdef PSERVER_SUPPORT
1.6 deraadt 621: X /* If we want pserver functionality */
1.8 beck 622: X if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
623: X#ifdef USE_SYSLOG
624: X int slen;
625: X struct sockaddr_in my_sa, peer_sa;
626: X char *us, *them;
1.19 beck 627: X
628: X#if defined(OPENCVS_USER)
629: X if (opencvs == 1) {
630: X fprintf(stderr, "OpenCVS does not support pserver\n");
631: X sleep(10);
632: X exit(1);
633: X }
634: X#endif
635: X
1.8 beck 636: X slen = sizeof(my_sa);
637: X if (getsockname(0, (struct sockaddr *) &my_sa, &slen)
638: X != 0) {
639: X perror("getsockname");
640: X exit(1);
641: X }
642: X us = strdup(inet_ntoa(my_sa.sin_addr));
643: X if (us == NULL) {
644: X fprintf(stderr, "malloc failed\n");
645: X exit(1);
646: X }
647: X slen = sizeof(peer_sa);
648: X if (getpeername(0, (struct sockaddr *) &peer_sa, &slen)
649: X != 0) {
650: X perror("getpeername");
651: X exit(1);
652: X }
653: X them=strdup(inet_ntoa(peer_sa.sin_addr));
654: X if (them == NULL) {
655: X fprintf(stderr, "malloc failed\n");
656: X exit(1);
657: X }
658: X syslog(LOG_PRIO,
659: X "pserver connection from %s:%d to %s:%d\n",
660: X them, ntohs(peer_sa.sin_port),
661: X us, ntohs(my_sa.sin_port));
662: X#endif /* USE_SYSLOG */
1.11 millert 663: X execle("/usr/bin/cvs", "cvs",
1.17 espie 664: X "--allow-root="LOCALROOT, "pserver", (char *)NULL, env);
1.6 deraadt 665: X perror("execle: cvs");
666: X fprintf(stderr, "unable to exec CVS pserver!\n");
667: X exit(1);
668: X /* NOTREACHED */
669: X }
1.8 beck 670: X#endif
1.1 deraadt 671: X
672: X if (argc != 3 ||
673: X strcmp("anoncvssh", argv[0]) != 0 ||
674: X strcmp("-c", argv[1]) != 0 ||
1.5 deraadt 675: X (strcmp("cvs server", argv[2]) != 0 &&
1.17 espie 676: X strcmp("cvs -d "LOCALROOT" server", argv[2]) != 0)) {
1.1 deraadt 677: X fprintf(stderr, "\nTo use anonymous CVS install the latest ");
678: X fprintf(stderr,"version of CVS on your local machine.\n");
679: X fprintf(stderr,"Then set your CVSROOT environment variable ");
680: X fprintf(stderr,"to the following value:\n");
1.19 beck 681: X#if defined(OPENCVS_USER)
682: X fprintf(stderr, "\t%s@%s:%s for OpenCVS\n", OPENCVS_USER,
683: X HOSTNAME, LOCALROOT);
684: X#endif
1.1 deraadt 685: X fprintf(stderr,"\t%s\n\n", CVSROOT);
1.5 deraadt 686: X#ifdef DEBUG
687: X fprintf(stderr, "argc = %d\n", argc);
688: X for (i = 0 ; i < argc ; i++)
689: X fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
690: X#endif /* DEBUG */
1.1 deraadt 691: X sleep(10);
692: X exit(0);
693: X }
1.19 beck 694: X
695: X#if defined(OPENCVS_USER)
696: X if (opencvs == 1) {
697: X execle("/usr/bin/opencvs", "opencvs",
698: X "server", (char *)NULL, env);
699: X } else {
700: X#endif
701: X execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
702: X#if defined(OPENCVS_USER)
703: X }
704: X#endif
705: X
1.4 deraadt 706: X perror("execle: cvs");
1.1 deraadt 707: X fprintf(stderr, "unable to exec CVS server!\n");
708: X exit(1);
1.5 deraadt 709: X /* NOTREACHED */
1.1 deraadt 710: X}
711: X
712: END-of-anoncvssh.c
713: exit
714: