Annotation of www/anoncvs.shar, Revision 1.22
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	anoncvs.shar
#	Makefile
#	README
#	anoncvssh.c
#
echo x - Makefile
sed 's/^X//' >Makefile << 'END-of-Makefile'
X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
XPROG=	anoncvssh
XBINOWN=	root
XBINMODE=4111
XBINDIR=	/open
XNOMAN=
X
X.include <bsd.prog.mk>
X
END-of-Makefile
echo x - README
sed 's/^X//' >README << 'END-of-README'
X
X	So, you want to run an anoncvs server.
X
X	A summary of the steps you'll need to do is:
X
X1) Find enough disk space to hold the anoncvs tree, and mount it in an
X   appropriate place.
X
X2) Compile and install anoncvssh, the shell used for the anoncvs user.
X   Install the cvsync client using the 'pkg_add cvsync' command.
X   (If you aren't using OpenBSD you'll probably need to compile a cvsync
X   client as well. The easier path is to use OpenBSD ;)
X
X3) Add the anoncvs user to the password file, with no password, and
X   anoncvssh as its shell. Decide on a user that will run cvsync to maintain
X   the archive (this is a different user, NOT the anoncvs user).
X
X4) Make a home directory for the anoncvs user. The anoncvs user's
X   home directory is a chroot jail in which the anoncvssh processes
X   run when servicing anoncvs requests. The jail must contain the
X   cvs binary as well as whatever shared libraries and support files
X   are needed to run it, unless you compile and link everything
X   statically. This example shows what is needed for OpenBSD. If you
X   use another platform you'll need to be familiar with what needs
X   to go in a chroot jail for your platform.
X
X5) Get permission to use cvsync to obtain the cvs tree from a server.
X
X6) Set up cvsync to retrieve the cvs tree from an appropriate place.
X
X7) Run cvsync to retrieve the distribution from the server.
X
X8) Once you get the distribution in, set up a cron job to run cvsync
X   periodically to keep your server up to date.
X
X9) Enable OpenCVS anoncvs.
X
X**********************************************************************
XSTEP 1) Find enough disk space.
X	You need roughly 2GB.
X	Mount it on /open, and make sure it is not mounted with the nosuid
X	or nodev flags: anoncvssh is installed there setuid root, and the
X	jail needs its own device nodes.
X	If you are not able to mount it as /open, substitute its location
X	throughout the rest of this description.
X
X**********************************************************************
XSTEP 2) Compile the anoncvssh binary.
X	In the Makefile, change the variable CVSROOT. (The CVSROOT the
X	binary prints to users is built from the USERNAME, HOSTNAME and
X	LOCALROOT defines at the top of anoncvssh.c.)
X	Install the binary setuid-root in /open/anoncvssh.
X
X**********************************************************************
XSTEP 3) Create the anoncvs account and decide who will run "cvsync"
X	to maintain the archive. The anoncvs account should *NOT* be the one
X	running cvsync to maintain the archive.
X
XCreate an account similar to:
X
X	anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
X
XYes, that is right - the account has no password. Be sure that the
Xuid and gid are unique on your system; if the ones above aren't,
Xpick different values.
X
XDecide who will run cvsync to maintain the archive. Call that user
X$CVSYNCUSER. Oh, and in case it hasn't been previously mentioned,
X$CVSYNCUSER should *NOT* be the anoncvs user :).
X
XSet the "PermitEmptyPasswords yes" option in /etc/ssh/sshd_config and
Xrestart your sshd daemon.
X
X**********************************************************************
XSTEP 4) Build the anoncvs user's home directory chroot jail. This
X	example assumes that you're using OpenBSD. If you're not you
X	may need different files in the chroot.
X
Xmkdir /open/anoncvs
Xmkdir /open/anoncvs/cvs
Xchown -R $CVSYNCUSER /open/anoncvs/cvs /open/anoncvs
X
XStart filling the account up with nice stuff. You are building a chroot
Xjail for anoncvs in /open/anoncvs.
X
X	cd /open/anoncvs
X	touch .hushlogin
X	touch .profile
X
XPut a message like the following in .plan:
X	To use anonymous CVS install the latest version of CVS on your local
X	machine.
X	Then set your CVSROOT environment variable to the following value:
X	anoncvs@anoncvs.openbsd.org:/cvs
X
X	mkdir bin dev tmp usr var etc
X	cp /bin/{cat,pwd,rm,sh} bin/
X
XUsing mknod, make a dev/null that has the same major/minor numbers as
X	your /dev/null, and make it mode 666.
X
XSome shared library systems require a dev/zero created in the same way.
X
XFill the etc space for the account:
X	cp /etc/{group,hosts,passwd,protocols} etc/
X	cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
X	modify these files to suit your idea of system security
X
Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses
Xa tiny extension provided in the OpenBSD cvs server code which
Xpermits the use of read-only cvs repositories; therefore you MUST
Xcompile the OpenBSD version of cvs. Luckily this is not a problem
Xon a non-OpenBSD machine, since the cvs sources are imported verbatim
Xinto the OpenBSD tree. They are in gnu/usr.bin/cvs. The sources
Xare integrated in such a way that Makefile.bsd-wrapper knows how to build
Xthe sources on an OpenBSD machine, using obj directories.
X
XCreate tmp space for the account:
X	# (cd var && ln -s ../tmp tmp)
X	# chmod a+rwx tmp
X
X	# mkdir usr/{bin,lib}
X	# cp /usr/bin/cvs usr/bin/
X
XIf your system has ld.so in /usr/libexec,
X	# mkdir usr/libexec
X	# cp /usr/libexec/ld.so usr/libexec/
X
XIf using shared libraries, use ldd to find out which shared libs you need:
X	# ldd /usr/bin/cvs
X	/usr/bin/cvs:
X	        Start    End      Type Open Ref GrpRef Name
X	        1c000000 3c01f000 exe  1    0   0      /usr/bin/cvs
X	        0f802000 2f80a000 rlib 0    1   0      /usr/lib/libz.so.4.1
X	        020f3000 220f8000 rlib 0    1   0      /usr/lib/libgssapi.so.5.0
X	        0530c000 2531c000 rlib 0    1   0      /usr/lib/libkrb5.so.17.0
X	        03801000 23841000 rlib 0    1   0      /usr/lib/libcrypto.so.18.0
X	        0a8fb000 2a900000 rlib 0    1   0      /usr/lib/libdes.so.9.0
X	        094d2000 2950b000 rlib 0    1   0      /usr/lib/libc.so.51.0
X	        094ca000 094ca000 rtld 0    1   0      /usr/libexec/ld.so
X
X	and then copy the required libraries to usr/lib/
X
XAs a final pass, make sure that all the files you have just created are
Xnot world writable (the only exceptions are dev/null, dev/zero and the
Xtmp directory you chmod'ed a+rwx above).
X
XFor :pserver: support (optional)
X - Create an entry in /etc/services
X	cvspserver	2401/tcp	# CVS client/server operations
X - Create an entry in /etc/inetd.conf
X	cvspserver	stream	tcp	nowait	anoncvs	/open/anoncvssh	anoncvssh pserver
X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
X	anoncvs:AHDysQkJIubEc
X   which would be a password of "anoncvs" (as per anoncvs.html)
X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
X	anoncvs
X   which tells cvs that user "anoncvs" is allowed readonly access.
X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
X   want anyone to be able to write to the mirror.
X	% cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
X
XSee the example layout below for full details.
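The following POSIX sh functions are an added example for STEP 3 and STEP 4; they are not part of this shar or of OpenBSD's own tooling. They turn the ldd(1) listing above into the list of objects that must be copied into the jail, check a password-file line for the three properties STEP 3 asks for (empty password field, home in the jail, anoncvssh as shell), and perform the "nothing world writable" final pass with the exceptions the text allows. The ldd sample embedded below is a constructed copy of the listing above; the ldd column layout assumed is OpenBSD's, and the jail and shell paths are the /open ones used throughout this README.

```shell
#!/bin/sh
# Added example for checking an anoncvs chroot jail. Not part of the shar.
# Assumes OpenBSD ldd(1) output (Start End Type Open Ref GrpRef Name) and
# the /open/anoncvs jail layout described in this README.

# ldd_libs: read ldd output on stdin, print every shared object it names
# (Type rlib or rtld), one per line. These are the files that must be
# copied into usr/lib and usr/libexec of the jail.
ldd_libs() {
	awk '$3 == "rlib" || $3 == "rtld" { print $7 }'
}

# copy_libs JAIL < ldd-output: copy each reported object into the jail
# under the same path, e.g. /usr/lib/libc.so.51.0 -> JAIL/usr/lib/libc.so.51.0
copy_libs() {
	jail=$1
	ldd_libs | while read -r lib; do
		mkdir -p "$jail$(dirname "$lib")"
		cp -p "$lib" "$jail$lib"
	done
}

# check_passwd_line LINE JAIL SHELL: verify a master.passwd style entry
# (10 fields, as shown in STEP 3) has an empty password field, JAIL as its
# home directory and SHELL as its login shell. Prints each problem found
# and returns 1 if there was any, 0 otherwise.
check_passwd_line() {
	line=$1 jail=$2 shell=$3
	bad=0
	pass=$(echo "$line" | cut -d: -f2)
	home=$(echo "$line" | cut -d: -f9)
	sh=$(echo "$line" | cut -d: -f10)
	[ -z "$pass" ] || { echo "password field is not empty"; bad=1; }
	[ "$home" = "$jail" ] || { echo "home is '$home', expected $jail"; bad=1; }
	[ "$sh" = "$shell" ] || { echo "shell is '$sh', expected $shell"; bad=1; }
	return $bad
}

# world_writable JAIL: list everything under the jail writable by others.
# dev/null and dev/zero (mode 666 by construction) and tmp (chmod a+rwx in
# STEP 4) are the expected exceptions and are left out; anything printed
# is a file the anoncvs user could modify from inside the jail.
world_writable() {
	jail=$1
	find "$jail" -perm -0002 \
	    ! -path "$jail/dev/null" ! -path "$jail/dev/zero" \
	    ! -path "$jail/tmp"
}

# Constructed sample: the ldd output for /usr/bin/cvs shown above.
SAMPLE_LDD='/usr/bin/cvs:
        Start    End      Type Open Ref GrpRef Name
        1c000000 3c01f000 exe  1    0   0      /usr/bin/cvs
        0f802000 2f80a000 rlib 0    1   0      /usr/lib/libz.so.4.1
        020f3000 220f8000 rlib 0    1   0      /usr/lib/libgssapi.so.5.0
        0530c000 2531c000 rlib 0    1   0      /usr/lib/libkrb5.so.17.0
        03801000 23841000 rlib 0    1   0      /usr/lib/libcrypto.so.18.0
        0a8fb000 2a900000 rlib 0    1   0      /usr/lib/libdes.so.9.0
        094d2000 2950b000 rlib 0    1   0      /usr/lib/libc.so.51.0
        094ca000 094ca000 rtld 0    1   0      /usr/libexec/ld.so'

# Demonstration: which objects the sample says the jail needs, and, if a
# jail path is given on the command line, what in it is world writable.
printf '%s\n' "$SAMPLE_LDD" | ldd_libs
if [ -n "$1" ] && [ -d "$1" ]; then
	world_writable "$1"
fi
```

On the real server, `ldd /usr/bin/cvs | copy_libs /open/anoncvs` (run as root) performs the "copy the required libraries" step, and `sh jailcheck.sh /open/anoncvs` after the final pass should print nothing below the library list.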
X
X**********************************************************************
XSTEP 5): Get cvsync permission.
XSend mail to sup@openbsd.org
X1) to have cvsync permissions granted on an appropriate machine for you
X   to cvsync from. We will need to know your host's real hostname and
X   IP address.
X2) to have an anoncvsN.COUNTRY.openbsd.org alias created.
X3) to have your site mentioned in the http://www.openbsd.org/anoncvs.html page.
X
X**********************************************************************
XSTEP 6): Configure cvsync.
X
XYou have to install the cvsync package.
X
XThe file /etc/cvsync.conf contains the configuration of cvsync. It will
Xnormally contain:
X
Xconfig {
X	base-prefix /open/anoncvs/
X	hostname anoncvs.ca.openbsd.org
X	collection {
X		name openbsd-cvsroot release rcs
X		prefix cvs
X	}
X	collection {
X		name openbsd-src release rcs
X		prefix cvs
X	}
X	collection {
X		name openbsd-ports release rcs
X		prefix cvs
X	}
X	collection {
X		name openbsd-www release rcs
X		prefix cvs
X	}
X	collection {
X		name openbsd-xenocara release rcs
X		prefix cvs
X	}
X}
X
X**********************************************************************
XSTEP 7): Run cvsync to retrieve the tree for the first time.
X
XLog in as or become the $CVSYNCUSER, and run
X
Xcvsync > /tmp/cvsynclog 2>&1 & tail -f /tmp/cvsynclog
X
XIf you have cvsync permission, and have specified the correct host and
Xprefix in /etc/cvsync.conf, you should see a list of files start
Xcoming in after a short while. Don't panic if nothing happens
Ximmediately. Watch for errors (cvsync can time out or die). If you can't
Xaccess files, contact the cvsync server maintainer. If you get a timeout
Xor if cvsync dies, you can restart it and it should continue where it left off.
X
XIt can take a good while (and a couple of restarts) to obtain the
Xwhole tree for the first time.
X
X**********************************************************************
XSTEP 8): Set up cron to keep the tree up to date.
X
XYou run cvsync periodically from cron by setting up the crontab file
Xof the $CVSYNCUSER.
X
XFor example, to update every two hours:
X
X15 */2 * * * /usr/local/bin/cvsync > /dev/null
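As an added example for STEP 7 and STEP 8 (not part of this shar), the wrapper below is what a practitioner would put in $CVSYNCUSER's crontab instead of calling cvsync directly: it refuses to start a second cvsync while one is still running (a full fetch can outlast a two-hour cron interval), retries a run that timed out or died, since cvsync continues where it left off, and keeps cvsync's output in a log instead of sending it to /dev/null. The cvsync path is the one from the crontab line above; the lock directory, log file, retry count and the wrapper's own file name are this example's assumptions.

```shell
#!/bin/sh
# cvsync cron wrapper: added example, not part of the anoncvs.shar.
# Assumes cvsync lives at /usr/local/bin/cvsync (the path in the crontab
# line above); lock directory, log file and retry count are this example's
# own defaults and can be overridden from the environment.

CVSYNC=${CVSYNC:-/usr/local/bin/cvsync}
LOCKDIR=${LOCKDIR:-/tmp/cvsync.lock}
LOGFILE=${LOGFILE:-/tmp/cvsync.log}
MAX_TRIES=${MAX_TRIES:-3}

# run_locked LOCKDIR CMD [ARGS...]
# Run CMD under an atomic mkdir(2) lock so that an update still running
# when the next cron slot fires is skipped instead of doubled up.
# Returns 75 (EX_TEMPFAIL) when the lock is already held, otherwise
# CMD's own exit status; the lock is always released afterwards.
run_locked() {
	lock=$1; shift
	if ! mkdir "$lock" 2>/dev/null; then
		echo "cvsync still running (lock $lock held), skipping" >&2
		return 75
	fi
	"$@"
	status=$?
	rmdir "$lock"
	return $status
}

# run_with_retries N CMD [ARGS...]
# cvsync can time out or die and picks up where it left off when
# restarted, so a failed run is retried up to N times before giving up
# and leaving the rest to the next cron slot.
run_with_retries() {
	tries=$1; shift
	attempt=0
	while [ "$attempt" -lt "$tries" ]; do
		attempt=$((attempt + 1))
		if "$@"; then
			return 0
		fi
		echo "cvsync attempt $attempt of $tries failed" >&2
	done
	return 1
}

# sync_once: one cvsync run with stdout and stderr appended to the log,
# so errors are kept for inspection rather than discarded with > /dev/null.
sync_once() {
	echo "=== cvsync start $(date)" >>"$LOGFILE"
	"$CVSYNC" >>"$LOGFILE" 2>&1
}

# Invoked from $CVSYNCUSER's crontab as: cvsync-wrapper.sh run
case "$1" in
run)	run_locked "$LOCKDIR" run_with_retries "$MAX_TRIES" sync_once ;;
esac
```

With the script saved as, say, /usr/local/bin/cvsync-wrapper.sh (a hypothetical path), the crontab entry for the two-hourly update becomes `15 */2 * * * /usr/local/bin/cvsync-wrapper.sh run`; a skipped run exits 75 so cron mails nothing but the one-line notice on stderr.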
1.7 beck 254: X
255: X**********************************************************************
1.19 beck 256: XSTEP 9): Enabling OpenCVS anoncvs.
257: X
258: XThe next step is to enable OpenCVS, which will run on your system next
259: Xto the normal GNU cvs server. This will become the default in the
260: Xfuture.
261: X
262: XFirst off, create a new user account "opencvs" like you did for your
263: Xnormal anoncvs user:
264: X
265: Xopencvs::32766:32766::0:0:Anonymous OpenCVS User:/open/anoncvs:/open/anoncvssh
266: X
267: XBe sure that the uid and gid are unique for your system, if the ones
268: Xabove aren't, pick different values.
269: X
270: X#define OPENCVS_USER "opencvs"
271: X
272: XRecompile anoncvssh.c and install the binary setuid-root in /open/anoncvssh.
273: X
274: XCompile and install a current /usr/bin/opencvs.
275: X
276: XCopy /usr/bin/opencvs to /open/anoncvs/usr/bin/opencvs
277: X
278: XYou can now use OpenCVS anoncvs by using the correct CVSROOT:
279: X
280: X opencvs@anoncvs.openbsd.org:/cvs
281: X
282: XIf you encounter bugs, send them to joris@openbsd.org
283: X
284: X**********************************************************************
1.7 beck 285: XEXAMPLE LAYOUT
286: X
1.22 ! landry 287: XExample layout for OpenBSD. In this example "deraadt" is the $CVSYNCUSER.
1.3 deraadt 288: X
1.22 ! landry 289: X$ cd /open
! 290: X$ ls -alF
! 291: Xtotal 64
! 292: Xdrwxr-xr-x 5 root wheel 512 Jun 18 22:29 ./
! 293: Xdrwxr-xr-x 13 root wheel 512 Jun 4 05:14 ../
! 294: Xdrwxr-xr-x 9 deraadt wheel 512 Jun 3 02:15 anoncvs/
! 295: X---s--x--x 1 root wheel 14302 Jun 18 22:29 anoncvssh*
! 296: Xdrwxr-xr-x 4 root wheel 5120 Jun 10 14:34 ftp/
! 297: X
! 298: X$ cd anoncvs
! 299: X$ ls -alF
! 300: Xtotal 68
! 301: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ./
! 302: Xdrwxr-xr-x 5 root wheel 512 Jun 10 14:32 ../
! 303: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .hushlogin
! 304: X-rw-r--r-- 1 root wheel 84 Jun 3 01:50 .plan
! 305: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .profile
! 306: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 bin/
! 307: Xdrwxr-xr-x 7 deraadt wheel 512 Jun 18 22:19 cvs/
! 308: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 dev/
! 309: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 etc/
! 310: Xdrwxrwxrwx 10 root wheel 512 Jun 18 17:38 tmp/
! 311: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 usr/
! 312: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:54 var/
! 313: X$ ls -alFR bin usr tmp etc dev
1.3 deraadt 314: Xbin:
1.22 ! landry 315: Xtotal 1984
! 316: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 ./
! 317: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
! 318: X-r-xr-xr-x 1 root wheel 132368 Jun 3 01:40 cat*
! 319: X-r-xr-xr-x 1 root wheel 124176 Jun 3 01:40 pwd*
! 320: X-r-xr-xr-x 1 root wheel 238864 Jun 3 01:40 rm*
! 321: X-r-xr-xr-x 1 root wheel 460048 Jun 3 01:40 sh*
! 322: X
1.3 deraadt 323: Xdev:
1.22 ! landry 324: Xtotal 8
! 325: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 ./
! 326: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
! 327: Xcrw-rw-rw- 1 root wheel 3, 2 Jun 3 01:51 null
! 328: Xcrw-rw-rw- 1 root wheel 3, 12 Jun 3 01:51 zero
! 329: X
1.3 deraadt 330: Xetc:
1.22 ! landry 331: Xtotal 188
! 332: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 ./
! 333: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
! 334: X-r--r--r-- 1 root wheel 64 Jun 3 01:52 group*
! 335: X-r--r--r-- 1 root wheel 576 Jun 3 01:52 hosts*
! 336: X-r--r--r-- 1 root wheel 291 Jun 3 01:53 passwd*
! 337: X-r--r--r-- 1 root wheel 5625 Jun 3 01:52 protocols*
! 338: X-r--r--r-- 1 root wheel 40960 Jun 3 01:52 pwd.db*
! 339: X-r--r--r-- 1 root wheel 93 Jun 3 01:52 resolv.conf*
! 340: X-r--r--r-- 1 root wheel 9875 Jun 3 01:52 services*
! 341: X-r--r--r-- 1 root wheel 26428 Jun 3 01:52 ttys*
1.3 deraadt 342: X
343: Xusr:
1.22 ! landry 344: Xtotal 20
! 345: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ./
! 346: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
! 347: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 bin/
! 348: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 lib/
! 349: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 libexec/
1.3 deraadt 350: X
351: Xusr/bin:
1.22 ! landry 352: Xtotal 3016
! 353: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 ./
! 354: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
! 355: X-r-xr-xr-x 1 root wheel 643728 Jun 3 01:54 cvs*
! 356: X-r-xr-xr-x 1 root wheel 841240 Jun 3 01:57 opencvs*
1.3 deraadt 357: X
358: Xusr/lib:
1.22 ! landry 359: Xtotal 42344
! 360: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./
! 361: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
! 362: X-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.50.1
! 363: X-r--r--r-- 1 root wheel 9659802 Jun 3 01:56 libcrypto.so.18.0
! 364: X-r--r--r-- 1 root wheel 190814 Jun 3 01:56 libdes.so.9.0
! 365: X-r--r--r-- 1 root wheel 1593303 Jun 3 01:55 libgssapi.so.5.0
! 366: X-r--r--r-- 1 root wheel 5337583 Jun 3 01:56 libkrb5.so.16.0
! 367: X-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.4.1
1.3 deraadt 368: X
369: Xusr/libexec:
1.22 ! landry 370: Xtotal 120
! 371: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 ./
! 372: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
! 373: X-r-xr-xr-x 1 root wheel 55683 Jun 3 01:55 ld.so*
! 374: X$ ls cvs
! 375: XCVSROOT ports src www xenocara
! 376: X
1.1 deraadt 377: END-of-README
echo x - anoncvssh.c
sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
X/*
X * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
X * Copyright (c) 1997 Bob Beck <beck@obtuse.com>
X * Copyright (c) 1996 Thorsten Lockert <tholo@sigmasoft.com>
X *
X * Permission to use, copy, modify, and distribute this software for any
X * purpose with or without fee is hereby granted, provided that the above
X * copyright notice and this permission notice appear in all copies.
X *
X * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
X * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
X * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
X * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
X * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
X * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
X * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
X */
X
X#include <sys/types.h>
X#include <stdio.h>
X#include <stdlib.h>
X#include <string.h>		/* strcmp() is used unconditionally below */
X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
X#include <paths.h>
X#endif
X#include <pwd.h>
X#include <unistd.h>
X
X/*
X * You may need to change this path to ensure that RCS, CVS and diff
X * can be found
X */
X#ifndef _PATH_DEFPATH
X#define _PATH_DEFPATH "/bin:/usr/bin"
X#endif
X
X/*
X * This should not normally have to be changed
X */
X#ifndef _PATH_BSHELL
X#define _PATH_BSHELL "/bin/sh"
X#endif
X
X/*
X * Location of CVS tree, relative to the anonymous CVS user's
X * home directory
X */
X#ifndef LOCALROOT
X#define LOCALROOT "/cvs"
X#endif
X
X/*
X * Hostname to be used when accessing the remote repository.
X */
X#ifndef HOSTNAME
X#define HOSTNAME "anoncvs1.usa.openbsd.org"
X#endif
X
X/*
X * Username to be used when accessing the remote repository.
X */
X#ifndef USERNAME
X#define USERNAME "anoncvs"
X#endif
X
X/*
X * $CVSROOT is created based on USERNAME, HOSTNAME and LOCALROOT above
X */
X#ifndef CVSROOT
X#define CVSROOT USERNAME "@" HOSTNAME ":" LOCALROOT
X#endif
X
X/*
X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
X * You may undefine this if you aren't going to be running pserver.
X */
X#ifndef PSERVER_SUPPORT
X#define PSERVER_SUPPORT
X#endif
X
X/*
X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
X * using syslog()
X */
X#define USE_SYSLOG
X
X#ifdef USE_SYSLOG
X#include <syslog.h>
X#include <netinet/in.h>
X#include <sys/socket.h>
X#include <arpa/inet.h>
X#define LOG_FACILITY LOG_DAEMON
X#define LOG_PRIO LOG_INFO
X#endif
X
X/*
X * Define ANONCVS_USER if you want anoncvssh to complain if invoked by
X * anyone other than root or ANONCVS_USER.
X */
X/* #define ANONCVS_USER USERNAME */
X
X/*
X * If you want to be able to run an alternate OpenCVS binary on your
X * anoncvs server, define OPENCVS_USER as the user who will invoke it.
X */
X#define OPENCVS_USER "opencvs"
X
X/*
X * The only environment the cvs server ever sees: a fixed PATH and SHELL,
X * CVSROOT pointing at the tree inside the jail, and CVSREADONLYFS, which
X * makes the OpenBSD cvs server treat the repository as read-only.
X * Nothing from the connecting client's environment is passed through.
X */
Xchar * const env[] = {
X	"PATH=" _PATH_DEFPATH,
X	"SHELL=" _PATH_BSHELL,
X	"CVSROOT=" LOCALROOT,
X	"HOME=/",
X	"CVSREADONLYFS=1",
X	NULL
X};
X
Xint
Xmain(int argc, char *argv[])
X{
X	struct passwd *pw;
X#ifdef DEBUG
X	int i;
X#endif /* DEBUG */
X#if defined(OPENCVS_USER)
X	int opencvs;
X#endif
X
X	pw = getpwuid(getuid());
X	if (pw == NULL) {
X		fprintf(stderr, "no user for uid %u\n", (unsigned)getuid());
X		exit(1);
X	}
X	if (pw->pw_dir == NULL) {
X		fprintf(stderr, "no directory\n");
X		exit(1);
X	}
X
X#ifdef USE_SYSLOG
X	openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
X#endif /* USE_SYSLOG */
X
X#ifdef ANONCVS_USER
X	/*
X	 * I love lusers who have to test every setuid binary on my machine.
X	 */
X	if (getuid() != 0 && (strcmp(pw->pw_name, ANONCVS_USER) != 0)) {
X		fprintf(stderr, "You're not supposed to be running me!\n");
X#ifdef USE_SYSLOG
X		syslog(LOG_NOTICE,
X		    "User %s(%u) invoked anoncvssh - Possible twink?",
X		    pw->pw_name, (unsigned)pw->pw_uid);
X#endif /* USE_SYSLOG */
X		exit(1);
X	}
X#endif /* ANONCVS_USER */
X
X	/*
X	 * Become root for chroot(2), lock the process into the anoncvs
X	 * user's home directory, then drop back to the invoking user.
X	 * Every step is checked: if the final setuid() were to fail we
X	 * would go on to run cvs as root inside the jail, so bail out.
X	 */
X	if (setuid(0) == -1) {
X		perror("setuid(0)");
X		exit(1);
X	}
X	if (chroot(pw->pw_dir) == -1) {
X		perror("chroot");
X		exit(1);
X	}
X	if (chdir("/") == -1) {
X		perror("chdir");
X		exit(1);
X	}
X	if (setuid(pw->pw_uid) == -1) {
X		perror("setuid");
X		exit(1);
X	}
X
X#if defined(OPENCVS_USER)
X	if (!strcmp(pw->pw_name, OPENCVS_USER))
X		opencvs = 1;
X	else
X		opencvs = 0;
X#endif
X
X	/*
X	 * program now "safe"
X	 */
X
X#ifdef PSERVER_SUPPORT
X	/* If we want pserver functionality */
X	if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
X#ifdef USE_SYSLOG
X		socklen_t slen;
X		struct sockaddr_in my_sa, peer_sa;
X		char *us, *them;
X#endif /* USE_SYSLOG */
X
X#if defined(OPENCVS_USER)
X		/*
X		 * Refuse pserver for the OpenCVS user regardless of
X		 * whether syslog logging is compiled in.
X		 */
X		if (opencvs == 1) {
X			fprintf(stderr, "OpenCVS does not support pserver\n");
X			sleep(10);
X			exit(1);
X		}
X#endif
X
X#ifdef USE_SYSLOG
X		/* stdin is the inetd socket; record both ends of it */
X		slen = sizeof(my_sa);
X		if (getsockname(0, (struct sockaddr *)&my_sa, &slen) != 0) {
X			perror("getsockname");
X			exit(1);
X		}
X		/* inet_ntoa() returns a static buffer, so copy each result */
X		us = strdup(inet_ntoa(my_sa.sin_addr));
X		if (us == NULL) {
X			fprintf(stderr, "malloc failed\n");
X			exit(1);
X		}
X		slen = sizeof(peer_sa);
X		if (getpeername(0, (struct sockaddr *)&peer_sa, &slen) != 0) {
X			perror("getpeername");
X			exit(1);
X		}
X		them = strdup(inet_ntoa(peer_sa.sin_addr));
X		if (them == NULL) {
X			fprintf(stderr, "malloc failed\n");
X			exit(1);
X		}
X		syslog(LOG_PRIO,
X		    "pserver connection from %s:%d to %s:%d",
X		    them, ntohs(peer_sa.sin_port),
X		    us, ntohs(my_sa.sin_port));
X#endif /* USE_SYSLOG */
X		execle("/usr/bin/cvs", "cvs",
X		    "--allow-root=" LOCALROOT, "pserver", (char *)NULL, env);
X		perror("execle: cvs");
X		fprintf(stderr, "unable to exec CVS pserver!\n");
X		exit(1);
X		/* NOTREACHED */
X	}
X#endif /* PSERVER_SUPPORT */
X
X	/*
X	 * As a login shell we are invoked by sshd as "anoncvssh -c <cmd>".
X	 * The only commands ever accepted are the two forms of the cvs
X	 * server invocation; anything else gets the usage message and a
X	 * deliberate delay.
X	 */
X	if (argc != 3 ||
X	    strcmp("anoncvssh", argv[0]) != 0 ||
X	    strcmp("-c", argv[1]) != 0 ||
X	    (strcmp("cvs server", argv[2]) != 0 &&
X	    strcmp("cvs -d " LOCALROOT " server", argv[2]) != 0)) {
X		fprintf(stderr, "\nTo use anonymous CVS install the latest ");
X		fprintf(stderr, "version of CVS on your local machine.\n");
X		fprintf(stderr, "Then set your CVSROOT environment variable ");
X		fprintf(stderr, "to the following value:\n");
X#if defined(OPENCVS_USER)
X		fprintf(stderr, "\t%s@%s:%s for OpenCVS\n", OPENCVS_USER,
X		    HOSTNAME, LOCALROOT);
X#endif
X		fprintf(stderr, "\t%s\n\n", CVSROOT);
X#ifdef DEBUG
X		fprintf(stderr, "argc = %d\n", argc);
X		for (i = 0; i < argc; i++)
X			fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
X#endif /* DEBUG */
X		sleep(10);
X		exit(0);
X	}
X
X#if defined(OPENCVS_USER)
X	if (opencvs == 1) {
X		execle("/usr/bin/opencvs", "opencvs",
X		    "server", (char *)NULL, env);
X	} else {
X#endif
X		execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
X#if defined(OPENCVS_USER)
X	}
X#endif
X
X	perror("execle: cvs");
X	fprintf(stderr, "unable to exec CVS server!\n");
X	exit(1);
X	/* NOTREACHED */
X}
X
END-of-anoncvssh.c
exit
661: