Annotation of www/anoncvs.shar, Revision 1.23
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
1.6 deraadt 8: # Makefile
1.1 deraadt 9: # README
10: # anoncvssh.c
11: #
1.6 deraadt 12: echo x - Makefile
13: sed 's/^X//' >Makefile << 'END-of-Makefile'
14: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
15: XPROG= anoncvssh
16: XBINOWN= root
17: XBINMODE=4111
18: XBINDIR=/open
19: XNOMAN=
20: X
21: X.include <bsd.prog.mk>
22: X
23: END-of-Makefile
1.1 deraadt 24: echo x - README
25: sed 's/^X//' >README << 'END-of-README'
26: X
1.16 millert 27: X So, you want to run an anoncvs server.
1.7 beck 28: X
29: X A summary of the steps you'll need to do is:
30: X
1.16 millert 31: X1) Find enough disk space to hold the anoncvs tree, and mount it in an
1.14 millert 32: X appropriate place.
1.7 beck 33: X
34: X2) Compile and install anoncvssh, the shell used for the anoncvs user.
1.22 landry 35: X Install the cvsync client using 'pkg_add cvsync' command.
36: X ( If you aren't using OpenBSD you'll probably need to compile a cvsync
1.16 millert 37: X client as well. The easier path is to use OpenBSD ;).
1.7 beck 38: X
39: X3) Add the anoncvs user to the password file, with no password, and
1.22 landry 40: X anoncvssh as it's shell. Decide on a user that will run cvsync to maintain
1.16 millert 41: X the archive (this is a different user, NOT the anoncvs user).
1.7 beck 42: X
1.14 millert 43: X4) Make a home directory for the anoncvs user. The anoncvs user's
44: X home directory is a chroot jail in which the anoncvssh processes
45: X run when servicing anoncvs requests. The jail must contain the
46: X cvs binary as well as whatever shared libraries and support files
47: X are needed to run them unless you compile and link everything
1.16 millert 48: X statically. This example shows what is needed for OpenBSD. If you
1.14 millert 49: X use another platform you'll need to be familiar with what needs
50: X to go in a chroot jail for your platform.
1.7 beck 51: X
1.22 landry 52: X5) Get permission to use cvsync to obtain the cvs tree from a server.
1.1 deraadt 53: X
1.22 landry 54: X6) Set up cvsync to retrieve the cvs tree from an appropriate place.
1.6 deraadt 55: X
1.22 landry 56: X7) Run cvsync to retrieve the distribution from the server.
1.3 deraadt 57: X
1.22 landry 58: X8) Once you get the distribution in, set up a cron job to run cvsync
1.7 beck 59: X periodically to keep your server up to date.
1.6 deraadt 60: X
1.7 beck 61: X**********************************************************************
62: XSTEP 1) find enough disk space.
1.16 millert 63: X You need roughly 2GB.
1.21 landry 64: X Mount it on /open, make sure it doesn't have nosuid and nodev flags.
1.14 millert 65: X If you are not able to mount it as /open, substitute it's location
1.16 millert 66: X throughout the rest of this description.
1.6 deraadt 67: X
1.7 beck 68: X**********************************************************************
1.16 millert 69: XSTEP 2) compile the anoncvssh binary.
70: X In the Makefile, change the variable CVSROOT.
1.14 millert 71: X Install the binary setuid-root in /open/anoncvssh.
1.1 deraadt 72: X
1.7 beck 73: X**********************************************************************
1.22 landry 74: XSTEP 3) Create the anoncvs account and decide who will run "cvsync"
1.14 millert 75: X to maintain the archive. The anoncvs account should *NOT* be the one
1.22 landry 76: X running cvsync to maintain the archive.
1.1 deraadt 77: X
1.9 beck 78: Xcreate an account similar to:
79: X
1.18 millert 80: X anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
1.4 deraadt 81: X
1.16 millert 82: XYes, that is right - the account has no password. Be sure that the
1.14 millert 83: Xuid and gid are unique for your system, if the ones above aren't,
84: Xpick different values.
1.16 millert 85: X
1.22 landry 86: XDecide who will run cvsync to maintain the archive. Call that user
87: X$CVSYNCUSER. Oh, and in case it hasn't been previously mentioned,
88: X$CVSYNCUSER should *NOT* be the anoncvs user :).
1.16 millert 89: X
90: XSet "PermitEmptyPasswords yes" option in /etc/ssh/sshd_config and
91: Xrestart your sshd daemon.
1.7 beck 92: X
93: X**********************************************************************
1.14 millert 94: XSTEP 4) Build the anoncvs user's home directory chroot jail. This
95: X example assumes that you're using OpenBSD. If you're not you
96: X may need different files in the chroot.
1.4 deraadt 97: X
1.1 deraadt 98: Xmkdir /open/anoncvs
99: Xmkdir /open/anoncvs/cvs
1.22 landry 100: Xchown -R $CVSYNCUSER /open/anoncvs/cvs /open/anoncvs
1.1 deraadt 101: X
1.14 millert 102: XStart filling the account up with nice stuff. You are building a chroot
1.7 beck 103: Xjail for anoncvs in /open/anoncvs.
104: X
1.1 deraadt 105: X cd /open/anoncvs
106: X touch .hushlogin
107: X touch .profile
108: X
1.14 millert 109: XPut a message like the following in .plan:
1.16 millert 110: X To use anonymous CVS install the latest version of CVS on your local
1.6 deraadt 111: X machine.
1.1 deraadt 112: X Then set your CVSROOT environment variable to the following value:
113: X anoncvs@anoncvs.openbsd.org:/cvs
114: X
115: X mkdir bin dev tmp usr var etc
116: X cp /bin/{cat,pwd,rm,sh} bin/
117: X
1.14 millert 118: XUsing mknod, make a dev/null that has the same major/minor numbers as
1.1 deraadt 119: X your /dev/null, and make it mode 666.
120: X
1.16 millert 121: XSome shared library systems require a dev/zero created in the same way.
1.1 deraadt 122: X
1.14 millert 123: XFill etc space for the account
1.1 deraadt 124: X cp /etc/{group,hosts,passwd,protocols} etc/
125: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
126: X modify these files to suit your idea of system security
127: X
1.14 millert 128: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses
1.16 millert 129: Xa tiny extension provided in the openbsd cvs server code which
130: Xpermits the use of read-only cvs repositories, therefore you MUST
131: Xcompile the openbsd version of cvs. Luckily this is not a problem
132: Xon a non-openbsd machine, since the cvs sources are imported verbatim
133: Xinto the openbsd tree. They are in gnu/usr.bin/cvs. The sources
134: Xare integrated in such way that Makefile.bsd-wrapper knows how to build
1.14 millert 135: Xthe sources on an OpenBSD machine, using obj directories.
1.1 deraadt 136: X
1.14 millert 137: XCreate tmp space for the account
1.16 millert 138: X # (cd var && ln -s ../tmp tmp)
1.13 millert 139: X # chmod a+rwx tmp
1.1 deraadt 140: X
1.13 millert 141: X # mkdir usr/{bin,lib}
142: X # cp /usr/bin/cvs usr/bin/
1.1 deraadt 143: X
1.14 millert 144: XIf your system has ld.so in /usr/libexec,
1.13 millert 145: X # mkdir usr/libexec
146: X # cp /usr/libexec/ld.so usr/libexec/
1.1 deraadt 147: X
1.14 millert 148: XIf using shared libraries, use ldd to find out which shared libs you need:
1.13 millert 149: X # ldd /usr/bin/cvs
1.16 millert 150: X /usr/bin/cvs:
1.22 landry 151: X Start End Type Open Ref GrpRef Name
152: X 1c000000 3c01f000 exe 1 0 0 /usr/bin/cvs
153: X 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.4.1
154: X 020f3000 220f8000 rlib 0 1 0 /usr/lib/libgssapi.so.5.0
155: X 0530c000 2531c000 rlib 0 1 0 /usr/lib/libkrb5.so.17.0
156: X 03801000 23841000 rlib 0 1 0 /usr/lib/libcrypto.so.18.0
157: X 0a8fb000 2a900000 rlib 0 1 0 /usr/lib/libdes.so.9.0
158: X 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.51.0
159: X 094ca000 094ca000 rtld 0 1 0 /usr/libexec/ld.so
1.13 millert 160: X
161: X and then copy the required libraries to usr/lib/
1.1 deraadt 162: X
1.14 millert 163: XAs a final pass, make sure that all the files you have just created are
164: Xnot world writable (except dev/null).
1.1 deraadt 165: X
1.7 beck 166: XFor :pserver: support (optional)
167: X - Create an entry in /etc/services
1.16 millert 168: X cvspserver 2401/tcp # CVS client/server operations
1.7 beck 169: X - Create an entry in /etc/inetd.conf
1.16 millert 170: X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
1.11 millert 171: X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
1.16 millert 172: X anoncvs:AHDysQkJIubEc
1.11 millert 173: X which would be a password of "anoncvs" (as per anoncvs.html)
174: X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
1.16 millert 175: X anoncvs
1.11 millert 176: X which tells cvs that user "anoncvs" is allowed readonly access.
177: X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
178: X want anyone to be able to write to the mirror.
1.16 millert 179: X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
1.7 beck 180: X
181: XSee the example layout below for full details.
182: X
183: X**********************************************************************
1.22 landry 184: XSTEP 5): Get cvsync permission.
1.7 beck 185: Xsend mail to sup@openbsd.org
1.22 landry 186: X1) to have cvsync permissions granted on an appropriate machine for you
187: X to cvsync from. We will need to know your host's real hostname and
1.10 beck 188: X IP address.
1.16 millert 189: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created.
1.22 landry 190: X3) to have your site mentioned in the http://www.openbsd.org/anoncvs.html page.
1.3 deraadt 191: X
1.7 beck 192: X**********************************************************************
1.22 landry 193: XSTEP 6): Configure cvsync.
194: X
195: XYou have to install cvsync package.
1.7 beck 196: X
1.22 landry 197: XThe file /etc/cvsync.conf contains the configuration of cvsync. It will
198: Xnormally contain:
1.7 beck 199: X
1.22 landry 200: Xconfig {
201: X base-prefix /open/anoncvs/
202: X hostname anoncvs.ca.openbsd.org
203: X collection {
204: X name openbsd-cvsroot release rcs
205: X prefix cvs
206: X }
207: X collection {
208: X name openbsd-src release rcs
209: X prefix cvs
210: X }
211: X collection {
212: X name openbsd-ports release rcs
213: X prefix cvs
214: X }
215: X collection {
216: X name openbsd-www release rcs
217: X prefix cvs
218: X }
219: X collection {
220: X name openbsd-xenocara release rcs
221: X prefix cvs
222: X }
223: X}
1.7 beck 224: X
225: X**********************************************************************
1.22 landry 226: XSTEP 7): Run cvsync to retrieve the tree for the first time.
1.7 beck 227: X
1.22 landry 228: XLog in as or become the $CVSYNCUSER, and run
1.7 beck 229: X
1.22 landry 230: Xcvsync > /tmp/cvsynclog &; tail -f /tmp/cvsynclog
1.7 beck 231: X
1.22 landry 232: XIf you have cvsync permission, and have specified the correct host and
233: Xprefix in /etc/cvsync.conf you should see a list of files start
1.7 beck 234: Xcoming in after a short while. Don't panic if nothing happens
1.22 landry 235: Ximmediately. Watch for errors (cvsync can timeout or die). If you can't
236: Xaccess files contact the cvsync server maintainer. If you get a timeout
237: Xor if cvsync dies you can restart and it should continue where it left off.
1.7 beck 238: X
239: XIt can take a good while (and a couple of restarts) to obtain the
240: Xwhole tree for the first time.
241: X
242: X**********************************************************************
243: XSTEP 8): Set up cron to keep the tree up to date.
244: X
1.22 landry 245: XYou run cvsync periodically from the cron by setting up the crontab file
246: Xof the $CVSYNCUSER.
1.7 beck 247: X
1.22 landry 248: XFor example, to update every two hours:
1.7 beck 249: X
1.22 landry 250: X15 */2 * * * /usr/local/bin/cvsync > /dev/null
1.7 beck 251: X
252: X**********************************************************************
1.19 beck 253: X
1.7 beck 254: XEXAMPLE LAYOUT
255: X
1.22 landry 256: XExample layout for OpenBSD. In this example "deraadt" is the $CVSYNCUSER.
1.3 deraadt 257: X
1.22 landry 258: X$ cd /open
259: X$ ls -alF
260: Xtotal 64
261: Xdrwxr-xr-x 5 root wheel 512 Jun 18 22:29 ./
262: Xdrwxr-xr-x 13 root wheel 512 Jun 4 05:14 ../
263: Xdrwxr-xr-x 9 deraadt wheel 512 Jun 3 02:15 anoncvs/
264: X---s--x--x 1 root wheel 14302 Jun 18 22:29 anoncvssh*
265: Xdrwxr-xr-x 4 root wheel 5120 Jun 10 14:34 ftp/
266: X
267: X$ cd anoncvs
268: X$ ls -alF
269: Xtotal 68
270: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ./
271: Xdrwxr-xr-x 5 root wheel 512 Jun 10 14:32 ../
272: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .hushlogin
273: X-rw-r--r-- 1 root wheel 84 Jun 3 01:50 .plan
274: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .profile
275: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 bin/
276: Xdrwxr-xr-x 7 deraadt wheel 512 Jun 18 22:19 cvs/
277: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 dev/
278: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 etc/
279: Xdrwxrwxrwx 10 root wheel 512 Jun 18 17:38 tmp/
280: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 usr/
281: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:54 var/
282: X$ ls -alFR bin usr tmp etc dev
1.3 deraadt 283: Xbin:
1.22 landry 284: Xtotal 1984
285: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 ./
286: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
287: X-r-xr-xr-x 1 root wheel 132368 Jun 3 01:40 cat*
288: X-r-xr-xr-x 1 root wheel 124176 Jun 3 01:40 pwd*
289: X-r-xr-xr-x 1 root wheel 238864 Jun 3 01:40 rm*
290: X-r-xr-xr-x 1 root wheel 460048 Jun 3 01:40 sh*
291: X
1.3 deraadt 292: Xdev:
1.22 landry 293: Xtotal 8
294: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 ./
295: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
296: Xcrw-rw-rw- 1 root wheel 3, 2 Jun 3 01:51 null
297: Xcrw-rw-rw- 1 root wheel 3, 12 Jun 3 01:51 zero
298: X
1.3 deraadt 299: Xetc:
1.22 landry 300: Xtotal 188
301: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 ./
302: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
303: X-r--r--r-- 1 root wheel 64 Jun 3 01:52 group*
304: X-r--r--r-- 1 root wheel 576 Jun 3 01:52 hosts*
305: X-r--r--r-- 1 root wheel 291 Jun 3 01:53 passwd*
306: X-r--r--r-- 1 root wheel 5625 Jun 3 01:52 protocols*
307: X-r--r--r-- 1 root wheel 40960 Jun 3 01:52 pwd.db*
308: X-r--r--r-- 1 root wheel 93 Jun 3 01:52 resolv.conf*
309: X-r--r--r-- 1 root wheel 9875 Jun 3 01:52 services*
310: X-r--r--r-- 1 root wheel 26428 Jun 3 01:52 ttys*
1.3 deraadt 311: X
312: Xusr:
1.22 landry 313: Xtotal 20
314: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ./
315: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
316: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 bin/
317: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 lib/
318: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 libexec/
1.3 deraadt 319: X
320: Xusr/bin:
1.22 landry 321: Xtotal 3016
322: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 ./
323: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
324: X-r-xr-xr-x 1 root wheel 643728 Jun 3 01:54 cvs*
1.3 deraadt 325: X
326: Xusr/lib:
1.22 landry 327: Xtotal 42344
328: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./
329: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
330: X-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.50.1
331: X-r--r--r-- 1 root wheel 9659802 Jun 3 01:56 libcrypto.so.18.0
332: X-r--r--r-- 1 root wheel 190814 Jun 3 01:56 libdes.so.9.0
333: X-r--r--r-- 1 root wheel 1593303 Jun 3 01:55 libgssapi.so.5.0
334: X-r--r--r-- 1 root wheel 5337583 Jun 3 01:56 libkrb5.so.16.0
335: X-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.4.1
1.3 deraadt 336: X
337: Xusr/libexec:
1.22 landry 338: Xtotal 120
339: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 ./
340: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
341: X-r-xr-xr-x 1 root wheel 55683 Jun 3 01:55 ld.so*
342: X$ ls cvs
343: XCVSROOT ports src www xenocara
344: X
1.1 deraadt 345: END-of-README
346: echo x - anoncvssh.c
347: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
348: X/*
1.15 millert 349: X * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
350: X * Copyright (c) 1997 Bob Beck <beck@obtuse.com>
351: X * Copyright (c) 1996 Thorsten Lockert <tholo@sigmasoft.com>
352: X *
353: X * Permission to use, copy, modify, and distribute this software for any
354: X * purpose with or without fee is hereby granted, provided that the above
355: X * copyright notice and this permission notice appear in all copies.
356: X *
357: X * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
358: X * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
359: X * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
360: X * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
361: X * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
362: X * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
363: X * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.1 deraadt 364: X */
365: X
1.4 deraadt 366: X#include <stdio.h>
367: X#include <stdlib.h>
368: X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
369: X#include <paths.h>
370: X#endif
371: X#include <pwd.h>
372: X#include <unistd.h>
373: X#include <sys/types.h>
374: X
375: X#ifndef __P
376: X#if defined(__STDC__) || defined(__cplusplus)
377: X#define __P(protos) protos /* full-blown ANSI C */
378: X#else
379: X#define __P(protos) () /* traditional C preprocessor */
380: X#endif
381: X#endif
382: X
383: X/*
384: X * You may need to change this path to ensure that RCS, CVS and diff
385: X * can be found
386: X */
387: X#ifndef _PATH_DEFPATH
388: X#define _PATH_DEFPATH "/bin:/usr/bin"
389: X#endif
390: X
391: X/*
392: X * This should not normally have to be changed
393: X */
394: X#ifndef _PATH_BSHELL
395: X#define _PATH_BSHELL "/bin/sh"
396: X#endif
397: X
398: X/*
399: X * Location of CVS tree, relative to the anonymous CVS user's
400: X * home directory
401: X */
402: X#ifndef LOCALROOT
403: X#define LOCALROOT "/cvs"
404: X#endif
405: X
406: X/*
1.19 beck 407: X * Hostname to be used when accessing the remote repository.
1.4 deraadt 408: X */
409: X#ifndef HOSTNAME
1.19 beck 410: X#define HOSTNAME "anoncvs1.usa.openbsd.org"
411: X#endif
412: X
413: X/*
414: X * Username to be used when accessing the remote repository.
415: X */
416: X#ifndef USERNAME
417: X#define USERNAME "anoncvs"
1.4 deraadt 418: X#endif
419: X
420: X/*
1.19 beck 421: X * $CVSROOT is created based on USERNAME HOSTNAME and LOCALROOT above
1.4 deraadt 422: X */
1.1 deraadt 423: X#ifndef CVSROOT
1.19 beck 424: X#define CVSROOT USERNAME "@" HOSTNAME ":"LOCALROOT
1.1 deraadt 425: X#endif
426: X
1.8 beck 427: X/*
428: X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
429: X * You may undefine this if you aren't going to be running pserver.
430: X */
431: X#ifndef PSERVER_SUPPORT
432: X#define PSERVER_SUPPORT
433: X#endif
434: X
435: X/*
436: X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
437: X * using syslog()
438: X */
439: X#define USE_SYSLOG
440: X
441: X#ifdef USE_SYSLOG
442: X#include <string.h>
443: X#include <syslog.h>
444: X#include <netinet/in.h>
445: X#include <sys/socket.h>
446: X#include <arpa/inet.h>
447: X#define LOG_FACILITY LOG_DAEMON
448: X#define LOG_PRIO LOG_INFO
449: X#endif
450: X
451: X/* Define ANONCVS_USER if you want anoncvssh to complain if invoked by
452: X * anyone other than root or ANONCVS_USER.
453: X */
1.19 beck 454: X/* #define ANONCVS_USER USERNAME */
455: X
456: X/*
457: X * If you want to be able to run an alternate OpenCVS binary on your
458: X * anoncvs server, define OPENCVS_USER as the user who will invoke it.
459: X */
460: X#define OPENCVS_USER "opencvs"
1.8 beck 461: X
1.4 deraadt 462: Xint main __P((int, char *[]));
463: X
464: Xchar * const env[] = {
1.17 espie 465: X "PATH="_PATH_DEFPATH,
466: X "SHELL="_PATH_BSHELL,
467: X "CVSROOT="LOCALROOT,
1.4 deraadt 468: X "HOME=/",
469: X "CVSREADONLYFS=1",
470: X NULL
471: X};
1.1 deraadt 472: X
473: Xint
474: Xmain(argc, argv)
475: Xint argc;
476: Xchar *argv[];
477: X{
478: X struct passwd *pw;
1.5 deraadt 479: X#ifdef DEBUG
480: X int i;
481: X#endif /* DEBUG */
1.19 beck 482: X#if defined(OPENCVS_USER)
483: X int opencvs;
484: X#endif
1.1 deraadt 485: X
486: X pw = getpwuid(getuid());
487: X if (pw == NULL) {
488: X fprintf(stderr, "no user for uid %d\n", getuid());
489: X exit(1);
490: X }
491: X if (pw->pw_dir == NULL) {
492: X fprintf(stderr, "no directory\n");
493: X exit(1);
494: X }
1.8 beck 495: X
496: X#ifdef USE_SYSLOG
497: X openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
498: X#endif /* USE_SYSLOG */
499: X
500: X#ifdef ANONCVS_USER
501: X /*
502: X * I love lusers who have to test every setuid binary on my machine.
503: X */
504: X if (getuid() != 0 && (strcmp (pw->pw_name, ANONCVS_USER) != 0)) {
505: X fprintf(stderr, "You're not supposed to be running me!\n");
506: X#ifdef USE_SYSLOG
507: X syslog(LOG_NOTICE,
508: X "User %s(%d) invoked anoncvssh - Possible twink?",
509: X pw->pw_name, pw->pw_uid);
510: X#endif /* USE_SYSLOG */
511: X exit(1);
512: X }
513: X#endif /* ANONCVS_USER */
514: X
515: X
1.11 millert 516: X setuid(0);
1.1 deraadt 517: X if (chroot(pw->pw_dir) == -1) {
518: X perror("chroot");
519: X exit (1);
520: X }
521: X chdir("/");
1.11 millert 522: X setuid(pw->pw_uid);
1.1 deraadt 523: X
1.19 beck 524: X#if defined(OPENCVS_USER)
525: X if (!strcmp(pw->pw_name, OPENCVS_USER))
526: X opencvs = 1;
527: X else
528: X opencvs = 0;
529: X#endif
530: X
1.1 deraadt 531: X /*
532: X * program now "safe"
533: X */
1.6 deraadt 534: X
1.8 beck 535: X#ifdef PSERVER_SUPPORT
1.6 deraadt 536: X /* If we want pserver functionality */
1.8 beck 537: X if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
538: X#ifdef USE_SYSLOG
539: X int slen;
540: X struct sockaddr_in my_sa, peer_sa;
541: X char *us, *them;
1.19 beck 542: X
543: X#if defined(OPENCVS_USER)
544: X if (opencvs == 1) {
545: X fprintf(stderr, "OpenCVS does not support pserver\n");
546: X sleep(10);
547: X exit(1);
548: X }
549: X#endif
550: X
1.8 beck 551: X slen = sizeof(my_sa);
552: X if (getsockname(0, (struct sockaddr *) &my_sa, &slen)
553: X != 0) {
554: X perror("getsockname");
555: X exit(1);
556: X }
557: X us = strdup(inet_ntoa(my_sa.sin_addr));
558: X if (us == NULL) {
559: X fprintf(stderr, "malloc failed\n");
560: X exit(1);
561: X }
562: X slen = sizeof(peer_sa);
563: X if (getpeername(0, (struct sockaddr *) &peer_sa, &slen)
564: X != 0) {
565: X perror("getpeername");
566: X exit(1);
567: X }
568: X them=strdup(inet_ntoa(peer_sa.sin_addr));
569: X if (them == NULL) {
570: X fprintf(stderr, "malloc failed\n");
571: X exit(1);
572: X }
573: X syslog(LOG_PRIO,
574: X "pserver connection from %s:%d to %s:%d\n",
575: X them, ntohs(peer_sa.sin_port),
576: X us, ntohs(my_sa.sin_port));
577: X#endif /* USE_SYSLOG */
1.11 millert 578: X execle("/usr/bin/cvs", "cvs",
1.17 espie 579: X "--allow-root="LOCALROOT, "pserver", (char *)NULL, env);
1.6 deraadt 580: X perror("execle: cvs");
581: X fprintf(stderr, "unable to exec CVS pserver!\n");
582: X exit(1);
583: X /* NOTREACHED */
584: X }
1.8 beck 585: X#endif
1.1 deraadt 586: X
587: X if (argc != 3 ||
588: X strcmp("anoncvssh", argv[0]) != 0 ||
589: X strcmp("-c", argv[1]) != 0 ||
1.5 deraadt 590: X (strcmp("cvs server", argv[2]) != 0 &&
1.17 espie 591: X strcmp("cvs -d "LOCALROOT" server", argv[2]) != 0)) {
1.1 deraadt 592: X fprintf(stderr, "\nTo use anonymous CVS install the latest ");
593: X fprintf(stderr,"version of CVS on your local machine.\n");
594: X fprintf(stderr,"Then set your CVSROOT environment variable ");
595: X fprintf(stderr,"to the following value:\n");
1.19 beck 596: X#if defined(OPENCVS_USER)
597: X fprintf(stderr, "\t%s@%s:%s for OpenCVS\n", OPENCVS_USER,
598: X HOSTNAME, LOCALROOT);
599: X#endif
1.1 deraadt 600: X fprintf(stderr,"\t%s\n\n", CVSROOT);
1.5 deraadt 601: X#ifdef DEBUG
602: X fprintf(stderr, "argc = %d\n", argc);
603: X for (i = 0 ; i < argc ; i++)
604: X fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
605: X#endif /* DEBUG */
1.1 deraadt 606: X sleep(10);
607: X exit(0);
608: X }
1.19 beck 609: X
610: X#if defined(OPENCVS_USER)
611: X if (opencvs == 1) {
612: X execle("/usr/bin/opencvs", "opencvs",
613: X "server", (char *)NULL, env);
614: X } else {
615: X#endif
616: X execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
617: X#if defined(OPENCVS_USER)
618: X }
619: X#endif
620: X
1.4 deraadt 621: X perror("execle: cvs");
1.1 deraadt 622: X fprintf(stderr, "unable to exec CVS server!\n");
623: X exit(1);
1.5 deraadt 624: X /* NOTREACHED */
1.1 deraadt 625: X}
626: X
627: END-of-anoncvssh.c
628: exit
629: