Annotation of www/anoncvs.shar, Revision 1.24
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# Makefile
# README
# anoncvssh.c
#
echo x - Makefile
sed 's/^X//' >Makefile << 'END-of-Makefile'
X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
XPROG=	anoncvssh
XBINOWN=	root
XBINMODE=4111
XBINDIR=/open
XNOMAN=
X
X.include <bsd.prog.mk>
X
END-of-Makefile
echo x - README
sed 's/^X//' >README << 'END-of-README'
X
X So, you want to run an anoncvs server.
X
X A summary of the steps you'll need to do is:
X
X1) Find enough disk space to hold the anoncvs tree, and mount it in an
X   appropriate place.
X
X2) Compile and install anoncvssh, the shell used for the anoncvs user.
X   Install the cvsync client using the 'pkg_add cvsync' command.
X   (If you aren't using OpenBSD you'll probably need to compile a cvsync
X   client as well. The easier path is to use OpenBSD ;)
X
X3) Add the anoncvs user to the password file, with no password, and
X   anoncvssh as its shell. Decide on a user that will run cvsync to maintain
X   the archive (this is a different user, NOT the anoncvs user).
X
X4) Make a home directory for the anoncvs user. The anoncvs user's
X   home directory is a chroot jail in which the anoncvssh processes
X   run when servicing anoncvs requests. The jail must contain the
X   cvs binary as well as whatever shared libraries and support files
X   are needed to run it, unless you compile and link everything
X   statically. This example shows what is needed for OpenBSD. If you
X   use another platform you'll need to be familiar with what needs
X   to go in a chroot jail for your platform.
X
X5) Get permission to use cvsync to obtain the cvs tree from a server.
X
X6) Set up cvsync to retrieve the cvs tree from an appropriate place.
X
X7) Run cvsync to retrieve the distribution from the server.
X
X8) Once you get the distribution in, set up a cron job to run cvsync
X   periodically to keep your server up to date.
X
X**********************************************************************
XSTEP 1) Find enough disk space.
X You need roughly 2GB.
X Mount it on /open, and make sure it is not mounted with the nosuid or
X nodev flags (anoncvssh is installed setuid root there, and the jail
X needs a working dev/null).
X If you are not able to mount it as /open, substitute its location
X throughout the rest of this description.
X
X**********************************************************************
XSTEP 2) Compile the anoncvssh binary.
X In the Makefile, change the variable CVSROOT.
X Install the binary setuid-root in /open/anoncvssh.
X
X**********************************************************************
XSTEP 3) Create the anoncvs account and decide who will run "cvsync"
X to maintain the archive. The anoncvs account should *NOT* be the one
X running cvsync to maintain the archive.
X
XCreate an account similar to:
X
X anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
X
XYes, that is right - the account has no password. Be sure that the
Xuid and gid are unique for your system; if the ones above aren't,
Xpick different values.
X
XDecide who will run cvsync to maintain the archive. Call that user
X$CVSYNCUSER. Oh, and in case it hasn't been previously mentioned,
X$CVSYNCUSER should *NOT* be the anoncvs user :).
X
XAdd the following to the end of your /etc/ssh/sshd_config and restart
Xyour sshd daemon:
X
XMatch User anoncvs
X	PermitEmptyPasswords yes
X	AllowTcpForwarding no
X	AllowAgentForwarding no
X	X11Forwarding no
X
X**********************************************************************
XSTEP 4) Build the anoncvs user's home directory chroot jail. This
X example assumes that you're using OpenBSD. If you're not you
X may need different files in the chroot.
X
Xmkdir /open/anoncvs
Xmkdir /open/anoncvs/cvs
Xchown -R $CVSYNCUSER /open/anoncvs/cvs /open/anoncvs
X
XStart filling the account up with nice stuff. You are building a chroot
Xjail for anoncvs in /open/anoncvs.
X
X	cd /open/anoncvs
X	touch .hushlogin
X	touch .profile
X
XPut a message like the following in .plan:
X	To use anonymous CVS install the latest version of CVS on your local
X	machine.
X	Then set your CVSROOT environment variable to the following value:
X		anoncvs@anoncvs.openbsd.org:/cvs
X
X	mkdir bin dev tmp usr var etc
X	cp /bin/{cat,pwd,rm,sh} bin/
X
XUsing mknod, make a dev/null that has the same major/minor numbers as
X your /dev/null, and make it mode 666.
X
XSome shared library systems require a dev/zero created in the same way.
X
XFill etc space for the account:
X	cp /etc/{group,hosts,passwd,protocols} etc/
X	cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
X	Modify these files to suit your idea of system security.
X
Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses
Xa tiny extension provided in the OpenBSD cvs server code which
Xpermits the use of read-only cvs repositories; therefore you MUST
Xcompile the OpenBSD version of cvs. Luckily this is not a problem
Xon a non-OpenBSD machine, since the cvs sources are imported verbatim
Xinto the OpenBSD tree. They are in gnu/usr.bin/cvs. The sources
Xare integrated in such a way that Makefile.bsd-wrapper knows how to build
Xthe sources on an OpenBSD machine, using obj directories.
X
XCreate tmp space for the account:
X	# (cd var && ln -s ../tmp tmp)
X	# chmod a+rwx tmp
X
X	# mkdir usr/{bin,lib}
X	# cp /usr/bin/cvs usr/bin/
X
XIf your system has ld.so in /usr/libexec:
X	# mkdir usr/libexec
X	# cp /usr/libexec/ld.so usr/libexec/
X
XIf using shared libraries, use ldd to find out which shared libs you need:
X	# ldd /usr/bin/cvs
X	/usr/bin/cvs:
X	        Start    End      Type Open Ref GrpRef Name
X	        1c000000 3c01f000 exe  1    0   0      /usr/bin/cvs
X	        0f802000 2f80a000 rlib 0    1   0      /usr/lib/libz.so.4.1
X	        020f3000 220f8000 rlib 0    1   0      /usr/lib/libgssapi.so.5.0
X	        0530c000 2531c000 rlib 0    1   0      /usr/lib/libkrb5.so.17.0
X	        03801000 23841000 rlib 0    1   0      /usr/lib/libcrypto.so.18.0
X	        0a8fb000 2a900000 rlib 0    1   0      /usr/lib/libdes.so.9.0
X	        094d2000 2950b000 rlib 0    1   0      /usr/lib/libc.so.51.0
X	        094ca000 094ca000 rtld 0    1   0      /usr/libexec/ld.so
X
X and then copy the required libraries to usr/lib/.
X
XAs a final pass, make sure that all the files you have just created are
Xnot world writable (except dev/null).
X
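The library-copying and final-pass checks of this step, as an added shell example that is not part of anoncvs.shar or of the OpenBSD project's own scripts: ldd_deps parses the OpenBSD ldd(1) output format shown above (Start/End/Type/Open/Ref/GrpRef/Name columns; other platforms print a different format), copy_paths installs each listed object into the jail at the same relative path with write permission removed, and audit_jail reports world-writable entries other than dev/null, dev/zero and the tmp tree. The sample ldd output embedded in the block is constructed from the listing above; the jail root, script name and the decision to skip the cvs repository tree during the audit are assumptions.

```sh
#!/bin/sh
# Added example, not part of anoncvs.shar: helpers for populating and
# checking the anoncvs chroot jail. Assumes OpenBSD ldd(1) output.

# Print the pathname of every rlib (shared library) and rtld (ld.so)
# entry from ldd(1) output on stdin. The "exe" line is the binary
# itself, the first line is "<binary>:" and the header line has
# "Type" in column 3, so all three fail the type test and are skipped.
ldd_deps() {
    awk '$3 == "rlib" || $3 == "rtld" { print $NF }'
}

# Copy each absolute pathname read from stdin into the jail $1 at the
# same relative location, creating parent directories as needed and
# removing write permission from the copy (ld.so keeps its exec bit).
copy_paths() {
    jail=$1
    while read -r src; do
        [ -n "$src" ] || continue
        dst=$jail$src
        mkdir -p "$(dirname "$dst")"
        cp -p "$src" "$dst"
        chmod a-w "$dst"
    done
}

# Copy everything binary $2 needs into jail $1. Only meaningful on a
# machine whose ldd(1) prints the OpenBSD format parsed by ldd_deps.
copy_deps() {
    ldd "$2" | ldd_deps | copy_paths "$1"
}

# Final pass: list world-writable entries in the jail. dev/null and
# dev/zero are expected to be 0666 and tmp is expected to be 1777 with
# client scratch directories below it, so those are skipped, as is the
# cvs repository tree (assumption: it is owned by $CVSYNCUSER and large).
# Symlinks (var/tmp -> ../tmp) are skipped because their mode is not
# meaningful.
audit_jail() {
    jail=$1
    find "$jail" \( -path "$jail/tmp" -o -path "$jail/cvs" \) -prune -o \
        -perm -002 ! -type l \
        ! -path "$jail/dev/null" ! -path "$jail/dev/zero" -print
}

# Constructed sample of OpenBSD ldd(1) output, copied from the README.
SAMPLE_LDD='/usr/bin/cvs:
        Start    End      Type Open Ref GrpRef Name
        1c000000 3c01f000 exe  1    0   0      /usr/bin/cvs
        0f802000 2f80a000 rlib 0    1   0      /usr/lib/libz.so.4.1
        020f3000 220f8000 rlib 0    1   0      /usr/lib/libgssapi.so.5.0
        0530c000 2531c000 rlib 0    1   0      /usr/lib/libkrb5.so.17.0
        03801000 23841000 rlib 0    1   0      /usr/lib/libcrypto.so.18.0
        0a8fb000 2a900000 rlib 0    1   0      /usr/lib/libdes.so.9.0
        094d2000 2950b000 rlib 0    1   0      /usr/lib/libc.so.51.0
        094ca000 094ca000 rtld 0    1   0      /usr/libexec/ld.so'

# Show which objects the sample says must go into the jail.
sample_deps() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_deps
}

# Usage (assumed script name): sh jail-helpers.sh /open/anoncvs /usr/bin/cvs
if [ $# -eq 2 ]; then
    copy_deps "$1" "$2"
    audit_jail "$1"
fi
```

Run it as root from outside the jail after the bin, dev, etc and tmp pieces above are in place; an empty audit_jail listing means nothing except the expected device nodes and tmp is writable by the anoncvs user.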
XFor :pserver: support (optional)
X - Create an entry in /etc/services:
X	cvspserver	2401/tcp	# CVS client/server operations
X - Create an entry in /etc/inetd.conf:
X	cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry:
X	anoncvs:AHDysQkJIubEc
X   which would be a password of "anoncvs" (as per anoncvs.html).
X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
X	anoncvs
X   which tells cvs that user "anoncvs" is allowed readonly access.
X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
X   want anyone to be able to write to the mirror.
X	% cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
X
XSee the example layout below for full details.
X
X**********************************************************************
XSTEP 5) Get cvsync permission.
XSend mail to sup@openbsd.org:
X1) to have cvsync permissions granted on an appropriate machine for you
X   to cvsync from. We will need to know your host's real hostname and
X   IP address.
X2) to have an anoncvsN.COUNTRY.openbsd.org alias created.
X3) to have your site mentioned in the http://www.openbsd.org/anoncvs.html page.
X
X**********************************************************************
XSTEP 6) Configure cvsync.
X
XYou have to install the cvsync package.
X
XThe file /etc/cvsync.conf contains the configuration of cvsync. It will
Xnormally contain:
X
Xconfig {
X	base-prefix /open/anoncvs/
X	hostname anoncvs.ca.openbsd.org
X	collection {
X		name openbsd-cvsroot release rcs
X		prefix cvs
X	}
X	collection {
X		name openbsd-src release rcs
X		prefix cvs
X	}
X	collection {
X		name openbsd-ports release rcs
X		prefix cvs
X	}
X	collection {
X		name openbsd-www release rcs
X		prefix cvs
X	}
X	collection {
X		name openbsd-xenocara release rcs
X		prefix cvs
X	}
X}
X
X**********************************************************************
XSTEP 7) Run cvsync to retrieve the tree for the first time.
X
XLog in as or become the $CVSYNCUSER, and run
X
Xcvsync > /tmp/cvsynclog & tail -f /tmp/cvsynclog
X
XIf you have cvsync permission, and have specified the correct host and
Xprefix in /etc/cvsync.conf, you should see a list of files start
Xcoming in after a short while. Don't panic if nothing happens
Ximmediately. Watch for errors (cvsync can time out or die). If you can't
Xaccess files, contact the cvsync server maintainer. If you get a timeout
Xor if cvsync dies, you can restart it and it should continue where it
Xleft off.
X
XIt can take a good while (and a couple of restarts) to obtain the
Xwhole tree for the first time.
X
X**********************************************************************
XSTEP 8) Set up cron to keep the tree up to date.
X
XRun cvsync periodically from cron by setting up the crontab file
Xof the $CVSYNCUSER.
X
XFor example, to update every two hours:
X
X15 */2 * * * /usr/local/bin/cvsync > /dev/null
X
258: X**********************************************************************
1.19 beck 259: X
1.7 beck 260: XEXAMPLE LAYOUT
261: X
1.22 landry 262: XExample layout for OpenBSD. In this example "deraadt" is the $CVSYNCUSER.
1.3 deraadt 263: X
1.22 landry 264: X$ cd /open
265: X$ ls -alF
266: Xtotal 64
267: Xdrwxr-xr-x 5 root wheel 512 Jun 18 22:29 ./
268: Xdrwxr-xr-x 13 root wheel 512 Jun 4 05:14 ../
269: Xdrwxr-xr-x 9 deraadt wheel 512 Jun 3 02:15 anoncvs/
270: X---s--x--x 1 root wheel 14302 Jun 18 22:29 anoncvssh*
271: Xdrwxr-xr-x 4 root wheel 5120 Jun 10 14:34 ftp/
272: X
273: X$ cd anoncvs
274: X$ ls -alF
275: Xtotal 68
276: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ./
277: Xdrwxr-xr-x 5 root wheel 512 Jun 10 14:32 ../
278: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .hushlogin
279: X-rw-r--r-- 1 root wheel 84 Jun 3 01:50 .plan
280: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .profile
281: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 bin/
282: Xdrwxr-xr-x 7 deraadt wheel 512 Jun 18 22:19 cvs/
283: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 dev/
284: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 etc/
285: Xdrwxrwxrwx 10 root wheel 512 Jun 18 17:38 tmp/
286: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 usr/
287: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:54 var/
288: X$ ls -alFR bin usr tmp etc dev
1.3 deraadt 289: Xbin:
1.22 landry 290: Xtotal 1984
291: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 ./
292: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
293: X-r-xr-xr-x 1 root wheel 132368 Jun 3 01:40 cat*
294: X-r-xr-xr-x 1 root wheel 124176 Jun 3 01:40 pwd*
295: X-r-xr-xr-x 1 root wheel 238864 Jun 3 01:40 rm*
296: X-r-xr-xr-x 1 root wheel 460048 Jun 3 01:40 sh*
297: X
1.3 deraadt 298: Xdev:
1.22 landry 299: Xtotal 8
300: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 ./
301: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
302: Xcrw-rw-rw- 1 root wheel 3, 2 Jun 3 01:51 null
303: Xcrw-rw-rw- 1 root wheel 3, 12 Jun 3 01:51 zero
304: X
1.3 deraadt 305: Xetc:
1.22 landry 306: Xtotal 188
307: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 ./
308: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
309: X-r--r--r-- 1 root wheel 64 Jun 3 01:52 group*
310: X-r--r--r-- 1 root wheel 576 Jun 3 01:52 hosts*
311: X-r--r--r-- 1 root wheel 291 Jun 3 01:53 passwd*
312: X-r--r--r-- 1 root wheel 5625 Jun 3 01:52 protocols*
313: X-r--r--r-- 1 root wheel 40960 Jun 3 01:52 pwd.db*
314: X-r--r--r-- 1 root wheel 93 Jun 3 01:52 resolv.conf*
315: X-r--r--r-- 1 root wheel 9875 Jun 3 01:52 services*
316: X-r--r--r-- 1 root wheel 26428 Jun 3 01:52 ttys*
1.3 deraadt 317: X
318: Xusr:
1.22 landry 319: Xtotal 20
320: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ./
321: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
322: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 bin/
323: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 lib/
324: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 libexec/
1.3 deraadt 325: X
326: Xusr/bin:
1.22 landry 327: Xtotal 3016
328: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 ./
329: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
330: X-r-xr-xr-x 1 root wheel 643728 Jun 3 01:54 cvs*
1.3 deraadt 331: X
332: Xusr/lib:
1.22 landry 333: Xtotal 42344
334: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./
335: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
336: X-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.50.1
337: X-r--r--r-- 1 root wheel 9659802 Jun 3 01:56 libcrypto.so.18.0
338: X-r--r--r-- 1 root wheel 190814 Jun 3 01:56 libdes.so.9.0
339: X-r--r--r-- 1 root wheel 1593303 Jun 3 01:55 libgssapi.so.5.0
340: X-r--r--r-- 1 root wheel 5337583 Jun 3 01:56 libkrb5.so.16.0
341: X-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.4.1
1.3 deraadt 342: X
343: Xusr/libexec:
1.22 landry 344: Xtotal 120
345: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 ./
346: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
347: X-r-xr-xr-x 1 root wheel 55683 Jun 3 01:55 ld.so*
348: X$ ls cvs
349: XCVSROOT ports src www xenocara
350: X
1.1 deraadt 351: END-of-README
echo x - anoncvssh.c
sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
X/*
X * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
X * Copyright (c) 1997 Bob Beck <beck@obtuse.com>
X * Copyright (c) 1996 Thorsten Lockert <tholo@sigmasoft.com>
X *
X * Permission to use, copy, modify, and distribute this software for any
X * purpose with or without fee is hereby granted, provided that the above
X * copyright notice and this permission notice appear in all copies.
X *
X * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
X * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
X * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
X * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
X * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
X * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
X * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
X */
X
X#include <stdio.h>
X#include <stdlib.h>
X#include <string.h>
X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
X#include <paths.h>
X#endif
X#include <pwd.h>
X#include <unistd.h>
X#include <sys/types.h>
X
X#ifndef __P
X#if defined(__STDC__) || defined(__cplusplus)
X#define __P(protos) protos		/* full-blown ANSI C */
X#else
X#define __P(protos) ()			/* traditional C preprocessor */
X#endif
X#endif
X
X/*
X * You may need to change this path to ensure that RCS, CVS and diff
X * can be found
X */
X#ifndef _PATH_DEFPATH
X#define _PATH_DEFPATH "/bin:/usr/bin"
X#endif
X
X/*
X * This should not normally have to be changed
X */
X#ifndef _PATH_BSHELL
X#define _PATH_BSHELL "/bin/sh"
X#endif
X
X/*
X * Location of CVS tree, relative to the anonymous CVS user's
X * home directory
X */
X#ifndef LOCALROOT
X#define LOCALROOT "/cvs"
X#endif
X
X/*
X * Hostname to be used when accessing the remote repository.
X */
X#ifndef HOSTNAME
X#define HOSTNAME "anoncvs1.usa.openbsd.org"
X#endif
X
X/*
X * Username to be used when accessing the remote repository.
X */
X#ifndef USERNAME
X#define USERNAME "anoncvs"
X#endif
X
X/*
X * $CVSROOT is created based on USERNAME, HOSTNAME and LOCALROOT above
X */
X#ifndef CVSROOT
X#define CVSROOT USERNAME "@" HOSTNAME ":" LOCALROOT
X#endif
X
X/*
X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
X * You may undefine this if you aren't going to be running pserver.
X */
X#ifndef PSERVER_SUPPORT
X#define PSERVER_SUPPORT
X#endif
X
X/*
X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
X * using syslog()
X */
X#define USE_SYSLOG
X
X#ifdef USE_SYSLOG
X#include <syslog.h>
X#include <netinet/in.h>
X#include <sys/socket.h>
X#include <arpa/inet.h>
X#define LOG_FACILITY LOG_DAEMON
X#define LOG_PRIO LOG_INFO
X#endif
X
X/*
X * Define ANONCVS_USER if you want anoncvssh to complain if invoked by
X * anyone other than root or ANONCVS_USER.
X */
X/* #define ANONCVS_USER USERNAME */
X
X/*
X * If you want to be able to run an alternate OpenCVS binary on your
X * anoncvs server, define OPENCVS_USER as the user who will invoke it.
X */
X#define OPENCVS_USER "opencvs"
X
Xint main __P((int, char *[]));
X
X/*
X * The environment handed to cvs: a fixed PATH and SHELL, CVSROOT pointing
X * at the repository inside the jail, and CVSREADONLYFS so the OpenBSD cvs
X * server treats the repository as read-only.
X */
Xchar * const env[] = {
X	"PATH=" _PATH_DEFPATH,
X	"SHELL=" _PATH_BSHELL,
X	"CVSROOT=" LOCALROOT,
X	"HOME=/",
X	"CVSREADONLYFS=1",
X	NULL
X};
X
Xint
Xmain(int argc, char *argv[])
X{
X	struct passwd *pw;
X#ifdef DEBUG
X	int i;
X#endif /* DEBUG */
X#if defined(OPENCVS_USER)
X	int opencvs;
X#endif
X
X	pw = getpwuid(getuid());
X	if (pw == NULL) {
X		fprintf(stderr, "no user for uid %d\n", (int)getuid());
X		exit(1);
X	}
X	if (pw->pw_dir == NULL) {
X		fprintf(stderr, "no directory\n");
X		exit(1);
X	}
X
X#ifdef USE_SYSLOG
X	openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
X#endif /* USE_SYSLOG */
X
X#ifdef ANONCVS_USER
X	/*
X	 * I love lusers who have to test every setuid binary on my machine.
X	 */
X	if (getuid() != 0 && (strcmp(pw->pw_name, ANONCVS_USER) != 0)) {
X		fprintf(stderr, "You're not supposed to be running me!\n");
X#ifdef USE_SYSLOG
X		syslog(LOG_NOTICE,
X		    "User %s(%d) invoked anoncvssh - Possible twink?",
X		    pw->pw_name, (int)pw->pw_uid);
X#endif /* USE_SYSLOG */
X		exit(1);
X	}
X#endif /* ANONCVS_USER */
X
X	/*
X	 * Enter the jail (the user's home directory), move into it, and
X	 * drop root for good. A failed chdir() would leave the working
X	 * directory outside the new root, and a failed setuid() would run
X	 * cvs as root, so neither is allowed to continue.
X	 */
X	setuid(0);
X	if (chroot(pw->pw_dir) == -1) {
X		perror("chroot");
X		exit(1);
X	}
X	if (chdir("/") == -1) {
X		perror("chdir");
X		exit(1);
X	}
X	if (setuid(pw->pw_uid) == -1) {
X		perror("setuid");
X		exit(1);
X	}
X
X#if defined(OPENCVS_USER)
X	if (!strcmp(pw->pw_name, OPENCVS_USER))
X		opencvs = 1;
X	else
X		opencvs = 0;
X#endif
X
X	/*
X	 * program now "safe"
X	 */
X
X#ifdef PSERVER_SUPPORT
X	/* If we want pserver functionality */
X	if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
X#ifdef USE_SYSLOG
X		socklen_t slen;
X		struct sockaddr_in my_sa, peer_sa;
X		char *us, *them;
X
X#if defined(OPENCVS_USER)
X		if (opencvs == 1) {
X			fprintf(stderr, "OpenCVS does not support pserver\n");
X			sleep(10);
X			exit(1);
X		}
X#endif
X
X		/* Stdin is the inetd socket; record both ends of the connection. */
X		slen = sizeof(my_sa);
X		if (getsockname(0, (struct sockaddr *) &my_sa, &slen)
X		    != 0) {
X			perror("getsockname");
X			exit(1);
X		}
X		us = strdup(inet_ntoa(my_sa.sin_addr));
X		if (us == NULL) {
X			fprintf(stderr, "malloc failed\n");
X			exit(1);
X		}
X		slen = sizeof(peer_sa);
X		if (getpeername(0, (struct sockaddr *) &peer_sa, &slen)
X		    != 0) {
X			perror("getpeername");
X			exit(1);
X		}
X		them = strdup(inet_ntoa(peer_sa.sin_addr));
X		if (them == NULL) {
X			fprintf(stderr, "malloc failed\n");
X			exit(1);
X		}
X		syslog(LOG_PRIO,
X		    "pserver connection from %s:%d to %s:%d\n",
X		    them, ntohs(peer_sa.sin_port),
X		    us, ntohs(my_sa.sin_port));
X#endif /* USE_SYSLOG */
X		execle("/usr/bin/cvs", "cvs",
X		    "--allow-root=" LOCALROOT, "pserver", (char *)NULL, env);
X		perror("execle: cvs");
X		fprintf(stderr, "unable to exec CVS pserver!\n");
X		exit(1);
X		/* NOTREACHED */
X	}
X#endif
X
X	/*
X	 * Only the exact command lines a cvs client sends over ssh for a
X	 * server session are accepted; anything else gets the usage text.
X	 */
X	if (argc != 3 ||
X	    strcmp("anoncvssh", argv[0]) != 0 ||
X	    strcmp("-c", argv[1]) != 0 ||
X	    (strcmp("cvs server", argv[2]) != 0 &&
X	    strcmp("cvs -d " LOCALROOT " server", argv[2]) != 0)) {
X		fprintf(stderr, "\nTo use anonymous CVS install the latest ");
X		fprintf(stderr, "version of CVS on your local machine.\n");
X		fprintf(stderr, "Then set your CVSROOT environment variable ");
X		fprintf(stderr, "to the following value:\n");
X#if defined(OPENCVS_USER)
X		fprintf(stderr, "\t%s@%s:%s for OpenCVS\n", OPENCVS_USER,
X		    HOSTNAME, LOCALROOT);
X#endif
X		fprintf(stderr, "\t%s\n\n", CVSROOT);
X#ifdef DEBUG
X		fprintf(stderr, "argc = %d\n", argc);
X		for (i = 0; i < argc; i++)
X			fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
X#endif /* DEBUG */
X		sleep(10);
X		exit(0);
X	}
X
X#if defined(OPENCVS_USER)
X	if (opencvs == 1) {
X		execle("/usr/bin/opencvs", "opencvs",
X		    "server", (char *)NULL, env);
X	} else {
X#endif
X		execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
X#if defined(OPENCVS_USER)
X	}
X#endif
X
X	perror("execle: cvs");
X	fprintf(stderr, "unable to exec CVS server!\n");
X	exit(1);
X	/* NOTREACHED */
X}
X
END-of-anoncvssh.c
exit