Annotation of www/anoncvs.shar, Revision 1.25
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
1.6 deraadt 8: # Makefile
1.1 deraadt 9: # README
10: # anoncvssh.c
11: #
1.6 deraadt 12: echo x - Makefile
13: sed 's/^X//' >Makefile << 'END-of-Makefile'
14: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
15: XPROG= anoncvssh
16: XBINOWN= root
17: XBINMODE=4111
18: XBINDIR=/open
19: XNOMAN=
20: X
21: X.include <bsd.prog.mk>
22: X
23: END-of-Makefile
1.1 deraadt 24: echo x - README
25: sed 's/^X//' >README << 'END-of-README'
26: X
1.16 millert 27: X So, you want to run an anoncvs server.
1.7 beck 28: X
29: X A summary of the steps you'll need to do is:
30: X
1.16 millert 31: X1) Find enough disk space to hold the anoncvs tree, and mount it in an
1.14 millert 32: X appropriate place.
1.7 beck 33: X
34: X2) Compile and install anoncvssh, the shell used for the anoncvs user.
1.22 landry 35: X Install the cvsync client using 'pkg_add cvsync' command.
36: X ( If you aren't using OpenBSD you'll probably need to compile a cvsync
1.16 millert 37: X client as well. The easier path is to use OpenBSD ;).
1.7 beck 38: X
39: X3) Add the anoncvs user to the password file, with no password, and
1.22 landry 40: X anoncvssh as it's shell. Decide on a user that will run cvsync to maintain
1.16 millert 41: X the archive (this is a different user, NOT the anoncvs user).
1.7 beck 42: X
1.14 millert 43: X4) Make a home directory for the anoncvs user. The anoncvs user's
44: X home directory is a chroot jail in which the anoncvssh processes
45: X run when servicing anoncvs requests. The jail must contain the
46: X cvs binary as well as whatever shared libraries and support files
47: X are needed to run them unless you compile and link everything
1.16 millert 48: X statically. This example shows what is needed for OpenBSD. If you
1.14 millert 49: X use another platform you'll need to be familiar with what needs
50: X to go in a chroot jail for your platform.
1.7 beck 51: X
1.22 landry 52: X5) Get permission to use cvsync to obtain the cvs tree from a server.
1.1 deraadt 53: X
1.22 landry 54: X6) Set up cvsync to retrieve the cvs tree from an appropriate place.
1.6 deraadt 55: X
1.22 landry 56: X7) Run cvsync to retrieve the distribution from the server.
1.3 deraadt 57: X
1.22 landry 58: X8) Once you get the distribution in, set up a cron job to run cvsync
1.7 beck 59: X periodically to keep your server up to date.
1.6 deraadt 60: X
1.7 beck 61: X**********************************************************************
62: XSTEP 1) find enough disk space.
1.25 ! sthen 63: X You need roughly 6GB.
1.21 landry 64: X Mount it on /open, make sure it doesn't have nosuid and nodev flags.
1.14 millert 65: X If you are not able to mount it as /open, substitute it's location
1.16 millert 66: X throughout the rest of this description.
1.6 deraadt 67: X
1.7 beck 68: X**********************************************************************
1.16 millert 69: XSTEP 2) compile the anoncvssh binary.
70: X In the Makefile, change the variable CVSROOT.
1.14 millert 71: X Install the binary setuid-root in /open/anoncvssh.
1.1 deraadt 72: X
1.7 beck 73: X**********************************************************************
1.22 landry 74: XSTEP 3) Create the anoncvs account and decide who will run "cvsync"
1.14 millert 75: X to maintain the archive. The anoncvs account should *NOT* be the one
1.22 landry 76: X running cvsync to maintain the archive.
1.1 deraadt 77: X
1.9 beck 78: Xcreate an account similar to:
79: X
1.18 millert 80: X anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
1.4 deraadt 81: X
1.16 millert 82: XYes, that is right - the account has no password. Be sure that the
1.14 millert 83: Xuid and gid are unique for your system, if the ones above aren't,
84: Xpick different values.
1.16 millert 85: X
1.22 landry 86: XDecide who will run cvsync to maintain the archive. Call that user
87: X$CVSYNCUSER. Oh, and in case it hasn't been previously mentioned,
88: X$CVSYNCUSER should *NOT* be the anoncvs user :).
1.16 millert 89: X
1.24 dtucker 90: XAdd the following to the end of your /etc/ssh/sshd_config and restart
91: Xyour sshd daemon:
92: X
93: XMatch User anoncvs
94: X PermitEmptyPasswords yes
95: X AllowTcpForwarding no
96: X AllowAgentForwarding no
97: X X11Forwarding no
1.7 beck 98: X
99: X**********************************************************************
1.14 millert 100: XSTEP 4) Build the anoncvs user's home directory chroot jail. This
101: X example assumes that you're using OpenBSD. If you're not you
102: X may need different files in the chroot.
1.4 deraadt 103: X
1.1 deraadt 104: Xmkdir /open/anoncvs
105: Xmkdir /open/anoncvs/cvs
1.22 landry 106: Xchown -R $CVSYNCUSER /open/anoncvs/cvs /open/anoncvs
1.1 deraadt 107: X
1.14 millert 108: XStart filling the account up with nice stuff. You are building a chroot
1.7 beck 109: Xjail for anoncvs in /open/anoncvs.
110: X
1.1 deraadt 111: X cd /open/anoncvs
112: X touch .hushlogin
113: X touch .profile
114: X
1.14 millert 115: XPut a message like the following in .plan:
1.16 millert 116: X To use anonymous CVS install the latest version of CVS on your local
1.6 deraadt 117: X machine.
1.1 deraadt 118: X Then set your CVSROOT environment variable to the following value:
119: X anoncvs@anoncvs.openbsd.org:/cvs
120: X
121: X mkdir bin dev tmp usr var etc
122: X cp /bin/{cat,pwd,rm,sh} bin/
123: X
1.14 millert 124: XUsing mknod, make a dev/null that has the same major/minor numbers as
1.1 deraadt 125: X your /dev/null, and make it mode 666.
126: X
1.16 millert 127: XSome shared library systems require a dev/zero created in the same way.
1.1 deraadt 128: X
1.14 millert 129: XFill etc space for the account
1.1 deraadt 130: X cp /etc/{group,hosts,passwd,protocols} etc/
131: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
132: X modify these files to suit your idea of system security
133: X
1.14 millert 134: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses
1.16 millert 135: Xa tiny extension provided in the openbsd cvs server code which
136: Xpermits the use of read-only cvs repositories, therefore you MUST
137: Xcompile the openbsd version of cvs. Luckily this is not a problem
138: Xon a non-openbsd machine, since the cvs sources are imported verbatim
139: Xinto the openbsd tree. They are in gnu/usr.bin/cvs. The sources
140: Xare integrated in such way that Makefile.bsd-wrapper knows how to build
1.14 millert 141: Xthe sources on an OpenBSD machine, using obj directories.
1.1 deraadt 142: X
1.14 millert 143: XCreate tmp space for the account
1.16 millert 144: X # (cd var && ln -s ../tmp tmp)
1.13 millert 145: X # chmod a+rwx tmp
1.1 deraadt 146: X
1.13 millert 147: X # mkdir usr/{bin,lib}
148: X # cp /usr/bin/cvs usr/bin/
1.1 deraadt 149: X
1.14 millert 150: XIf your system has ld.so in /usr/libexec,
1.13 millert 151: X # mkdir usr/libexec
152: X # cp /usr/libexec/ld.so usr/libexec/
1.1 deraadt 153: X
1.14 millert 154: XIf using shared libraries, use ldd to find out which shared libs you need:
1.13 millert 155: X # ldd /usr/bin/cvs
1.16 millert 156: X /usr/bin/cvs:
1.22 landry 157: X Start End Type Open Ref GrpRef Name
158: X 1c000000 3c01f000 exe 1 0 0 /usr/bin/cvs
1.25 ! sthen 159: X 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.5.0
! 160: X 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.84.2
1.22 landry 161: X 094ca000 094ca000 rtld 0 1 0 /usr/libexec/ld.so
1.13 millert 162: X
163: X and then copy the required libraries to usr/lib/
1.1 deraadt 164: X
1.14 millert 165: XAs a final pass, make sure that all the files you have just created are
166: Xnot world writable (except dev/null).
1.1 deraadt 167: X
1.7 beck 168: XFor :pserver: support (optional)
169: X - Create an entry in /etc/services
1.16 millert 170: X cvspserver 2401/tcp # CVS client/server operations
1.7 beck 171: X - Create an entry in /etc/inetd.conf
1.16 millert 172: X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
1.11 millert 173: X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
1.16 millert 174: X anoncvs:AHDysQkJIubEc
1.11 millert 175: X which would be a password of "anoncvs" (as per anoncvs.html)
176: X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
1.16 millert 177: X anoncvs
1.11 millert 178: X which tells cvs that user "anoncvs" is allowed readonly access.
179: X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
180: X want anyone to be able to write to the mirror.
1.16 millert 181: X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
1.7 beck 182: X
183: XSee the example layout below for full details.
184: X
185: X**********************************************************************
1.22 landry 186: XSTEP 5): Get cvsync permission.
1.7 beck 187: Xsend mail to sup@openbsd.org
1.22 landry 188: X1) to have cvsync permissions granted on an appropriate machine for you
189: X to cvsync from. We will need to know your host's real hostname and
1.10 beck 190: X IP address.
1.16 millert 191: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created.
1.22 landry 192: X3) to have your site mentioned in the http://www.openbsd.org/anoncvs.html page.
1.3 deraadt 193: X
1.7 beck 194: X**********************************************************************
1.22 landry 195: XSTEP 6): Configure cvsync.
196: X
197: XYou have to install cvsync package.
1.7 beck 198: X
1.22 landry 199: XThe file /etc/cvsync.conf contains the configuration of cvsync. It will
200: Xnormally contain:
1.7 beck 201: X
1.22 landry 202: Xconfig {
203: X base-prefix /open/anoncvs/
204: X hostname anoncvs.ca.openbsd.org
205: X collection {
206: X name openbsd-cvsroot release rcs
207: X prefix cvs
208: X }
209: X collection {
210: X name openbsd-src release rcs
211: X prefix cvs
212: X }
213: X collection {
214: X name openbsd-ports release rcs
215: X prefix cvs
216: X }
217: X collection {
218: X name openbsd-www release rcs
219: X prefix cvs
220: X }
221: X collection {
222: X name openbsd-xenocara release rcs
223: X prefix cvs
224: X }
225: X}
1.7 beck 226: X
227: X**********************************************************************
1.22 landry 228: XSTEP 7): Run cvsync to retrieve the tree for the first time.
1.7 beck 229: X
1.22 landry 230: XLog in as or become the $CVSYNCUSER, and run
1.7 beck 231: X
1.22 landry 232: Xcvsync > /tmp/cvsynclog &; tail -f /tmp/cvsynclog
1.7 beck 233: X
1.22 landry 234: XIf you have cvsync permission, and have specified the correct host and
235: Xprefix in /etc/cvsync.conf you should see a list of files start
1.7 beck 236: Xcoming in after a short while. Don't panic if nothing happens
1.22 landry 237: Ximmediately. Watch for errors (cvsync can timeout or die). If you can't
238: Xaccess files contact the cvsync server maintainer. If you get a timeout
239: Xor if cvsync dies you can restart and it should continue where it left off.
1.7 beck 240: X
241: XIt can take a good while (and a couple of restarts) to obtain the
242: Xwhole tree for the first time.
243: X
244: X**********************************************************************
245: XSTEP 8): Set up cron to keep the tree up to date.
246: X
1.22 landry 247: XYou run cvsync periodically from the cron by setting up the crontab file
248: Xof the $CVSYNCUSER.
1.7 beck 249: X
1.22 landry 250: XFor example, to update every two hours:
1.7 beck 251: X
1.22 landry 252: X15 */2 * * * /usr/local/bin/cvsync > /dev/null
1.7 beck 253: X
254: X**********************************************************************
1.19 beck 255: X
1.7 beck 256: XEXAMPLE LAYOUT
257: X
1.22 landry 258: XExample layout for OpenBSD. In this example "deraadt" is the $CVSYNCUSER.
1.3 deraadt 259: X
1.22 landry 260: X$ cd /open
261: X$ ls -alF
262: Xtotal 64
263: Xdrwxr-xr-x 5 root wheel 512 Jun 18 22:29 ./
264: Xdrwxr-xr-x 13 root wheel 512 Jun 4 05:14 ../
265: Xdrwxr-xr-x 9 deraadt wheel 512 Jun 3 02:15 anoncvs/
266: X---s--x--x 1 root wheel 14302 Jun 18 22:29 anoncvssh*
267: Xdrwxr-xr-x 4 root wheel 5120 Jun 10 14:34 ftp/
268: X
269: X$ cd anoncvs
270: X$ ls -alF
271: Xtotal 68
272: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ./
273: Xdrwxr-xr-x 5 root wheel 512 Jun 10 14:32 ../
274: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .hushlogin
275: X-rw-r--r-- 1 root wheel 84 Jun 3 01:50 .plan
276: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .profile
277: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 bin/
278: Xdrwxr-xr-x 7 deraadt wheel 512 Jun 18 22:19 cvs/
279: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 dev/
280: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 etc/
281: Xdrwxrwxrwx 10 root wheel 512 Jun 18 17:38 tmp/
282: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 usr/
283: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:54 var/
284: X$ ls -alFR bin usr tmp etc dev
1.3 deraadt 285: Xbin:
1.22 landry 286: Xtotal 1984
287: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 ./
288: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
289: X-r-xr-xr-x 1 root wheel 132368 Jun 3 01:40 cat*
290: X-r-xr-xr-x 1 root wheel 124176 Jun 3 01:40 pwd*
291: X-r-xr-xr-x 1 root wheel 238864 Jun 3 01:40 rm*
292: X-r-xr-xr-x 1 root wheel 460048 Jun 3 01:40 sh*
293: X
1.3 deraadt 294: Xdev:
1.22 landry 295: Xtotal 8
296: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 ./
297: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
298: Xcrw-rw-rw- 1 root wheel 3, 2 Jun 3 01:51 null
299: Xcrw-rw-rw- 1 root wheel 3, 12 Jun 3 01:51 zero
300: X
1.3 deraadt 301: Xetc:
1.22 landry 302: Xtotal 188
303: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 ./
304: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
305: X-r--r--r-- 1 root wheel 64 Jun 3 01:52 group*
306: X-r--r--r-- 1 root wheel 576 Jun 3 01:52 hosts*
307: X-r--r--r-- 1 root wheel 291 Jun 3 01:53 passwd*
308: X-r--r--r-- 1 root wheel 5625 Jun 3 01:52 protocols*
309: X-r--r--r-- 1 root wheel 40960 Jun 3 01:52 pwd.db*
310: X-r--r--r-- 1 root wheel 93 Jun 3 01:52 resolv.conf*
311: X-r--r--r-- 1 root wheel 9875 Jun 3 01:52 services*
312: X-r--r--r-- 1 root wheel 26428 Jun 3 01:52 ttys*
1.3 deraadt 313: X
314: Xusr:
1.22 landry 315: Xtotal 20
316: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ./
317: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
318: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 bin/
319: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 lib/
320: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 libexec/
1.3 deraadt 321: X
322: Xusr/bin:
1.22 landry 323: Xtotal 3016
324: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 ./
325: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
326: X-r-xr-xr-x 1 root wheel 643728 Jun 3 01:54 cvs*
1.3 deraadt 327: X
328: Xusr/lib:
1.22 landry 329: Xtotal 42344
330: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./
331: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
332: X-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.50.1
333: X-r--r--r-- 1 root wheel 9659802 Jun 3 01:56 libcrypto.so.18.0
334: X-r--r--r-- 1 root wheel 190814 Jun 3 01:56 libdes.so.9.0
335: X-r--r--r-- 1 root wheel 1593303 Jun 3 01:55 libgssapi.so.5.0
336: X-r--r--r-- 1 root wheel 5337583 Jun 3 01:56 libkrb5.so.16.0
337: X-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.4.1
1.3 deraadt 338: X
339: Xusr/libexec:
1.22 landry 340: Xtotal 120
341: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 ./
342: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
343: X-r-xr-xr-x 1 root wheel 55683 Jun 3 01:55 ld.so*
344: X$ ls cvs
345: XCVSROOT ports src www xenocara
346: X
1.1 deraadt 347: END-of-README
348: echo x - anoncvssh.c
349: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
350: X/*
1.15 millert 351: X * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
352: X * Copyright (c) 1997 Bob Beck <beck@obtuse.com>
353: X * Copyright (c) 1996 Thorsten Lockert <tholo@sigmasoft.com>
354: X *
355: X * Permission to use, copy, modify, and distribute this software for any
356: X * purpose with or without fee is hereby granted, provided that the above
357: X * copyright notice and this permission notice appear in all copies.
358: X *
359: X * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
360: X * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
361: X * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
362: X * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
363: X * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
364: X * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
365: X * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.1 deraadt 366: X */
367: X
1.4 deraadt 368: X#include <stdio.h>
369: X#include <stdlib.h>
370: X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
371: X#include <paths.h>
372: X#endif
373: X#include <pwd.h>
374: X#include <unistd.h>
375: X#include <sys/types.h>
376: X
377: X#ifndef __P
378: X#if defined(__STDC__) || defined(__cplusplus)
379: X#define __P(protos) protos /* full-blown ANSI C */
380: X#else
381: X#define __P(protos) () /* traditional C preprocessor */
382: X#endif
383: X#endif
384: X
385: X/*
386: X * You may need to change this path to ensure that RCS, CVS and diff
387: X * can be found
388: X */
389: X#ifndef _PATH_DEFPATH
390: X#define _PATH_DEFPATH "/bin:/usr/bin"
391: X#endif
392: X
393: X/*
394: X * This should not normally have to be changed
395: X */
396: X#ifndef _PATH_BSHELL
397: X#define _PATH_BSHELL "/bin/sh"
398: X#endif
399: X
400: X/*
401: X * Location of CVS tree, relative to the anonymous CVS user's
402: X * home directory
403: X */
404: X#ifndef LOCALROOT
405: X#define LOCALROOT "/cvs"
406: X#endif
407: X
408: X/*
1.19 beck 409: X * Hostname to be used when accessing the remote repository.
1.4 deraadt 410: X */
411: X#ifndef HOSTNAME
1.19 beck 412: X#define HOSTNAME "anoncvs1.usa.openbsd.org"
413: X#endif
414: X
415: X/*
416: X * Username to be used when accessing the remote repository.
417: X */
418: X#ifndef USERNAME
419: X#define USERNAME "anoncvs"
1.4 deraadt 420: X#endif
421: X
422: X/*
1.19 beck 423: X * $CVSROOT is created based on USERNAME HOSTNAME and LOCALROOT above
1.4 deraadt 424: X */
1.1 deraadt 425: X#ifndef CVSROOT
1.19 beck 426: X#define CVSROOT USERNAME "@" HOSTNAME ":"LOCALROOT
1.1 deraadt 427: X#endif
428: X
1.8 beck 429: X/*
430: X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
431: X * You may undefine this if you aren't going to be running pserver.
432: X */
433: X#ifndef PSERVER_SUPPORT
434: X#define PSERVER_SUPPORT
435: X#endif
436: X
437: X/*
438: X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
439: X * using syslog()
440: X */
441: X#define USE_SYSLOG
442: X
443: X#ifdef USE_SYSLOG
444: X#include <string.h>
445: X#include <syslog.h>
446: X#include <netinet/in.h>
447: X#include <sys/socket.h>
448: X#include <arpa/inet.h>
449: X#define LOG_FACILITY LOG_DAEMON
450: X#define LOG_PRIO LOG_INFO
451: X#endif
452: X
453: X/* Define ANONCVS_USER if you want anoncvssh to complain if invoked by
454: X * anyone other than root or ANONCVS_USER.
455: X */
1.19 beck 456: X/* #define ANONCVS_USER USERNAME */
457: X
458: X/*
459: X * If you want to be able to run an alternate OpenCVS binary on your
460: X * anoncvs server, define OPENCVS_USER as the user who will invoke it.
461: X */
462: X#define OPENCVS_USER "opencvs"
1.8 beck 463: X
1.4 deraadt 464: Xint main __P((int, char *[]));
465: X
466: Xchar * const env[] = {
1.17 espie 467: X "PATH="_PATH_DEFPATH,
468: X "SHELL="_PATH_BSHELL,
469: X "CVSROOT="LOCALROOT,
1.4 deraadt 470: X "HOME=/",
471: X "CVSREADONLYFS=1",
472: X NULL
473: X};
1.1 deraadt 474: X
475: Xint
476: Xmain(argc, argv)
477: Xint argc;
478: Xchar *argv[];
479: X{
480: X struct passwd *pw;
1.5 deraadt 481: X#ifdef DEBUG
482: X int i;
483: X#endif /* DEBUG */
1.19 beck 484: X#if defined(OPENCVS_USER)
485: X int opencvs;
486: X#endif
1.1 deraadt 487: X
488: X pw = getpwuid(getuid());
489: X if (pw == NULL) {
490: X fprintf(stderr, "no user for uid %d\n", getuid());
491: X exit(1);
492: X }
493: X if (pw->pw_dir == NULL) {
494: X fprintf(stderr, "no directory\n");
495: X exit(1);
496: X }
1.8 beck 497: X
498: X#ifdef USE_SYSLOG
499: X openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
500: X#endif /* USE_SYSLOG */
501: X
502: X#ifdef ANONCVS_USER
503: X /*
504: X * I love lusers who have to test every setuid binary on my machine.
505: X */
506: X if (getuid() != 0 && (strcmp (pw->pw_name, ANONCVS_USER) != 0)) {
507: X fprintf(stderr, "You're not supposed to be running me!\n");
508: X#ifdef USE_SYSLOG
509: X syslog(LOG_NOTICE,
510: X "User %s(%d) invoked anoncvssh - Possible twink?",
511: X pw->pw_name, pw->pw_uid);
512: X#endif /* USE_SYSLOG */
513: X exit(1);
514: X }
515: X#endif /* ANONCVS_USER */
516: X
517: X
1.11 millert 518: X setuid(0);
1.1 deraadt 519: X if (chroot(pw->pw_dir) == -1) {
520: X perror("chroot");
521: X exit (1);
522: X }
523: X chdir("/");
1.11 millert 524: X setuid(pw->pw_uid);
1.1 deraadt 525: X
1.19 beck 526: X#if defined(OPENCVS_USER)
527: X if (!strcmp(pw->pw_name, OPENCVS_USER))
528: X opencvs = 1;
529: X else
530: X opencvs = 0;
531: X#endif
532: X
1.1 deraadt 533: X /*
534: X * program now "safe"
535: X */
1.6 deraadt 536: X
1.8 beck 537: X#ifdef PSERVER_SUPPORT
1.6 deraadt 538: X /* If we want pserver functionality */
1.8 beck 539: X if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
540: X#ifdef USE_SYSLOG
541: X int slen;
542: X struct sockaddr_in my_sa, peer_sa;
543: X char *us, *them;
1.19 beck 544: X
545: X#if defined(OPENCVS_USER)
546: X if (opencvs == 1) {
547: X fprintf(stderr, "OpenCVS does not support pserver\n");
548: X sleep(10);
549: X exit(1);
550: X }
551: X#endif
552: X
1.8 beck 553: X slen = sizeof(my_sa);
554: X if (getsockname(0, (struct sockaddr *) &my_sa, &slen)
555: X != 0) {
556: X perror("getsockname");
557: X exit(1);
558: X }
559: X us = strdup(inet_ntoa(my_sa.sin_addr));
560: X if (us == NULL) {
561: X fprintf(stderr, "malloc failed\n");
562: X exit(1);
563: X }
564: X slen = sizeof(peer_sa);
565: X if (getpeername(0, (struct sockaddr *) &peer_sa, &slen)
566: X != 0) {
567: X perror("getpeername");
568: X exit(1);
569: X }
570: X them=strdup(inet_ntoa(peer_sa.sin_addr));
571: X if (them == NULL) {
572: X fprintf(stderr, "malloc failed\n");
573: X exit(1);
574: X }
575: X syslog(LOG_PRIO,
576: X "pserver connection from %s:%d to %s:%d\n",
577: X them, ntohs(peer_sa.sin_port),
578: X us, ntohs(my_sa.sin_port));
579: X#endif /* USE_SYSLOG */
1.11 millert 580: X execle("/usr/bin/cvs", "cvs",
1.17 espie 581: X "--allow-root="LOCALROOT, "pserver", (char *)NULL, env);
1.6 deraadt 582: X perror("execle: cvs");
583: X fprintf(stderr, "unable to exec CVS pserver!\n");
584: X exit(1);
585: X /* NOTREACHED */
586: X }
1.8 beck 587: X#endif
1.1 deraadt 588: X
589: X if (argc != 3 ||
590: X strcmp("anoncvssh", argv[0]) != 0 ||
591: X strcmp("-c", argv[1]) != 0 ||
1.5 deraadt 592: X (strcmp("cvs server", argv[2]) != 0 &&
1.17 espie 593: X strcmp("cvs -d "LOCALROOT" server", argv[2]) != 0)) {
1.1 deraadt 594: X fprintf(stderr, "\nTo use anonymous CVS install the latest ");
595: X fprintf(stderr,"version of CVS on your local machine.\n");
596: X fprintf(stderr,"Then set your CVSROOT environment variable ");
597: X fprintf(stderr,"to the following value:\n");
1.19 beck 598: X#if defined(OPENCVS_USER)
599: X fprintf(stderr, "\t%s@%s:%s for OpenCVS\n", OPENCVS_USER,
600: X HOSTNAME, LOCALROOT);
601: X#endif
1.1 deraadt 602: X fprintf(stderr,"\t%s\n\n", CVSROOT);
1.5 deraadt 603: X#ifdef DEBUG
604: X fprintf(stderr, "argc = %d\n", argc);
605: X for (i = 0 ; i < argc ; i++)
606: X fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
607: X#endif /* DEBUG */
1.1 deraadt 608: X sleep(10);
609: X exit(0);
610: X }
1.19 beck 611: X
612: X#if defined(OPENCVS_USER)
613: X if (opencvs == 1) {
614: X execle("/usr/bin/opencvs", "opencvs",
615: X "server", (char *)NULL, env);
616: X } else {
617: X#endif
618: X execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
619: X#if defined(OPENCVS_USER)
620: X }
621: X#endif
622: X
1.4 deraadt 623: X perror("execle: cvs");
1.1 deraadt 624: X fprintf(stderr, "unable to exec CVS server!\n");
625: X exit(1);
1.5 deraadt 626: X /* NOTREACHED */
1.1 deraadt 627: X}
628: X
629: END-of-anoncvssh.c
630: exit
631: