Annotation of www/anoncvs.shar, Revision 1.26
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
1.6 deraadt 8: # Makefile
1.1 deraadt 9: # README
10: # anoncvssh.c
11: #
1.6 deraadt 12: echo x - Makefile
13: sed 's/^X//' >Makefile << 'END-of-Makefile'
14: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
15: XPROG= anoncvssh
16: XBINOWN= root
17: XBINMODE=4111
18: XBINDIR=/open
19: XNOMAN=
20: X
21: X.include <bsd.prog.mk>
22: X
23: END-of-Makefile
1.1 deraadt 24: echo x - README
25: sed 's/^X//' >README << 'END-of-README'
26: X
1.16 millert 27: X So, you want to run an anoncvs server.
1.7 beck 28: X
29: X A summary of the steps you'll need to do is:
30: X
1.16 millert 31: X1) Find enough disk space to hold the anoncvs tree, and mount it in an
1.14 millert 32: X appropriate place.
1.7 beck 33: X
34: X2) Compile and install anoncvssh, the shell used for the anoncvs user.
1.22 landry 35: X Install the cvsync client using 'pkg_add cvsync' command.
36: X ( If you aren't using OpenBSD you'll probably need to compile a cvsync
1.16 millert 37: X client as well. The easier path is to use OpenBSD ;).
1.7 beck 38: X
39: X3) Add the anoncvs user to the password file, with no password, and
1.22 landry 40: X anoncvssh as it's shell. Decide on a user that will run cvsync to maintain
1.16 millert 41: X the archive (this is a different user, NOT the anoncvs user).
1.7 beck 42: X
1.14 millert 43: X4) Make a home directory for the anoncvs user. The anoncvs user's
44: X home directory is a chroot jail in which the anoncvssh processes
45: X run when servicing anoncvs requests. The jail must contain the
46: X cvs binary as well as whatever shared libraries and support files
47: X are needed to run them unless you compile and link everything
1.16 millert 48: X statically. This example shows what is needed for OpenBSD. If you
1.14 millert 49: X use another platform you'll need to be familiar with what needs
50: X to go in a chroot jail for your platform.
1.7 beck 51: X
1.22 landry 52: X5) Get permission to use cvsync to obtain the cvs tree from a server.
1.1 deraadt 53: X
1.22 landry 54: X6) Set up cvsync to retrieve the cvs tree from an appropriate place.
1.6 deraadt 55: X
1.22 landry 56: X7) Run cvsync to retrieve the distribution from the server.
1.3 deraadt 57: X
1.22 landry 58: X8) Once you get the distribution in, set up a cron job to run cvsync
1.7 beck 59: X periodically to keep your server up to date.
1.6 deraadt 60: X
1.7 beck 61: X**********************************************************************
62: XSTEP 1) find enough disk space.
1.25 sthen 63: X You need roughly 6GB.
1.21 landry 64: X Mount it on /open, make sure it doesn't have nosuid and nodev flags.
1.14 millert 65: X If you are not able to mount it as /open, substitute it's location
1.16 millert 66: X throughout the rest of this description.
1.6 deraadt 67: X
1.7 beck 68: X**********************************************************************
1.16 millert 69: XSTEP 2) compile the anoncvssh binary.
70: X In the Makefile, change the variable CVSROOT.
1.14 millert 71: X Install the binary setuid-root in /open/anoncvssh.
1.1 deraadt 72: X
1.7 beck 73: X**********************************************************************
1.22 landry 74: XSTEP 3) Create the anoncvs account and decide who will run "cvsync"
1.14 millert 75: X to maintain the archive. The anoncvs account should *NOT* be the one
1.22 landry 76: X running cvsync to maintain the archive.
1.1 deraadt 77: X
1.9 beck 78: Xcreate an account similar to:
79: X
1.18 millert 80: X anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
1.4 deraadt 81: X
1.16 millert 82: XYes, that is right - the account has no password. Be sure that the
1.14 millert 83: Xuid and gid are unique for your system, if the ones above aren't,
84: Xpick different values.
1.16 millert 85: X
1.22 landry 86: XDecide who will run cvsync to maintain the archive. Call that user
87: X$CVSYNCUSER. Oh, and in case it hasn't been previously mentioned,
88: X$CVSYNCUSER should *NOT* be the anoncvs user :).
1.16 millert 89: X
1.24 dtucker 90: XAdd the following to the end of your /etc/ssh/sshd_config and restart
91: Xyour sshd daemon:
92: X
93: XMatch User anoncvs
94: X PermitEmptyPasswords yes
95: X AllowTcpForwarding no
96: X AllowAgentForwarding no
97: X X11Forwarding no
1.26 ! sthen 98: X PermitTTY no
1.7 beck 99: X
100: X**********************************************************************
1.14 millert 101: XSTEP 4) Build the anoncvs user's home directory chroot jail. This
102: X example assumes that you're using OpenBSD. If you're not you
103: X may need different files in the chroot.
1.4 deraadt 104: X
1.1 deraadt 105: Xmkdir /open/anoncvs
106: Xmkdir /open/anoncvs/cvs
1.22 landry 107: Xchown -R $CVSYNCUSER /open/anoncvs/cvs /open/anoncvs
1.1 deraadt 108: X
1.14 millert 109: XStart filling the account up with nice stuff. You are building a chroot
1.7 beck 110: Xjail for anoncvs in /open/anoncvs.
111: X
1.1 deraadt 112: X cd /open/anoncvs
113: X touch .hushlogin
114: X touch .profile
115: X
1.14 millert 116: XPut a message like the following in .plan:
1.16 millert 117: X To use anonymous CVS install the latest version of CVS on your local
1.6 deraadt 118: X machine.
1.1 deraadt 119: X Then set your CVSROOT environment variable to the following value:
120: X anoncvs@anoncvs.openbsd.org:/cvs
121: X
122: X mkdir bin dev tmp usr var etc
123: X cp /bin/{cat,pwd,rm,sh} bin/
124: X
1.14 millert 125: XUsing mknod, make a dev/null that has the same major/minor numbers as
1.1 deraadt 126: X your /dev/null, and make it mode 666.
127: X
1.16 millert 128: XSome shared library systems require a dev/zero created in the same way.
1.1 deraadt 129: X
1.14 millert 130: XFill etc space for the account
1.1 deraadt 131: X cp /etc/{group,hosts,passwd,protocols} etc/
132: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
133: X modify these files to suit your idea of system security
134: X
1.14 millert 135: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses
1.16 millert 136: Xa tiny extension provided in the openbsd cvs server code which
137: Xpermits the use of read-only cvs repositories, therefore you MUST
138: Xcompile the openbsd version of cvs. Luckily this is not a problem
139: Xon a non-openbsd machine, since the cvs sources are imported verbatim
140: Xinto the openbsd tree. They are in gnu/usr.bin/cvs. The sources
141: Xare integrated in such way that Makefile.bsd-wrapper knows how to build
1.14 millert 142: Xthe sources on an OpenBSD machine, using obj directories.
1.1 deraadt 143: X
1.14 millert 144: XCreate tmp space for the account
1.16 millert 145: X # (cd var && ln -s ../tmp tmp)
1.13 millert 146: X # chmod a+rwx tmp
1.1 deraadt 147: X
1.13 millert 148: X # mkdir usr/{bin,lib}
149: X # cp /usr/bin/cvs usr/bin/
1.1 deraadt 150: X
1.14 millert 151: XIf your system has ld.so in /usr/libexec,
1.13 millert 152: X # mkdir usr/libexec
153: X # cp /usr/libexec/ld.so usr/libexec/
1.1 deraadt 154: X
1.14 millert 155: XIf using shared libraries, use ldd to find out which shared libs you need:
1.13 millert 156: X # ldd /usr/bin/cvs
1.16 millert 157: X /usr/bin/cvs:
1.22 landry 158: X Start End Type Open Ref GrpRef Name
159: X 1c000000 3c01f000 exe 1 0 0 /usr/bin/cvs
1.25 sthen 160: X 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.5.0
161: X 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.84.2
1.22 landry 162: X 094ca000 094ca000 rtld 0 1 0 /usr/libexec/ld.so
1.13 millert 163: X
164: X and then copy the required libraries to usr/lib/
1.1 deraadt 165: X
1.14 millert 166: XAs a final pass, make sure that all the files you have just created are
167: Xnot world writable (except dev/null).
1.1 deraadt 168: X
1.7 beck 169: XFor :pserver: support (optional)
170: X - Create an entry in /etc/services
1.16 millert 171: X cvspserver 2401/tcp # CVS client/server operations
1.7 beck 172: X - Create an entry in /etc/inetd.conf
1.16 millert 173: X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
1.11 millert 174: X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
1.16 millert 175: X anoncvs:AHDysQkJIubEc
1.11 millert 176: X which would be a password of "anoncvs" (as per anoncvs.html)
177: X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
1.16 millert 178: X anoncvs
1.11 millert 179: X which tells cvs that user "anoncvs" is allowed readonly access.
180: X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
181: X want anyone to be able to write to the mirror.
1.16 millert 182: X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
1.7 beck 183: X
184: XSee the example layout below for full details.
185: X
186: X**********************************************************************
1.22 landry 187: XSTEP 5): Get cvsync permission.
1.7 beck 188: Xsend mail to sup@openbsd.org
1.22 landry 189: X1) to have cvsync permissions granted on an appropriate machine for you
190: X to cvsync from. We will need to know your host's real hostname and
1.10 beck 191: X IP address.
1.16 millert 192: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created.
1.22 landry 193: X3) to have your site mentioned in the http://www.openbsd.org/anoncvs.html page.
1.3 deraadt 194: X
1.7 beck 195: X**********************************************************************
1.22 landry 196: XSTEP 6): Configure cvsync.
197: X
198: XYou have to install cvsync package.
1.7 beck 199: X
1.22 landry 200: XThe file /etc/cvsync.conf contains the configuration of cvsync. It will
201: Xnormally contain:
1.7 beck 202: X
1.22 landry 203: Xconfig {
204: X base-prefix /open/anoncvs/
205: X hostname anoncvs.ca.openbsd.org
206: X collection {
207: X name openbsd-cvsroot release rcs
208: X prefix cvs
209: X }
210: X collection {
211: X name openbsd-src release rcs
212: X prefix cvs
213: X }
214: X collection {
215: X name openbsd-ports release rcs
216: X prefix cvs
217: X }
218: X collection {
219: X name openbsd-www release rcs
220: X prefix cvs
221: X }
222: X collection {
223: X name openbsd-xenocara release rcs
224: X prefix cvs
225: X }
226: X}
1.7 beck 227: X
228: X**********************************************************************
1.22 landry 229: XSTEP 7): Run cvsync to retrieve the tree for the first time.
1.7 beck 230: X
1.22 landry 231: XLog in as or become the $CVSYNCUSER, and run
1.7 beck 232: X
1.22 landry 233: Xcvsync > /tmp/cvsynclog &; tail -f /tmp/cvsynclog
1.7 beck 234: X
1.22 landry 235: XIf you have cvsync permission, and have specified the correct host and
236: Xprefix in /etc/cvsync.conf you should see a list of files start
1.7 beck 237: Xcoming in after a short while. Don't panic if nothing happens
1.22 landry 238: Ximmediately. Watch for errors (cvsync can timeout or die). If you can't
239: Xaccess files contact the cvsync server maintainer. If you get a timeout
240: Xor if cvsync dies you can restart and it should continue where it left off.
1.7 beck 241: X
242: XIt can take a good while (and a couple of restarts) to obtain the
243: Xwhole tree for the first time.
244: X
245: X**********************************************************************
246: XSTEP 8): Set up cron to keep the tree up to date.
247: X
1.22 landry 248: XYou run cvsync periodically from the cron by setting up the crontab file
249: Xof the $CVSYNCUSER.
1.7 beck 250: X
1.22 landry 251: XFor example, to update every two hours:
1.7 beck 252: X
1.22 landry 253: X15 */2 * * * /usr/local/bin/cvsync > /dev/null
1.7 beck 254: X
255: X**********************************************************************
1.19 beck 256: X
1.7 beck 257: XEXAMPLE LAYOUT
258: X
1.22 landry 259: XExample layout for OpenBSD. In this example "deraadt" is the $CVSYNCUSER.
1.3 deraadt 260: X
1.22 landry 261: X$ cd /open
262: X$ ls -alF
263: Xtotal 64
264: Xdrwxr-xr-x 5 root wheel 512 Jun 18 22:29 ./
265: Xdrwxr-xr-x 13 root wheel 512 Jun 4 05:14 ../
266: Xdrwxr-xr-x 9 deraadt wheel 512 Jun 3 02:15 anoncvs/
267: X---s--x--x 1 root wheel 14302 Jun 18 22:29 anoncvssh*
268: Xdrwxr-xr-x 4 root wheel 5120 Jun 10 14:34 ftp/
269: X
270: X$ cd anoncvs
271: X$ ls -alF
272: Xtotal 68
273: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ./
274: Xdrwxr-xr-x 5 root wheel 512 Jun 10 14:32 ../
275: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .hushlogin
276: X-rw-r--r-- 1 root wheel 84 Jun 3 01:50 .plan
277: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .profile
278: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 bin/
279: Xdrwxr-xr-x 7 deraadt wheel 512 Jun 18 22:19 cvs/
280: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 dev/
281: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 etc/
282: Xdrwxrwxrwx 10 root wheel 512 Jun 18 17:38 tmp/
283: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 usr/
284: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:54 var/
285: X$ ls -alFR bin usr tmp etc dev
1.3 deraadt 286: Xbin:
1.22 landry 287: Xtotal 1984
288: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 ./
289: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
290: X-r-xr-xr-x 1 root wheel 132368 Jun 3 01:40 cat*
291: X-r-xr-xr-x 1 root wheel 124176 Jun 3 01:40 pwd*
292: X-r-xr-xr-x 1 root wheel 238864 Jun 3 01:40 rm*
293: X-r-xr-xr-x 1 root wheel 460048 Jun 3 01:40 sh*
294: X
1.3 deraadt 295: Xdev:
1.22 landry 296: Xtotal 8
297: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 ./
298: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
299: Xcrw-rw-rw- 1 root wheel 3, 2 Jun 3 01:51 null
300: Xcrw-rw-rw- 1 root wheel 3, 12 Jun 3 01:51 zero
301: X
1.3 deraadt 302: Xetc:
1.22 landry 303: Xtotal 188
304: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 ./
305: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
306: X-r--r--r-- 1 root wheel 64 Jun 3 01:52 group*
307: X-r--r--r-- 1 root wheel 576 Jun 3 01:52 hosts*
308: X-r--r--r-- 1 root wheel 291 Jun 3 01:53 passwd*
309: X-r--r--r-- 1 root wheel 5625 Jun 3 01:52 protocols*
310: X-r--r--r-- 1 root wheel 40960 Jun 3 01:52 pwd.db*
311: X-r--r--r-- 1 root wheel 93 Jun 3 01:52 resolv.conf*
312: X-r--r--r-- 1 root wheel 9875 Jun 3 01:52 services*
313: X-r--r--r-- 1 root wheel 26428 Jun 3 01:52 ttys*
1.3 deraadt 314: X
315: Xusr:
1.22 landry 316: Xtotal 20
317: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ./
318: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
319: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 bin/
320: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 lib/
321: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 libexec/
1.3 deraadt 322: X
323: Xusr/bin:
1.22 landry 324: Xtotal 3016
325: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 ./
326: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
327: X-r-xr-xr-x 1 root wheel 643728 Jun 3 01:54 cvs*
1.3 deraadt 328: X
329: Xusr/lib:
1.22 landry 330: Xtotal 42344
331: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./
332: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
1.26 ! sthen 333: X-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.84.2
! 334: X-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.5.0
1.3 deraadt 335: X
336: Xusr/libexec:
1.22 landry 337: Xtotal 120
338: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 ./
339: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
340: X-r-xr-xr-x 1 root wheel 55683 Jun 3 01:55 ld.so*
341: X$ ls cvs
342: XCVSROOT ports src www xenocara
343: X
1.1 deraadt 344: END-of-README
345: echo x - anoncvssh.c
346: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
347: X/*
1.15 millert 348: X * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
349: X * Copyright (c) 1997 Bob Beck <beck@obtuse.com>
350: X * Copyright (c) 1996 Thorsten Lockert <tholo@sigmasoft.com>
351: X *
352: X * Permission to use, copy, modify, and distribute this software for any
353: X * purpose with or without fee is hereby granted, provided that the above
354: X * copyright notice and this permission notice appear in all copies.
355: X *
356: X * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
357: X * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
358: X * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
359: X * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
360: X * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
361: X * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
362: X * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.1 deraadt 363: X */
364: X
1.4 deraadt 365: X#include <stdio.h>
366: X#include <stdlib.h>
367: X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
368: X#include <paths.h>
369: X#endif
370: X#include <pwd.h>
371: X#include <unistd.h>
372: X#include <sys/types.h>
373: X
374: X#ifndef __P
375: X#if defined(__STDC__) || defined(__cplusplus)
376: X#define __P(protos) protos /* full-blown ANSI C */
377: X#else
378: X#define __P(protos) () /* traditional C preprocessor */
379: X#endif
380: X#endif
381: X
382: X/*
383: X * You may need to change this path to ensure that RCS, CVS and diff
384: X * can be found
385: X */
386: X#ifndef _PATH_DEFPATH
387: X#define _PATH_DEFPATH "/bin:/usr/bin"
388: X#endif
389: X
390: X/*
391: X * This should not normally have to be changed
392: X */
393: X#ifndef _PATH_BSHELL
394: X#define _PATH_BSHELL "/bin/sh"
395: X#endif
396: X
397: X/*
398: X * Location of CVS tree, relative to the anonymous CVS user's
399: X * home directory
400: X */
401: X#ifndef LOCALROOT
402: X#define LOCALROOT "/cvs"
403: X#endif
404: X
405: X/*
1.19 beck 406: X * Hostname to be used when accessing the remote repository.
1.4 deraadt 407: X */
408: X#ifndef HOSTNAME
1.19 beck 409: X#define HOSTNAME "anoncvs1.usa.openbsd.org"
410: X#endif
411: X
412: X/*
413: X * Username to be used when accessing the remote repository.
414: X */
415: X#ifndef USERNAME
416: X#define USERNAME "anoncvs"
1.4 deraadt 417: X#endif
418: X
419: X/*
1.19 beck 420: X * $CVSROOT is created based on USERNAME HOSTNAME and LOCALROOT above
1.4 deraadt 421: X */
1.1 deraadt 422: X#ifndef CVSROOT
1.19 beck 423: X#define CVSROOT USERNAME "@" HOSTNAME ":"LOCALROOT
1.1 deraadt 424: X#endif
425: X
1.8 beck 426: X/*
427: X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
428: X * You may undefine this if you aren't going to be running pserver.
429: X */
430: X#ifndef PSERVER_SUPPORT
431: X#define PSERVER_SUPPORT
432: X#endif
433: X
434: X/*
435: X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
436: X * using syslog()
437: X */
438: X#define USE_SYSLOG
439: X
440: X#ifdef USE_SYSLOG
441: X#include <string.h>
442: X#include <syslog.h>
443: X#include <netinet/in.h>
444: X#include <sys/socket.h>
445: X#include <arpa/inet.h>
446: X#define LOG_FACILITY LOG_DAEMON
447: X#define LOG_PRIO LOG_INFO
448: X#endif
449: X
450: X/* Define ANONCVS_USER if you want anoncvssh to complain if invoked by
451: X * anyone other than root or ANONCVS_USER.
452: X */
1.19 beck 453: X/* #define ANONCVS_USER USERNAME */
454: X
455: X/*
456: X * If you want to be able to run an alternate OpenCVS binary on your
457: X * anoncvs server, define OPENCVS_USER as the user who will invoke it.
458: X */
459: X#define OPENCVS_USER "opencvs"
1.8 beck 460: X
1.4 deraadt 461: Xint main __P((int, char *[]));
462: X
463: Xchar * const env[] = {
1.17 espie 464: X "PATH="_PATH_DEFPATH,
465: X "SHELL="_PATH_BSHELL,
466: X "CVSROOT="LOCALROOT,
1.4 deraadt 467: X "HOME=/",
468: X "CVSREADONLYFS=1",
469: X NULL
470: X};
1.1 deraadt 471: X
472: Xint
473: Xmain(argc, argv)
474: Xint argc;
475: Xchar *argv[];
476: X{
477: X struct passwd *pw;
1.5 deraadt 478: X#ifdef DEBUG
479: X int i;
480: X#endif /* DEBUG */
1.19 beck 481: X#if defined(OPENCVS_USER)
482: X int opencvs;
483: X#endif
1.1 deraadt 484: X
485: X pw = getpwuid(getuid());
486: X if (pw == NULL) {
487: X fprintf(stderr, "no user for uid %d\n", getuid());
488: X exit(1);
489: X }
490: X if (pw->pw_dir == NULL) {
491: X fprintf(stderr, "no directory\n");
492: X exit(1);
493: X }
1.8 beck 494: X
495: X#ifdef USE_SYSLOG
496: X openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
497: X#endif /* USE_SYSLOG */
498: X
499: X#ifdef ANONCVS_USER
500: X /*
501: X * I love lusers who have to test every setuid binary on my machine.
502: X */
503: X if (getuid() != 0 && (strcmp (pw->pw_name, ANONCVS_USER) != 0)) {
504: X fprintf(stderr, "You're not supposed to be running me!\n");
505: X#ifdef USE_SYSLOG
506: X syslog(LOG_NOTICE,
507: X "User %s(%d) invoked anoncvssh - Possible twink?",
508: X pw->pw_name, pw->pw_uid);
509: X#endif /* USE_SYSLOG */
510: X exit(1);
511: X }
512: X#endif /* ANONCVS_USER */
513: X
514: X
1.11 millert 515: X setuid(0);
1.1 deraadt 516: X if (chroot(pw->pw_dir) == -1) {
517: X perror("chroot");
518: X exit (1);
519: X }
520: X chdir("/");
1.11 millert 521: X setuid(pw->pw_uid);
1.1 deraadt 522: X
1.19 beck 523: X#if defined(OPENCVS_USER)
524: X if (!strcmp(pw->pw_name, OPENCVS_USER))
525: X opencvs = 1;
526: X else
527: X opencvs = 0;
528: X#endif
529: X
1.1 deraadt 530: X /*
531: X * program now "safe"
532: X */
1.6 deraadt 533: X
1.8 beck 534: X#ifdef PSERVER_SUPPORT
1.6 deraadt 535: X /* If we want pserver functionality */
1.8 beck 536: X if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
537: X#ifdef USE_SYSLOG
538: X int slen;
539: X struct sockaddr_in my_sa, peer_sa;
540: X char *us, *them;
1.19 beck 541: X
542: X#if defined(OPENCVS_USER)
543: X if (opencvs == 1) {
544: X fprintf(stderr, "OpenCVS does not support pserver\n");
545: X sleep(10);
546: X exit(1);
547: X }
548: X#endif
549: X
1.8 beck 550: X slen = sizeof(my_sa);
551: X if (getsockname(0, (struct sockaddr *) &my_sa, &slen)
552: X != 0) {
553: X perror("getsockname");
554: X exit(1);
555: X }
556: X us = strdup(inet_ntoa(my_sa.sin_addr));
557: X if (us == NULL) {
558: X fprintf(stderr, "malloc failed\n");
559: X exit(1);
560: X }
561: X slen = sizeof(peer_sa);
562: X if (getpeername(0, (struct sockaddr *) &peer_sa, &slen)
563: X != 0) {
564: X perror("getpeername");
565: X exit(1);
566: X }
567: X them=strdup(inet_ntoa(peer_sa.sin_addr));
568: X if (them == NULL) {
569: X fprintf(stderr, "malloc failed\n");
570: X exit(1);
571: X }
572: X syslog(LOG_PRIO,
573: X "pserver connection from %s:%d to %s:%d\n",
574: X them, ntohs(peer_sa.sin_port),
575: X us, ntohs(my_sa.sin_port));
576: X#endif /* USE_SYSLOG */
1.11 millert 577: X execle("/usr/bin/cvs", "cvs",
1.17 espie 578: X "--allow-root="LOCALROOT, "pserver", (char *)NULL, env);
1.6 deraadt 579: X perror("execle: cvs");
580: X fprintf(stderr, "unable to exec CVS pserver!\n");
581: X exit(1);
582: X /* NOTREACHED */
583: X }
1.8 beck 584: X#endif
1.1 deraadt 585: X
586: X if (argc != 3 ||
587: X strcmp("anoncvssh", argv[0]) != 0 ||
588: X strcmp("-c", argv[1]) != 0 ||
1.5 deraadt 589: X (strcmp("cvs server", argv[2]) != 0 &&
1.17 espie 590: X strcmp("cvs -d "LOCALROOT" server", argv[2]) != 0)) {
1.1 deraadt 591: X fprintf(stderr, "\nTo use anonymous CVS install the latest ");
592: X fprintf(stderr,"version of CVS on your local machine.\n");
593: X fprintf(stderr,"Then set your CVSROOT environment variable ");
594: X fprintf(stderr,"to the following value:\n");
1.19 beck 595: X#if defined(OPENCVS_USER)
596: X fprintf(stderr, "\t%s@%s:%s for OpenCVS\n", OPENCVS_USER,
597: X HOSTNAME, LOCALROOT);
598: X#endif
1.1 deraadt 599: X fprintf(stderr,"\t%s\n\n", CVSROOT);
1.5 deraadt 600: X#ifdef DEBUG
601: X fprintf(stderr, "argc = %d\n", argc);
602: X for (i = 0 ; i < argc ; i++)
603: X fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
604: X#endif /* DEBUG */
1.1 deraadt 605: X sleep(10);
606: X exit(0);
607: X }
1.19 beck 608: X
609: X#if defined(OPENCVS_USER)
610: X if (opencvs == 1) {
611: X execle("/usr/bin/opencvs", "opencvs",
612: X "server", (char *)NULL, env);
613: X } else {
614: X#endif
615: X execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
616: X#if defined(OPENCVS_USER)
617: X }
618: X#endif
619: X
1.4 deraadt 620: X perror("execle: cvs");
1.1 deraadt 621: X fprintf(stderr, "unable to exec CVS server!\n");
622: X exit(1);
1.5 deraadt 623: X /* NOTREACHED */
1.1 deraadt 624: X}
625: X
626: END-of-anoncvssh.c
627: exit
628: