Annotation of www/anoncvs.shar, Revision 1.27
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
1.6 deraadt 8: # Makefile
1.1 deraadt 9: # README
10: # anoncvssh.c
11: #
1.6 deraadt 12: echo x - Makefile
13: sed 's/^X//' >Makefile << 'END-of-Makefile'
14: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
15: XPROG= anoncvssh
16: XBINOWN= root
17: XBINMODE=4111
18: XBINDIR=/open
19: XNOMAN=
20: X
21: X.include <bsd.prog.mk>
22: X
23: END-of-Makefile
1.1 deraadt 24: echo x - README
25: sed 's/^X//' >README << 'END-of-README'
26: X
1.16 millert 27: X So, you want to run an anoncvs server.
1.7 beck 28: X
29: X A summary of the steps you'll need to do is:
30: X
1.16 millert 31: X1) Find enough disk space to hold the anoncvs tree, and mount it in an
1.14 millert 32: X appropriate place.
1.7 beck 33: X
34: X2) Compile and install anoncvssh, the shell used for the anoncvs user.
1.22 landry 35: X Install the cvsync client using 'pkg_add cvsync' command.
36: X ( If you aren't using OpenBSD you'll probably need to compile a cvsync
1.16 millert 37: X client as well. The easier path is to use OpenBSD ;).
1.7 beck 38: X
39: X3) Add the anoncvs user to the password file, with no password, and
1.22 landry 40: X anoncvssh as it's shell. Decide on a user that will run cvsync to maintain
1.16 millert 41: X the archive (this is a different user, NOT the anoncvs user).
1.7 beck 42: X
1.14 millert 43: X4) Make a home directory for the anoncvs user. The anoncvs user's
44: X home directory is a chroot jail in which the anoncvssh processes
45: X run when servicing anoncvs requests. The jail must contain the
46: X cvs binary as well as whatever shared libraries and support files
47: X are needed to run them unless you compile and link everything
1.16 millert 48: X statically. This example shows what is needed for OpenBSD. If you
1.14 millert 49: X use another platform you'll need to be familiar with what needs
50: X to go in a chroot jail for your platform.
1.7 beck 51: X
1.22 landry 52: X5) Get permission to use cvsync to obtain the cvs tree from a server.
1.1 deraadt 53: X
1.22 landry 54: X6) Set up cvsync to retrieve the cvs tree from an appropriate place.
1.6 deraadt 55: X
1.22 landry 56: X7) Run cvsync to retrieve the distribution from the server.
1.3 deraadt 57: X
1.22 landry 58: X8) Once you get the distribution in, set up a cron job to run cvsync
1.7 beck 59: X periodically to keep your server up to date.
1.6 deraadt 60: X
1.7 beck 61: X**********************************************************************
62: XSTEP 1) find enough disk space.
1.25 sthen 63: X You need roughly 6GB.
1.21 landry 64: X Mount it on /open, make sure it doesn't have nosuid and nodev flags.
1.14 millert 65: X If you are not able to mount it as /open, substitute it's location
1.16 millert 66: X throughout the rest of this description.
1.6 deraadt 67: X
1.7 beck 68: X**********************************************************************
1.16 millert 69: XSTEP 2) compile the anoncvssh binary.
70: X In the Makefile, change the variable CVSROOT.
1.14 millert 71: X Install the binary setuid-root in /open/anoncvssh.
1.1 deraadt 72: X
1.7 beck 73: X**********************************************************************
1.22 landry 74: XSTEP 3) Create the anoncvs account and decide who will run "cvsync"
1.14 millert 75: X to maintain the archive. The anoncvs account should *NOT* be the one
1.22 landry 76: X running cvsync to maintain the archive.
1.1 deraadt 77: X
1.9 beck 78: Xcreate an account similar to:
79: X
1.18 millert 80: X anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
1.4 deraadt 81: X
1.16 millert 82: XYes, that is right - the account has no password. Be sure that the
1.14 millert 83: Xuid and gid are unique for your system, if the ones above aren't,
84: Xpick different values.
1.16 millert 85: X
1.22 landry 86: XDecide who will run cvsync to maintain the archive. Call that user
87: X$CVSYNCUSER. Oh, and in case it hasn't been previously mentioned,
88: X$CVSYNCUSER should *NOT* be the anoncvs user :).
1.16 millert 89: X
1.24 dtucker 90: XAdd the following to the end of your /etc/ssh/sshd_config and restart
91: Xyour sshd daemon:
92: X
93: XMatch User anoncvs
94: X PermitEmptyPasswords yes
95: X AllowTcpForwarding no
96: X AllowAgentForwarding no
97: X X11Forwarding no
1.26 sthen 98: X PermitTTY no
1.7 beck 99: X
100: X**********************************************************************
1.14 millert 101: XSTEP 4) Build the anoncvs user's home directory chroot jail. This
102: X example assumes that you're using OpenBSD. If you're not you
103: X may need different files in the chroot.
1.4 deraadt 104: X
1.1 deraadt 105: Xmkdir /open/anoncvs
106: Xmkdir /open/anoncvs/cvs
1.22 landry 107: Xchown -R $CVSYNCUSER /open/anoncvs/cvs /open/anoncvs
1.1 deraadt 108: X
1.14 millert 109: XStart filling the account up with nice stuff. You are building a chroot
1.7 beck 110: Xjail for anoncvs in /open/anoncvs.
111: X
1.1 deraadt 112: X cd /open/anoncvs
113: X touch .hushlogin
114: X touch .profile
115: X mkdir bin dev tmp usr var etc
116: X cp /bin/{cat,pwd,rm,sh} bin/
117: X
1.14 millert 118: XUsing mknod, make a dev/null that has the same major/minor numbers as
1.1 deraadt 119: X your /dev/null, and make it mode 666.
120: X
1.16 millert 121: XSome shared library systems require a dev/zero created in the same way.
1.1 deraadt 122: X
1.14 millert 123: XFill etc space for the account
1.1 deraadt 124: X cp /etc/{group,hosts,passwd,protocols} etc/
125: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
126: X modify these files to suit your idea of system security
127: X
1.14 millert 128: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses
1.16 millert 129: Xa tiny extension provided in the openbsd cvs server code which
130: Xpermits the use of read-only cvs repositories, therefore you MUST
131: Xcompile the openbsd version of cvs. Luckily this is not a problem
132: Xon a non-openbsd machine, since the cvs sources are imported verbatim
133: Xinto the openbsd tree. They are in gnu/usr.bin/cvs. The sources
134: Xare integrated in such way that Makefile.bsd-wrapper knows how to build
1.14 millert 135: Xthe sources on an OpenBSD machine, using obj directories.
1.1 deraadt 136: X
1.14 millert 137: XCreate tmp space for the account
1.16 millert 138: X # (cd var && ln -s ../tmp tmp)
1.13 millert 139: X # chmod a+rwx tmp
1.1 deraadt 140: X
1.13 millert 141: X # mkdir usr/{bin,lib}
142: X # cp /usr/bin/cvs usr/bin/
1.1 deraadt 143: X
1.14 millert 144: XIf your system has ld.so in /usr/libexec,
1.13 millert 145: X # mkdir usr/libexec
146: X # cp /usr/libexec/ld.so usr/libexec/
1.1 deraadt 147: X
1.14 millert 148: XIf using shared libraries, use ldd to find out which shared libs you need:
1.13 millert 149: X # ldd /usr/bin/cvs
1.16 millert 150: X /usr/bin/cvs:
1.22 landry 151: X Start End Type Open Ref GrpRef Name
152: X 1c000000 3c01f000 exe 1 0 0 /usr/bin/cvs
1.25 sthen 153: X 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.5.0
154: X 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.84.2
1.22 landry 155: X 094ca000 094ca000 rtld 0 1 0 /usr/libexec/ld.so
1.13 millert 156: X
157: X and then copy the required libraries to usr/lib/
1.1 deraadt 158: X
1.14 millert 159: XAs a final pass, make sure that all the files you have just created are
160: Xnot world writable (except dev/null).
1.1 deraadt 161: X
1.7 beck 162: XFor :pserver: support (optional)
163: X - Create an entry in /etc/services
1.16 millert 164: X cvspserver 2401/tcp # CVS client/server operations
1.7 beck 165: X - Create an entry in /etc/inetd.conf
1.16 millert 166: X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
1.11 millert 167: X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
1.16 millert 168: X anoncvs:AHDysQkJIubEc
1.11 millert 169: X which would be a password of "anoncvs" (as per anoncvs.html)
170: X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
1.16 millert 171: X anoncvs
1.11 millert 172: X which tells cvs that user "anoncvs" is allowed readonly access.
173: X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
174: X want anyone to be able to write to the mirror.
1.16 millert 175: X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
1.7 beck 176: X
177: XSee the example layout below for full details.
178: X
179: X**********************************************************************
1.22 landry 180: XSTEP 5): Get cvsync permission.
1.7 beck 181: Xsend mail to sup@openbsd.org
1.22 landry 182: X1) to have cvsync permissions granted on an appropriate machine for you
183: X to cvsync from. We will need to know your host's real hostname and
1.10 beck 184: X IP address.
1.16 millert 185: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created.
1.22 landry 186: X3) to have your site mentioned in the http://www.openbsd.org/anoncvs.html page.
1.3 deraadt 187: X
1.7 beck 188: X**********************************************************************
1.22 landry 189: XSTEP 6): Configure cvsync.
190: X
191: XYou have to install cvsync package.
1.7 beck 192: X
1.22 landry 193: XThe file /etc/cvsync.conf contains the configuration of cvsync. It will
194: Xnormally contain:
1.7 beck 195: X
1.22 landry 196: Xconfig {
197: X base-prefix /open/anoncvs/
198: X hostname anoncvs.ca.openbsd.org
199: X collection {
200: X name openbsd-cvsroot release rcs
201: X prefix cvs
202: X }
203: X collection {
204: X name openbsd-src release rcs
205: X prefix cvs
206: X }
207: X collection {
208: X name openbsd-ports release rcs
209: X prefix cvs
210: X }
211: X collection {
212: X name openbsd-www release rcs
213: X prefix cvs
214: X }
215: X collection {
216: X name openbsd-xenocara release rcs
217: X prefix cvs
218: X }
219: X}
1.7 beck 220: X
221: X**********************************************************************
1.22 landry 222: XSTEP 7): Run cvsync to retrieve the tree for the first time.
1.7 beck 223: X
1.22 landry 224: XLog in as or become the $CVSYNCUSER, and run
1.7 beck 225: X
1.22 landry 226: Xcvsync > /tmp/cvsynclog &; tail -f /tmp/cvsynclog
1.7 beck 227: X
1.22 landry 228: XIf you have cvsync permission, and have specified the correct host and
229: Xprefix in /etc/cvsync.conf you should see a list of files start
1.7 beck 230: Xcoming in after a short while. Don't panic if nothing happens
1.22 landry 231: Ximmediately. Watch for errors (cvsync can timeout or die). If you can't
232: Xaccess files contact the cvsync server maintainer. If you get a timeout
233: Xor if cvsync dies you can restart and it should continue where it left off.
1.7 beck 234: X
235: XIt can take a good while (and a couple of restarts) to obtain the
236: Xwhole tree for the first time.
237: X
238: X**********************************************************************
239: XSTEP 8): Set up cron to keep the tree up to date.
240: X
1.22 landry 241: XYou run cvsync periodically from the cron by setting up the crontab file
242: Xof the $CVSYNCUSER.
1.7 beck 243: X
1.22 landry 244: XFor example, to update every two hours:
1.7 beck 245: X
1.22 landry 246: X15 */2 * * * /usr/local/bin/cvsync > /dev/null
1.7 beck 247: X
248: X**********************************************************************
1.19 beck 249: X
1.7 beck 250: XEXAMPLE LAYOUT
251: X
1.22 landry 252: XExample layout for OpenBSD. In this example "deraadt" is the $CVSYNCUSER.
1.3 deraadt 253: X
1.22 landry 254: X$ cd /open
255: X$ ls -alF
256: Xtotal 64
257: Xdrwxr-xr-x 5 root wheel 512 Jun 18 22:29 ./
258: Xdrwxr-xr-x 13 root wheel 512 Jun 4 05:14 ../
259: Xdrwxr-xr-x 9 deraadt wheel 512 Jun 3 02:15 anoncvs/
260: X---s--x--x 1 root wheel 14302 Jun 18 22:29 anoncvssh*
261: Xdrwxr-xr-x 4 root wheel 5120 Jun 10 14:34 ftp/
262: X
263: X$ cd anoncvs
264: X$ ls -alF
265: Xtotal 68
266: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ./
267: Xdrwxr-xr-x 5 root wheel 512 Jun 10 14:32 ../
268: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .hushlogin
269: X-rw-r--r-- 1 root wheel 84 Jun 3 01:50 .plan
270: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .profile
271: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 bin/
272: Xdrwxr-xr-x 7 deraadt wheel 512 Jun 18 22:19 cvs/
273: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 dev/
274: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 etc/
275: Xdrwxrwxrwx 10 root wheel 512 Jun 18 17:38 tmp/
276: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 usr/
277: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:54 var/
278: X$ ls -alFR bin usr tmp etc dev
1.3 deraadt 279: Xbin:
1.22 landry 280: Xtotal 1984
281: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 ./
282: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
283: X-r-xr-xr-x 1 root wheel 132368 Jun 3 01:40 cat*
284: X-r-xr-xr-x 1 root wheel 124176 Jun 3 01:40 pwd*
285: X-r-xr-xr-x 1 root wheel 238864 Jun 3 01:40 rm*
286: X-r-xr-xr-x 1 root wheel 460048 Jun 3 01:40 sh*
287: X
1.3 deraadt 288: Xdev:
1.22 landry 289: Xtotal 8
290: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 ./
291: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
292: Xcrw-rw-rw- 1 root wheel 3, 2 Jun 3 01:51 null
293: Xcrw-rw-rw- 1 root wheel 3, 12 Jun 3 01:51 zero
294: X
1.3 deraadt 295: Xetc:
1.22 landry 296: Xtotal 188
297: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 ./
298: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
299: X-r--r--r-- 1 root wheel 64 Jun 3 01:52 group*
300: X-r--r--r-- 1 root wheel 576 Jun 3 01:52 hosts*
301: X-r--r--r-- 1 root wheel 291 Jun 3 01:53 passwd*
302: X-r--r--r-- 1 root wheel 5625 Jun 3 01:52 protocols*
303: X-r--r--r-- 1 root wheel 40960 Jun 3 01:52 pwd.db*
304: X-r--r--r-- 1 root wheel 93 Jun 3 01:52 resolv.conf*
305: X-r--r--r-- 1 root wheel 9875 Jun 3 01:52 services*
306: X-r--r--r-- 1 root wheel 26428 Jun 3 01:52 ttys*
1.3 deraadt 307: X
308: Xusr:
1.22 landry 309: Xtotal 20
310: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ./
311: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
312: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 bin/
313: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 lib/
314: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 libexec/
1.3 deraadt 315: X
316: Xusr/bin:
1.22 landry 317: Xtotal 3016
318: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 ./
319: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
320: X-r-xr-xr-x 1 root wheel 643728 Jun 3 01:54 cvs*
1.3 deraadt 321: X
322: Xusr/lib:
1.22 landry 323: Xtotal 42344
324: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./
325: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
1.26 sthen 326: X-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.84.2
327: X-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.5.0
1.3 deraadt 328: X
329: Xusr/libexec:
1.22 landry 330: Xtotal 120
331: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 ./
332: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
333: X-r-xr-xr-x 1 root wheel 55683 Jun 3 01:55 ld.so*
334: X$ ls cvs
335: XCVSROOT ports src www xenocara
336: X
1.1 deraadt 337: END-of-README
338: echo x - anoncvssh.c
339: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
340: X/*
1.15 millert 341: X * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
342: X * Copyright (c) 1997 Bob Beck <beck@obtuse.com>
343: X * Copyright (c) 1996 Thorsten Lockert <tholo@sigmasoft.com>
344: X *
345: X * Permission to use, copy, modify, and distribute this software for any
346: X * purpose with or without fee is hereby granted, provided that the above
347: X * copyright notice and this permission notice appear in all copies.
348: X *
349: X * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
350: X * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
351: X * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
352: X * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
353: X * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
354: X * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
355: X * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.1 deraadt 356: X */
357: X
1.4 deraadt 358: X#include <stdio.h>
359: X#include <stdlib.h>
360: X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
361: X#include <paths.h>
362: X#endif
363: X#include <pwd.h>
364: X#include <unistd.h>
365: X#include <sys/types.h>
366: X
367: X#ifndef __P
368: X#if defined(__STDC__) || defined(__cplusplus)
369: X#define __P(protos) protos /* full-blown ANSI C */
370: X#else
371: X#define __P(protos) () /* traditional C preprocessor */
372: X#endif
373: X#endif
374: X
375: X/*
376: X * You may need to change this path to ensure that RCS, CVS and diff
377: X * can be found
378: X */
379: X#ifndef _PATH_DEFPATH
380: X#define _PATH_DEFPATH "/bin:/usr/bin"
381: X#endif
382: X
383: X/*
384: X * This should not normally have to be changed
385: X */
386: X#ifndef _PATH_BSHELL
387: X#define _PATH_BSHELL "/bin/sh"
388: X#endif
389: X
390: X/*
391: X * Location of CVS tree, relative to the anonymous CVS user's
392: X * home directory
393: X */
394: X#ifndef LOCALROOT
395: X#define LOCALROOT "/cvs"
396: X#endif
397: X
398: X/*
1.19 beck 399: X * Hostname to be used when accessing the remote repository.
1.4 deraadt 400: X */
401: X#ifndef HOSTNAME
1.19 beck 402: X#define HOSTNAME "anoncvs1.usa.openbsd.org"
403: X#endif
404: X
405: X/*
406: X * Username to be used when accessing the remote repository.
407: X */
408: X#ifndef USERNAME
409: X#define USERNAME "anoncvs"
1.4 deraadt 410: X#endif
411: X
412: X/*
1.19 beck 413: X * $CVSROOT is created based on USERNAME HOSTNAME and LOCALROOT above
1.4 deraadt 414: X */
1.1 deraadt 415: X#ifndef CVSROOT
1.19 beck 416: X#define CVSROOT USERNAME "@" HOSTNAME ":"LOCALROOT
1.1 deraadt 417: X#endif
418: X
1.8 beck 419: X/*
420: X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
421: X * You may undefine this if you aren't going to be running pserver.
422: X */
423: X#ifndef PSERVER_SUPPORT
424: X#define PSERVER_SUPPORT
425: X#endif
426: X
427: X/*
428: X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
429: X * using syslog()
430: X */
431: X#define USE_SYSLOG
432: X
433: X#ifdef USE_SYSLOG
434: X#include <string.h>
435: X#include <syslog.h>
436: X#include <netinet/in.h>
437: X#include <sys/socket.h>
438: X#include <arpa/inet.h>
439: X#define LOG_FACILITY LOG_DAEMON
440: X#define LOG_PRIO LOG_INFO
441: X#endif
442: X
443: X/* Define ANONCVS_USER if you want anoncvssh to complain if invoked by
444: X * anyone other than root or ANONCVS_USER.
445: X */
1.19 beck 446: X/* #define ANONCVS_USER USERNAME */
447: X
1.4 deraadt 448: Xint main __P((int, char *[]));
449: X
450: Xchar * const env[] = {
1.17 espie 451: X "PATH="_PATH_DEFPATH,
452: X "SHELL="_PATH_BSHELL,
453: X "CVSROOT="LOCALROOT,
1.4 deraadt 454: X "HOME=/",
455: X "CVSREADONLYFS=1",
456: X NULL
457: X};
1.1 deraadt 458: X
459: Xint
460: Xmain(argc, argv)
461: Xint argc;
462: Xchar *argv[];
463: X{
464: X struct passwd *pw;
1.5 deraadt 465: X#ifdef DEBUG
466: X int i;
467: X#endif /* DEBUG */
1.1 deraadt 468: X
469: X pw = getpwuid(getuid());
470: X if (pw == NULL) {
471: X fprintf(stderr, "no user for uid %d\n", getuid());
472: X exit(1);
473: X }
474: X if (pw->pw_dir == NULL) {
475: X fprintf(stderr, "no directory\n");
476: X exit(1);
477: X }
1.8 beck 478: X
479: X#ifdef USE_SYSLOG
480: X openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
481: X#endif /* USE_SYSLOG */
482: X
483: X#ifdef ANONCVS_USER
484: X /*
485: X * I love lusers who have to test every setuid binary on my machine.
486: X */
487: X if (getuid() != 0 && (strcmp (pw->pw_name, ANONCVS_USER) != 0)) {
488: X fprintf(stderr, "You're not supposed to be running me!\n");
489: X#ifdef USE_SYSLOG
490: X syslog(LOG_NOTICE,
491: X "User %s(%d) invoked anoncvssh - Possible twink?",
492: X pw->pw_name, pw->pw_uid);
493: X#endif /* USE_SYSLOG */
494: X exit(1);
495: X }
496: X#endif /* ANONCVS_USER */
497: X
498: X
1.11 millert 499: X setuid(0);
1.1 deraadt 500: X if (chroot(pw->pw_dir) == -1) {
501: X perror("chroot");
502: X exit (1);
503: X }
504: X chdir("/");
1.11 millert 505: X setuid(pw->pw_uid);
1.1 deraadt 506: X
507: X /*
508: X * program now "safe"
509: X */
1.6 deraadt 510: X
1.8 beck 511: X#ifdef PSERVER_SUPPORT
1.6 deraadt 512: X /* If we want pserver functionality */
1.8 beck 513: X if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
514: X#ifdef USE_SYSLOG
515: X int slen;
516: X struct sockaddr_in my_sa, peer_sa;
517: X char *us, *them;
1.19 beck 518: X
1.8 beck 519: X slen = sizeof(my_sa);
520: X if (getsockname(0, (struct sockaddr *) &my_sa, &slen)
521: X != 0) {
522: X perror("getsockname");
523: X exit(1);
524: X }
525: X us = strdup(inet_ntoa(my_sa.sin_addr));
526: X if (us == NULL) {
527: X fprintf(stderr, "malloc failed\n");
528: X exit(1);
529: X }
530: X slen = sizeof(peer_sa);
531: X if (getpeername(0, (struct sockaddr *) &peer_sa, &slen)
532: X != 0) {
533: X perror("getpeername");
534: X exit(1);
535: X }
536: X them=strdup(inet_ntoa(peer_sa.sin_addr));
537: X if (them == NULL) {
538: X fprintf(stderr, "malloc failed\n");
539: X exit(1);
540: X }
541: X syslog(LOG_PRIO,
542: X "pserver connection from %s:%d to %s:%d\n",
543: X them, ntohs(peer_sa.sin_port),
544: X us, ntohs(my_sa.sin_port));
545: X#endif /* USE_SYSLOG */
1.11 millert 546: X execle("/usr/bin/cvs", "cvs",
1.17 espie 547: X "--allow-root="LOCALROOT, "pserver", (char *)NULL, env);
1.6 deraadt 548: X perror("execle: cvs");
549: X fprintf(stderr, "unable to exec CVS pserver!\n");
550: X exit(1);
551: X /* NOTREACHED */
552: X }
1.8 beck 553: X#endif
1.1 deraadt 554: X
555: X if (argc != 3 ||
556: X strcmp("anoncvssh", argv[0]) != 0 ||
557: X strcmp("-c", argv[1]) != 0 ||
1.5 deraadt 558: X (strcmp("cvs server", argv[2]) != 0 &&
1.17 espie 559: X strcmp("cvs -d "LOCALROOT" server", argv[2]) != 0)) {
1.1 deraadt 560: X fprintf(stderr, "\nTo use anonymous CVS install the latest ");
561: X fprintf(stderr,"version of CVS on your local machine.\n");
562: X fprintf(stderr,"Then set your CVSROOT environment variable ");
563: X fprintf(stderr,"to the following value:\n");
564: X fprintf(stderr,"\t%s\n\n", CVSROOT);
1.5 deraadt 565: X#ifdef DEBUG
566: X fprintf(stderr, "argc = %d\n", argc);
567: X for (i = 0 ; i < argc ; i++)
568: X fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
569: X#endif /* DEBUG */
1.1 deraadt 570: X sleep(10);
571: X exit(0);
572: X }
1.19 beck 573: X
574: X execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
575: X
1.4 deraadt 576: X perror("execle: cvs");
1.1 deraadt 577: X fprintf(stderr, "unable to exec CVS server!\n");
578: X exit(1);
1.5 deraadt 579: X /* NOTREACHED */
1.1 deraadt 580: X}
581: X
582: END-of-anoncvssh.c
583: exit
584: