Annotation of www/anoncvs.shar, Revision 1.29
1.29 ! beck 1: # This is a shell archive. Save it in a file, remove anything before
! 2: # this line, and then unpack it by entering "sh file". Note, it may
! 3: # create directories; files and directories will be owned by you and
! 4: # have default permissions.
! 5: #
! 6: # This archive contains:
! 7: #
! 8: # Makefile
! 9: # README
! 10: # anoncvssh.c
! 11: #
! 12: echo x - Makefile
! 13: sed 's/^X//' >Makefile << 'END-of-Makefile'
! 14: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
! 15: XPROG= anoncvssh
! 16: XBINOWN= root
! 17: XBINMODE=4111
! 18: XBINDIR=/open
! 19: XNOMAN=
! 20: X
! 21: X.include <bsd.prog.mk>
! 22: X
! 23: END-of-Makefile
! 24: echo x - README
! 25: sed 's/^X//' >README << 'END-of-README'
! 26: X
! 27: X So, you want to run an anoncvs server.
! 28: X
! 29: X A summary of the steps you'll need to do is:
! 30: X
! 31: X1) Find enough disk space to hold the anoncvs tree, and mount it in an
! 32: X appropriate place.
! 33: X
! 34: X2) Compile and install anoncvssh, the shell used for the anoncvs user.
! 35: X Install the cvsync client using the 'pkg_add cvsync' command.
! 36: X ( If you aren't using OpenBSD you'll probably need to compile a cvsync
! 37: X client as well. The easier path is to use OpenBSD ;).
! 38: X
! 39: X3) Add the anoncvs user to the password file, with no password, and
! 40: X anoncvssh as its shell. Decide on a user that will run cvsync to maintain
! 41: X the archive (this is a different user, NOT the anoncvs user).
! 42: X
! 43: X4) Make a home directory for the anoncvs user. The anoncvs user's
! 44: X home directory is a chroot jail in which the anoncvssh processes
! 45: X run when servicing anoncvs requests. The jail must contain the
! 46: X cvs binary as well as whatever shared libraries and support files
! 47: X are needed to run them unless you compile and link everything
! 48: X statically. This example shows what is needed for OpenBSD. If you
! 49: X use another platform you'll need to be familiar with what needs
! 50: X to go in a chroot jail for your platform.
! 51: X
! 52: X5) Get permission to use cvsync to obtain the cvs tree from a server.
! 53: X
! 54: X6) Set up cvsync to retrieve the cvs tree from an appropriate place.
! 55: X
! 56: X7) Run cvsync to retrieve the distribution from the server.
! 57: X
! 58: X8) Once you get the distribution in, set up a cron job to run cvsync
! 59: X periodically to keep your server up to date.
! 60: X
! 61: X**********************************************************************
! 62: XSTEP 1) find enough disk space.
! 63: X You need roughly 6GB.
! 64: X Mount it on /open, make sure it doesn't have nosuid and nodev flags
! 65: X (the setuid anoncvssh binary and the jail's dev/null live on it). If you are
! 66: X not able to mount it as /open, substitute its location throughout the rest of this description.
! 67: X
! 68: X**********************************************************************
! 69: XSTEP 2) compile the anoncvssh binary.
! 70: X In the Makefile, change the variable CVSROOT.
! 71: X Install the binary setuid-root in /open/anoncvssh.
! 72: X
! 73: X**********************************************************************
! 74: XSTEP 3) Create the anoncvs account and decide who will run "cvsync"
! 75: X to maintain the archive. The anoncvs account should *NOT* be the one
! 76: X running cvsync to maintain the archive.
! 77: X
! 78: Xcreate an account similar to:
! 79: X
! 80: X anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
! 81: X
! 82: XYes, that is right - the account has no password. Be sure that the
! 83: Xuid and gid are unique for your system, if the ones above aren't,
! 84: Xpick different values.
! 85: X
! 86: XDecide who will run cvsync to maintain the archive. Call that user
! 87: X$CVSYNCUSER. Oh, and in case it hasn't been previously mentioned,
! 88: X$CVSYNCUSER should *NOT* be the anoncvs user :).
! 89: X
! 90: XAdd the following to the end of your /etc/ssh/sshd_config and restart
! 91: Xyour sshd daemon:
! 92: X
! 93: XMatch User anoncvs
! 94: X PermitEmptyPasswords yes
! 95: X AllowTcpForwarding no
! 96: X AllowAgentForwarding no
! 97: X X11Forwarding no
! 98: X PermitTTY no
! 99: X
! 100: X**********************************************************************
! 101: XSTEP 4) Build the anoncvs user's home directory chroot jail. This
! 102: X example assumes that you're using OpenBSD. If you're not you
! 103: X may need different files in the chroot.
! 104: X
! 105: Xmkdir /open/anoncvs
! 106: Xmkdir /open/anoncvs/cvs
! 107: Xchown -R $CVSYNCUSER /open/anoncvs/cvs /open/anoncvs
! 108: X
! 109: XStart filling the account up with nice stuff. You are building a chroot
! 110: Xjail for anoncvs in /open/anoncvs.
! 111: X
! 112: X cd /open/anoncvs
! 113: X touch .hushlogin
! 114: X touch .profile
! 115: X mkdir bin dev tmp usr var etc
! 116: X cp /bin/{cat,pwd,rm,sh} bin/
! 117: X
! 118: XUsing mknod, make a dev/null that has the same major/minor numbers as
! 119: X your /dev/null, and make it mode 666.
! 120: X
! 121: XSome shared library systems require a dev/zero created in the same way.
! 122: X
! 123: XFill etc space for the account
! 124: X cp /etc/{group,hosts,passwd,protocols} etc/
! 125: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
! 126: X modify these files to suit your idea of system security
! 127: X
! 128: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses
! 129: Xa tiny extension provided in the openbsd cvs server code which
! 130: Xpermits the use of read-only cvs repositories, therefore you MUST
! 131: Xcompile the openbsd version of cvs. Luckily this is not a problem
! 132: Xon a non-openbsd machine, since the cvs sources are imported verbatim
! 133: Xinto the openbsd tree. They are in gnu/usr.bin/cvs. The sources
! 134: Xare integrated in such a way that Makefile.bsd-wrapper knows how to build
! 135: Xthe sources on an OpenBSD machine, using obj directories.
! 136: X
! 137: XCreate tmp space for the account
! 138: X # (cd var && ln -s ../tmp tmp)
! 139: X # chmod a+rwx tmp
! 140: X
! 141: X # mkdir usr/{bin,lib}
! 142: X # cp /usr/bin/cvs usr/bin/
! 143: X
! 144: XIf your system has ld.so in /usr/libexec,
! 145: X # mkdir usr/libexec
! 146: X # cp /usr/libexec/ld.so usr/libexec/
! 147: X
! 148: XIf using shared libraries, use ldd to find out which shared libs you need:
! 149: X # ldd /usr/bin/cvs
! 150: X /usr/bin/cvs:
! 151: X Start End Type Open Ref GrpRef Name
! 152: X 1c000000 3c01f000 exe 1 0 0 /usr/bin/cvs
! 153: X 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.5.0
! 154: X 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.84.2
! 155: X 094ca000 094ca000 rtld 0 1 0 /usr/libexec/ld.so
! 156: X
! 157: X and then copy the required libraries to usr/lib/
! 158: X
! 159: XAs a final pass, make sure that all the files you have just created are
! 160: Xnot world writable (except dev/null, dev/zero if you created it, and tmp).
! 161: X
! 162: XFor :pserver: support (optional)
! 163: X - Create an entry in /etc/services
! 164: X cvspserver 2401/tcp # CVS client/server operations
! 165: X - Create an entry in /etc/inetd.conf
! 166: X cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
! 167: X - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
! 168: X anoncvs:AHDysQkJIubEc
! 169: X which would be a password of "anoncvs" (as per anoncvs.html)
! 170: X - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
! 171: X anoncvs
! 172: X which tells cvs that user "anoncvs" is allowed readonly access.
! 173: X - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
! 174: X want anyone to be able to write to the mirror.
! 175: X % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers
! 176: X
! 177: XSee the example layout below for full details.
! 178: X
! 179: X**********************************************************************
! 180: XSTEP 5): Get cvsync permission.
! 181: Xsend mail to sup@openbsd.org
! 182: X1) to have cvsync permissions granted on an appropriate machine for you
! 183: X to cvsync from. We will need to know your host's real hostname and
! 184: X IP address.
! 185: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created.
! 186: X3) to have your site mentioned in the http://www.openbsd.org/anoncvs.html page.
! 187: X
! 188: X**********************************************************************
! 189: XSTEP 6): Configure cvsync.
! 190: X
! 191: XYou have to install the cvsync package.
! 192: X
! 193: XThe file /etc/cvsync.conf contains the configuration of cvsync. It will
! 194: Xnormally contain:
! 195: X
! 196: Xconfig {
! 197: X base-prefix /open/anoncvs/
! 198: X hostname anoncvs.ca.openbsd.org
! 199: X collection {
! 200: X name openbsd-cvsroot release rcs
! 201: X prefix cvs
! 202: X }
! 203: X collection {
! 204: X name openbsd-src release rcs
! 205: X prefix cvs
! 206: X }
! 207: X collection {
! 208: X name openbsd-ports release rcs
! 209: X prefix cvs
! 210: X }
! 211: X collection {
! 212: X name openbsd-www release rcs
! 213: X prefix cvs
! 214: X }
! 215: X collection {
! 216: X name openbsd-xenocara release rcs
! 217: X prefix cvs
! 218: X }
! 219: X}
! 220: X
! 221: X**********************************************************************
! 222: XSTEP 7): Run cvsync to retrieve the tree for the first time.
! 223: X
! 224: XLog in as or become the $CVSYNCUSER, and run
! 225: X
! 226: Xcvsync > /tmp/cvsynclog &; tail -f /tmp/cvsynclog
! 227: X
! 228: XIf you have cvsync permission, and have specified the correct host and
! 229: Xprefix in /etc/cvsync.conf you should see a list of files start
! 230: Xcoming in after a short while. Don't panic if nothing happens
! 231: Ximmediately. Watch for errors (cvsync can timeout or die). If you can't
! 232: Xaccess files contact the cvsync server maintainer. If you get a timeout
! 233: Xor if cvsync dies you can restart and it should continue where it left off.
! 234: X
! 235: XIt can take a good while (and a couple of restarts) to obtain the
! 236: Xwhole tree for the first time.
! 237: X
! 238: X**********************************************************************
! 239: XSTEP 8): Set up cron to keep the tree up to date.
! 240: X
! 241: XYou run cvsync periodically from the cron by setting up the crontab file
! 242: Xof the $CVSYNCUSER.
! 243: X
! 244: XFor example, to update every two hours:
! 245: X
! 246: X15 */2 * * * /usr/local/bin/cvsync > /dev/null
! 247: X
! 248: X**********************************************************************
! 249: X
! 250: XEXAMPLE LAYOUT
! 251: X
! 252: XExample layout for OpenBSD. In this example "deraadt" is the $CVSYNCUSER.
! 253: X
! 254: X$ cd /open
! 255: X$ ls -alF
! 256: Xtotal 64
! 257: Xdrwxr-xr-x 5 root wheel 512 Jun 18 22:29 ./
! 258: Xdrwxr-xr-x 13 root wheel 512 Jun 4 05:14 ../
! 259: Xdrwxr-xr-x 9 deraadt wheel 512 Jun 3 02:15 anoncvs/
! 260: X---s--x--x 1 root wheel 14302 Jun 18 22:29 anoncvssh*
! 261: Xdrwxr-xr-x 4 root wheel 5120 Jun 10 14:34 ftp/
! 262: X
! 263: X$ cd anoncvs
! 264: X$ ls -alF
! 265: Xtotal 68
! 266: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ./
! 267: Xdrwxr-xr-x 5 root wheel 512 Jun 10 14:32 ../
! 268: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .hushlogin
! 269: X-rw-r--r-- 1 root wheel 84 Jun 3 01:50 .plan
! 270: X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .profile
! 271: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 bin/
! 272: Xdrwxr-xr-x 7 deraadt wheel 512 Jun 18 22:19 cvs/
! 273: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 dev/
! 274: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 etc/
! 275: Xdrwxrwxrwx 10 root wheel 512 Jun 18 17:38 tmp/
! 276: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 usr/
! 277: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:54 var/
! 278: X$ ls -alFR bin usr tmp etc dev
! 279: Xbin:
! 280: Xtotal 1984
! 281: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 ./
! 282: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
! 283: X-r-xr-xr-x 1 root wheel 132368 Jun 3 01:40 cat*
! 284: X-r-xr-xr-x 1 root wheel 124176 Jun 3 01:40 pwd*
! 285: X-r-xr-xr-x 1 root wheel 238864 Jun 3 01:40 rm*
! 286: X-r-xr-xr-x 1 root wheel 460048 Jun 3 01:40 sh*
! 287: X
! 288: Xdev:
! 289: Xtotal 8
! 290: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 ./
! 291: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
! 292: Xcrw-rw-rw- 1 root wheel 3, 2 Jun 3 01:51 null
! 293: Xcrw-rw-rw- 1 root wheel 3, 12 Jun 3 01:51 zero
! 294: X
! 295: Xetc:
! 296: Xtotal 188
! 297: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 ./
! 298: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
! 299: X-r--r--r-- 1 root wheel 64 Jun 3 01:52 group*
! 300: X-r--r--r-- 1 root wheel 576 Jun 3 01:52 hosts*
! 301: X-r--r--r-- 1 root wheel 291 Jun 3 01:53 passwd*
! 302: X-r--r--r-- 1 root wheel 5625 Jun 3 01:52 protocols*
! 303: X-r--r--r-- 1 root wheel 40960 Jun 3 01:52 pwd.db*
! 304: X-r--r--r-- 1 root wheel 93 Jun 3 01:52 resolv.conf*
! 305: X-r--r--r-- 1 root wheel 9875 Jun 3 01:52 services*
! 306: X-r--r--r-- 1 root wheel 26428 Jun 3 01:52 ttys*
! 307: X
! 308: Xusr:
! 309: Xtotal 20
! 310: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ./
! 311: Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../
! 312: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 bin/
! 313: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 lib/
! 314: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 libexec/
! 315: X
! 316: Xusr/bin:
! 317: Xtotal 3016
! 318: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 ./
! 319: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
! 320: X-r-xr-xr-x 1 root wheel 643728 Jun 3 01:54 cvs*
! 321: X
! 322: Xusr/lib:
! 323: Xtotal 42344
! 324: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./
! 325: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
! 326: X-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.84.2
! 327: X-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.5.0
! 328: X
! 329: Xusr/libexec:
! 330: Xtotal 120
! 331: Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 ./
! 332: Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
! 333: X-r-xr-xr-x 1 root wheel 55683 Jun 3 01:55 ld.so*
! 334: X$ ls cvs
! 335: XCVSROOT ports src www xenocara
! 336: X
! 337: END-of-README
! 338: echo x - anoncvssh.c
! 339: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
! 340: X/*
! 341: X * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
! 342: X * Copyright (c) 1997 Bob Beck <beck@obtuse.com>
! 343: X * Copyright (c) 1996 Thorsten Lockert <tholo@sigmasoft.com>
! 344: X *
! 345: X * Permission to use, copy, modify, and distribute this software for any
! 346: X * purpose with or without fee is hereby granted, provided that the above
! 347: X * copyright notice and this permission notice appear in all copies.
! 348: X *
! 349: X * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 350: X * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 351: X * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 352: X * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 353: X * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 354: X * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 355: X * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 356: X */
! 357: X
! 358: X#include <stdio.h>
! 359: X#include <stdlib.h>
! 360: X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
! 361: X#include <paths.h>
! 362: X#endif
! 363: X#include <pwd.h>
! 364: X#include <unistd.h>
! 365: X#include <sys/types.h>
! 366: X
! 367: X#ifndef __P
! 368: X#if defined(__STDC__) || defined(__cplusplus)
! 369: X#define __P(protos) protos /* full-blown ANSI C */
! 370: X#else
! 371: X#define __P(protos) () /* traditional C preprocessor */
! 372: X#endif
! 373: X#endif
! 374: X
! 375: X/*
! 376: X * You may need to change this path to ensure that RCS, CVS and diff
! 377: X * can be found
! 378: X */
! 379: X#ifndef _PATH_DEFPATH
! 380: X#define _PATH_DEFPATH "/bin:/usr/bin"
! 381: X#endif
! 382: X
! 383: X/*
! 384: X * This should not normally have to be changed
! 385: X */
! 386: X#ifndef _PATH_BSHELL
! 387: X#define _PATH_BSHELL "/bin/sh"
! 388: X#endif
! 389: X
! 390: X/*
! 391: X * Location of CVS tree, relative to the anonymous CVS user's
! 392: X * home directory
! 393: X */
! 394: X#ifndef LOCALROOT
! 395: X#define LOCALROOT "/cvs"
! 396: X#endif
! 397: X
! 398: X/*
! 399: X * Hostname to be used when accessing the remote repository.
! 400: X */
! 401: X#ifndef HOSTNAME
! 402: X#define HOSTNAME "anoncvs1.usa.openbsd.org"
! 403: X#endif
! 404: X
! 405: X/*
! 406: X * Username to be used when accessing the remote repository.
! 407: X */
! 408: X#ifndef USERNAME
! 409: X#define USERNAME "anoncvs"
! 410: X#endif
! 411: X
! 412: X/*
! 413: X * $CVSROOT is created based on USERNAME HOSTNAME and LOCALROOT above
! 414: X */
! 415: X#ifndef CVSROOT
! 416: X#define CVSROOT USERNAME "@" HOSTNAME ":"LOCALROOT
! 417: X#endif
! 418: X
! 419: X/*
! 420: X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
! 421: X * You may undefine this if you aren't going to be running pserver.
! 422: X */
! 423: X#ifndef PSERVER_SUPPORT
! 424: X#define PSERVER_SUPPORT
! 425: X#endif
! 426: X
! 427: X
! 428: X/*
! 429: X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
! 430: X * using syslog()
! 431: X */
! 432: X#define USE_SYSLOG
! 433: X
! 434: X#ifdef USE_SYSLOG
! 435: X#include <string.h>
! 436: X#include <syslog.h>
! 437: X#include <netinet/in.h>
! 438: X#include <sys/socket.h>
! 439: X#include <arpa/inet.h>
! 440: X#define LOG_FACILITY LOG_DAEMON
! 441: X#define LOG_PRIO LOG_INFO
! 442: X#endif
! 443: X
! 444: X/* Define ANONCVS_USER if you want anoncvssh to complain if invoked by
! 445: X * anyone other than root or ANONCVS_USER.
! 446: X */
! 447: X/* #define ANONCVS_USER USERNAME */
! 448: X
! 449: Xint main __P((int, char *[]));
! 450: X
! 451: Xchar * const env[] = { /* complete environment given to cvs via execle() in main(); the caller's environment is not passed on */
! 452: X "PATH="_PATH_DEFPATH,
! 453: X "SHELL="_PATH_BSHELL,
! 454: X "CVSROOT="LOCALROOT, /* repository path as seen from inside the chroot */
! 455: X "HOME=/",
! 456: X "CVSREADONLYFS=1", /* per the README: selects the OpenBSD cvs read-only repository extension */
! 457: X NULL
! 458: X};
! 459: X
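/*
 * anoncvssh: restricted shell for the anonymous CVS account.
 *
 * Looks up the invoking user, chroots into that user's home directory,
 * gives up root, and then execs /usr/bin/cvs with the fixed environment
 * in env[].  Two invocations are accepted:
 *   - the login-shell form `anoncvssh -c "cvs server"` (or the variant
 *     with `-d LOCALROOT`), which runs "cvs server";
 *   - with PSERVER_SUPPORT, the single argument "pserver", which runs
 *     "cvs pserver" restricted to LOCALROOT.
 * Anything else prints usage help, sleeps 10 seconds and exits 0.
 *
 * The process leaves only through exit() or a successful exec: status 1
 * on any setup or exec failure, 0 after the usage text.
 */
int
main(int argc, char *argv[])
{
	struct passwd *pw;
#ifdef DEBUG
	int i;
#endif /* DEBUG */

	pw = getpwuid(getuid());
	if (pw == NULL) {
		/* uid_t is cast so the argument matches the %d conversion. */
		fprintf(stderr, "no user for uid %d\n", (int)getuid());
		exit(1);
	}
	if (pw->pw_dir == NULL) {
		fprintf(stderr, "no directory\n");
		exit(1);
	}

#ifdef USE_SYSLOG
	openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
#endif /* USE_SYSLOG */

#ifdef ANONCVS_USER
	/*
	 * The binary is setuid, so any local user can start it.  Refuse
	 * (and log) every caller other than root or ANONCVS_USER.
	 */
	if (getuid() != 0 && (strcmp(pw->pw_name, ANONCVS_USER) != 0)) {
		fprintf(stderr, "You're not supposed to be running me!\n");
#ifdef USE_SYSLOG
		syslog(LOG_NOTICE,
		    "User %s(%d) invoked anoncvssh - Possible twink?",
		    pw->pw_name, (int)pw->pw_uid);
#endif /* USE_SYSLOG */
		exit(1);
	}
#endif /* ANONCVS_USER */

	/*
	 * Enter the jail and drop privileges.  Every step is checked:
	 * carrying on after a failed chdir() would leave the working
	 * directory outside the new root, and carrying on after a failed
	 * setuid(pw->pw_uid) would run cvs as root.
	 */
	if (setuid(0) == -1) {
		perror("setuid");
		exit(1);
	}
	if (chroot(pw->pw_dir) == -1) {
		perror("chroot");
		exit(1);
	}
	if (chdir("/") == -1) {
		perror("chdir");
		exit(1);
	}
	if (setuid(pw->pw_uid) == -1) {
		perror("setuid");
		exit(1);
	}

#ifdef __OpenBSD__
	/*
	 * pledge(2) is OpenBSD-only; on other platforms the chroot and the
	 * uid drop above are the only confinement.  Failure is reported
	 * with perror() like every other error here, since <err.h> is not
	 * included by this file.
	 */
	if (pledge("stdio inet exec", NULL) == -1) {
		perror("pledge");
		exit(1);
	}
#endif /* __OpenBSD__ */

	/*
	 * program now "safe"
	 */

#ifdef PSERVER_SUPPORT
	/* If we want pserver functionality */
	if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
#ifdef USE_SYSLOG
		/* getsockname()/getpeername() take a socklen_t *, not int *. */
		socklen_t slen;
		/*
		 * NOTE(review): sockaddr_in and inet_ntoa() describe IPv4
		 * only; a connection of another address family would be
		 * logged incorrectly -- confirm the listener is IPv4.
		 */
		struct sockaddr_in my_sa, peer_sa;
		char *us, *them;

		/* fd 0 is the client connection when started from inetd. */
		slen = sizeof(my_sa);
		if (getsockname(0, (struct sockaddr *)&my_sa, &slen) != 0) {
			perror("getsockname");
			exit(1);
		}
		/* inet_ntoa() returns a static buffer, so copy each result. */
		us = strdup(inet_ntoa(my_sa.sin_addr));
		if (us == NULL) {
			fprintf(stderr, "malloc failed\n");
			exit(1);
		}
		slen = sizeof(peer_sa);
		if (getpeername(0, (struct sockaddr *)&peer_sa, &slen) != 0) {
			perror("getpeername");
			exit(1);
		}
		them = strdup(inet_ntoa(peer_sa.sin_addr));
		if (them == NULL) {
			fprintf(stderr, "malloc failed\n");
			exit(1);
		}
		syslog(LOG_PRIO,
		    "pserver connection from %s:%d to %s:%d\n",
		    them, ntohs(peer_sa.sin_port),
		    us, ntohs(my_sa.sin_port));
#endif /* USE_SYSLOG */
		/* --allow-root limits pserver to the repository in the jail. */
		execle("/usr/bin/cvs", "cvs",
		    "--allow-root="LOCALROOT, "pserver", (char *)NULL, env);
		perror("execle: cvs");
		fprintf(stderr, "unable to exec CVS pserver!\n");
		exit(1);
		/* NOTREACHED */
	}
#endif

	/*
	 * Only the exact command strings below are accepted; the argument
	 * is compared, never parsed or handed to a shell.
	 */
	if (argc != 3 ||
	    strcmp("anoncvssh", argv[0]) != 0 ||
	    strcmp("-c", argv[1]) != 0 ||
	    (strcmp("cvs server", argv[2]) != 0 &&
	    strcmp("cvs -d "LOCALROOT" server", argv[2]) != 0)) {
		fprintf(stderr, "\nTo use anonymous CVS install the latest ");
		fprintf(stderr,"version of CVS on your local machine.\n");
		fprintf(stderr,"Then set your CVSROOT environment variable ");
		fprintf(stderr,"to the following value:\n");
		fprintf(stderr,"\t%s\n\n", CVSROOT);
#ifdef DEBUG
		fprintf(stderr, "argc = %d\n", argc);
		for (i = 0 ; i < argc ; i++)
			fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
#endif /* DEBUG */
		sleep(10);
		exit(0);
	}

	execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);

	/* execle() returns only on failure. */
	perror("execle: cvs");
	fprintf(stderr, "unable to exec CVS server!\n");
	exit(1);
	/* NOTREACHED */
}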
! 585: X
! 586: END-of-anoncvssh.c
! 587: exit
1.1 deraadt 588: