Annotation of www/anoncvs.shar, Revision 1.3
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
8: # README
9: # Makefile
10: # anoncvssh.c
11: #
12: echo x - README
13: sed 's/^X//' >README << 'END-of-README'
14: Xfind enough disk space.
15: X you need roughly 300MB.
16: X mount it on /open
 if you are not able to mount it as /open, substitute its location
 throughout this description
19: X
20: Xcompile the anoncvssh binary
21: X in the Makefile, change the variable CVSROOT
 install the binary setuid-root, owned by root and mode 4111 (the
 Makefile's BINOWN/BINMODE do this). root is needed only for the
 chroot(2) call; anoncvssh drops back to the anoncvs uid right after it.
1.1 deraadt 23: X
24: Xcreate an account:
 anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
yes, that is right. the account has no password. anyone who can reach
the machine can log in as anoncvs, so the only thing protecting it is
that the login shell is anoncvssh: it chroots into the home directory,
drops privileges, and will run nothing except "cvs server". keep it that
way -- never give the account a real shell, and put nothing in the
chroot that cvs does not need.
1.1 deraadt 27: X
install a crontab entry which runs as any user besides anoncvs (ie. run
it as yourself, or as root), so that the mirrored repository is owned
by a uid the anoncvs account cannot write as. call that user $SUPUSER
1.3 ! deraadt 30: X 0 */3 * * 0,1,3,4,6 /usr/local/bin/sup -v /open/sup/ss
! 31: X 0 */6 * * 2,5 /usr/local/bin/sup -vo /open/sup/ss
! 32: X
! 33: Xanoncvs1.usa.openbsd.org uses this particular set of entries. A `sup
! 34: X-o' is done every few days because sup is not very robust.
1.1 deraadt 35: X
36: Xthe file /open/sup/ss contains
37: X cvs host=cvs.openbsd.org hostbase=/ base=/open/anoncvs delete
38: X
39: Xmkdir /open/
40: Xmkdir /open/anoncvs
41: Xmkdir /open/anoncvs/cvs
42: Xmkdir /open/sup
43: Xchown -R $SUPUSER /open/anoncvs/cvs /open/sup
44: X
45: Xstart filling the account up with nice stuff
46: X cd /open/anoncvs
47: X touch .hushlogin
48: X touch .profile
49: X
50: Xput a message like the following in .plan:
51: X To use anonymous CVS install the latest version of CVS on your local machine.
52: X Then set your CVSROOT environment variable to the following value:
53: X anoncvs@anoncvs.openbsd.org:/cvs
54: X
55: X chown root.wheel .hushlogin .profile .plan
56: X
57: X mkdir bin dev tmp usr var etc
58: X cp /bin/{cat,pwd,rm,sh} bin/
59: X
60: Xusing mknod, make a dev/null that has the same major/minor numbers as
61: X your /dev/null, and make it mode 666.
62: X
63: Xsome shared library systems require a dev/zero created in the same way
64: X
65: Xfill etc space for the account
66: X cp /etc/{group,hosts,passwd,protocols} etc/
67: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
 modify these files to suit your idea of system security. they are
 readable by anyone who logs in as anoncvs, so strip passwd and pwd.db
 down to the entries that are actually needed inside the chroot, and
 remove anything else that describes your real machine.
69: X
anoncvssh (by setting the environment variable CVSREADONLYFS) uses a
tiny extension provided in the openbsd cvs server code which permits
! 72: Xthe use of read-only cvs repositories. therefore you MUST compile the
! 73: Xopenbsd version of cvs. luckily this is not a problem on a
! 74: Xnon-openbsd machine since the cvs sources are imported verbatim into
! 75: Xthe openbsd tree. they are in gnu/usr.bin/cvs. The sources are
! 76: Xintegrated such that Makefile.bsd-wrapper knows how to build the
! 77: Xsources on an OpenBSD machine, using obj directories.
1.1 deraadt 78: X
79: Xcreate tmp space for the account
80: X cd var; ln -s ../tmp tmp
81: X chmod a+rwx tmp
82: X
83: X mkdir usr/{bin,lib}
84: X cp /usr/bin/{ci,co,cvs,diff,diff3,gzip,rcs,rcsclean} usr/bin/
85: X cp /usr/bin/{rcsdiff,rcsfreeze,rcsmerge,rlog,sdiff,zdiff} usr/bin/
86: X
87: Xif your system has ld.so in /usr/libexec,
88: X mkdir usr/libexec
89: X cp /usr/libexec/ld.so usr/libexec/
90: X
if using shared libraries, copy the shared libs you might need:
 cp /usr/lib/lib*.so.* usr/lib/
 (better: copy only the libraries that ldd reports for the binaries in
 bin/ and usr/bin/. every extra library in the chroot is code that has
 no business being there.)
93: X
as a final pass, make sure that nothing you have just created -- files
or directories -- is world writeable (except dev/null and tmp). a world
writeable bin/ or usr/bin/ would let the anoncvs user replace sh, cat,
or cvs itself. note that the example layout below shows bin/ as
drwxrwxrwx; it should be drwxr-xr-x like usr/bin/.
96: X
1.3 ! deraadt 97: Xsend mail to deraadt@openbsd.org
! 98: X1) to have sup permissions granted.
! 99: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created
! 100: X3) to have your site mentioned in the http://www.openbsd.org page.
! 101: X
! 102: X
! 103: XExample layout. In this example "deraadt" is the $SUPUSER.
! 104: X
! 105: X[eap open 5 ]> cd /open
! 106: X[eap open 6 ]> ls -alF
! 107: Xtotal 46
! 108: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./
! 109: Xdrwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../
! 110: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 anoncvs/
! 111: X---s--x--x 1 root bin 16384 Nov 30 1995 anoncvssh*
! 112: Xlrwxr-xr-x 1 root wheel 11 Jan 3 21:52 cvs@ -> anoncvs/cvs
! 113: Xdrwxr-xr-x 5 root wheel 512 Feb 22 13:22 ftp/
! 114: Xdrwxrwxrwt 2 anoncvs wheel 1024 Jan 1 13:18 lost+found/
! 115: Xdrwxr-xr-x 4 root wheel 512 Nov 30 1995 src/
! 116: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 sup/
! 117: X[eap open 7 ]> cd anoncvs
! 118: X[eap anoncvs 8 ]> ls -alF
! 119: Xtotal 20
! 120: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ./
! 121: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
! 122: X-r--r--r-- 1 root wheel 0 Nov 30 1995 .hushlogin
! 123: X-r--r--r-- 1 root wheel 188 Nov 30 1995 .plan
! 124: X-r--r--r-- 1 root wheel 0 Nov 29 1995 .profile
! 125: Xdrwxrwxrwx 2 deraadt wheel 512 Nov 29 1995 bin/
! 126: Xdrwxrwxr-x 6 deraadt cvs 512 Jun 16 20:28 cvs/
! 127: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 dev/
! 128: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 etc/
! 129: Xdrwxrwxrwx 3 root wheel 512 Jun 22 07:42 tmp/
! 130: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 usr/
! 131: Xdrwxr-xr-x 2 root wheel 512 Jan 3 21:55 var/
! 132: X[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev
! 133: Xbin:
! 134: Xtotal 948
! 135: Xdrwxrwxrwx 2 deraadt wheel 512 Nov 29 1995 ./
! 136: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
! 137: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 cat*
! 138: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 pwd*
! 139: X--wx--x--x 1 deraadt wheel 122880 Jun 18 09:45 rm*
! 140: X--wx--x--x 1 deraadt wheel 262144 Jun 18 09:45 sh*
! 141: X
! 142: Xdev:
! 143: Xtotal 4
! 144: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 ./
! 145: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
! 146: Xcrw-rw-rw- 1 root wheel 2, 2 Nov 30 1995 null
! 147: X
! 148: Xetc:
! 149: Xtotal 112
! 150: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 ./
! 151: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
! 152: X-rw-r--r-- 1 root wheel 252 Nov 29 1995 group
! 153: X-rw-r--r-- 1 root wheel 296 Nov 29 1995 hosts
! 154: X-rw-r--r-- 1 root wheel 540 Nov 29 1995 passwd
! 155: X-rw-r--r-- 1 root wheel 1094 Nov 29 1995 protocols
! 156: X-rw-r--r-- 1 root wheel 40960 Nov 29 1995 pwd.db
! 157: X-rw-r--r-- 1 root wheel 89 Nov 29 1995 resolv.conf
! 158: X-rw-r--r-- 1 root wheel 5529 Nov 29 1995 services
! 159: X-rw-r--r-- 1 root wheel 1361 Nov 29 1995 ttys
! 160: X
! 161: Xusr:
! 162: Xtotal 10
! 163: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ./
! 164: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
! 165: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 bin/
! 166: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 lib/
! 167: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 libexec/
! 168: X
! 169: Xusr/bin:
! 170: Xtotal 1968
! 171: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 ./
! 172: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
! 173: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 ci*
! 174: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 co*
! 175: X--wx--x--x 1 deraadt wheel 317787 Jun 18 09:46 cvs*
! 176: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 diff*
! 177: X--wx--x--x 1 deraadt wheel 24576 Jun 18 09:46 diff3*
! 178: X--wx--x--x 1 deraadt wheel 90112 Jun 18 09:46 gzip*
! 179: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 rcs*
! 180: X--wx--x--x 1 deraadt wheel 65536 Jun 18 09:46 rcsclean*
! 181: X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rcsdiff*
! 182: X--wx--x--x 1 deraadt wheel 3228 Jun 18 09:46 rcsfreeze*
! 183: X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rcsmerge*
! 184: X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rlog*
! 185: X--wx--x--x 1 deraadt wheel 24576 Jun 18 09:46 sdiff*
! 186: X--wx--x--x 1 deraadt wheel 2006 Jun 18 09:46 zdiff*
! 187: X
! 188: Xusr/lib:
! 189: Xtotal 5594
! 190: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 ./
! 191: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
! 192: X-rw-r--r-- 1 deraadt wheel 16665 Jun 18 09:50 libacl.so.4.0
! 193: X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libc.so.12.3
! 194: X-rw-r--r-- 1 deraadt wheel 377359 Jun 18 09:50 libc.so.12.6
! 195: X-rw-r--r-- 1 deraadt wheel 16608 Jun 18 09:50 libcrypt.so.0.0
! 196: X-rw-r--r-- 1 deraadt wheel 16465 Jun 18 09:50 libcrypt.so.1.0
! 197: X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libcurses.so.2.1
! 198: X-rw-r--r-- 1 deraadt wheel 86198 Jun 18 09:50 libcurses.so.3.0
! 199: X-rw-r--r-- 1 deraadt wheel 42254 Jun 18 09:50 libdes.so.4.1
! 200: X-rw-r--r-- 1 deraadt wheel 66099 Jun 18 09:50 libedit.so.0.0
! 201: X-rw-r--r-- 1 deraadt wheel 43131 Jun 18 09:50 libform.so.0.0
! 202: X-rw-r--r-- 1 deraadt wheel 387976 Jun 18 09:50 libg++.so.2.0
! 203: X-rw-r--r-- 1 deraadt wheel 305738 Jun 18 09:50 libg++.so.27.1
! 204: X-rw-r--r-- 1 deraadt wheel 25544 Jun 18 09:50 libgnumalloc.so.0.0
! 205: X-rw-r--r-- 1 deraadt wheel 42696 Jun 18 09:50 libiberty.so.0.0
! 206: X-rw-r--r-- 1 deraadt wheel 25282 Jun 18 09:50 libkadm.so.4.0
! 207: X-rw-r--r-- 1 deraadt wheel 16610 Jun 18 09:50 libkafs.so.4.0
! 208: X-rw-r--r-- 1 deraadt wheel 25539 Jun 18 09:50 libkdb.so.4.0
! 209: X-rw-r--r-- 1 deraadt wheel 59943 Jun 18 09:50 libkrb.so.4.0
! 210: X-rw-r--r-- 1 deraadt wheel 25328 Jun 18 09:50 libkvm.so.4.0
! 211: X-rw-r--r-- 1 deraadt wheel 102104 Jun 18 09:50 libm.so.0.1
! 212: X-rw-r--r-- 1 deraadt wheel 26540 Jun 18 09:50 libmenu.so.0.0
! 213: X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libocurses.so.2.1
! 214: X-rw-r--r-- 1 deraadt wheel 16881 Jun 18 09:50 libpanel.so.0.0
! 215: X-rw-r--r-- 1 deraadt wheel 60222 Jun 18 09:50 libpcap.so.0.0
! 216: X-rw-r--r-- 1 deraadt wheel 25060 Jun 18 09:50 libresolv.so.1.0
! 217: X-rw-r--r-- 1 deraadt wheel 16465 Jun 18 09:50 libresolv.so.2.0
! 218: X-rw-r--r-- 1 deraadt wheel 33538 Jun 18 09:50 libskey.so.0.0
! 219: X-rw-r--r-- 1 deraadt wheel 25764 Jun 18 09:50 libss.so.4.0
! 220: X-rw-r--r-- 1 deraadt wheel 277954 Jun 18 09:50 libstdc++.so.27.1
! 221: X-rw-r--r-- 1 deraadt wheel 16835 Jun 18 09:50 libtelnet.so.1.0
! 222: X-rw-r--r-- 1 deraadt wheel 16691 Jun 18 09:50 libtermcap.so.0.0
! 223: X-rw-r--r-- 1 deraadt wheel 16691 Jun 18 09:50 libtermlib.so.0.0
! 224: X-rw-r--r-- 1 deraadt wheel 75039 Jun 18 09:50 libtermlib.so.1.0
! 225: X-rw-r--r-- 1 deraadt wheel 16625 Jun 18 09:50 libutil.so.3.1
! 226: X-rw-r--r-- 1 deraadt wheel 25628 Jun 18 09:50 libutil.so.3.2
! 227: X
! 228: Xusr/libexec:
! 229: Xtotal 100
! 230: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 ./
! 231: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
! 232: X-rwxr-xr-x 1 deraadt wheel 49152 Jun 18 09:47 ld.so*
! 233: X
! 234: X[eap anoncvs 14 ]> ls cvs
! 235: XCVSROOT/ src/ sup/ www/
! 236: X[eap anoncvs 15 ]> ls /open
! 237: X[eap anoncvs 16 ]> ls -alF sup
! 238: Xtotal 8
! 239: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 ./
! 240: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
! 241: Xdrwxr-xr-x 2 deraadt wheel 512 Jun 22 06:05 cvs/
! 242: X-rw-rw-r-- 1 deraadt wheel 54 Dec 4 1995 ss
! 243: X
! 244: X
! 245: XThat's pretty much it.
1.1 deraadt 246: END-of-README
247: echo x - Makefile
248: sed 's/^X//' >Makefile << 'END-of-Makefile'
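# Repository address that anoncvssh prints to anyone who logs in
# interactively.  Change it here or on the make command line.  Setting
# the variable alone does nothing; the CFLAGS line is what gets it into
# the binary (anoncvssh.c falls back to a built-in default otherwise).
CVSROOT?=	anoncvs@anoncvs1.usa.openbsd.org:/cvs
CFLAGS+=	-DCVSROOT=\"${CVSROOT}\"

PROG=	anoncvssh
BINOWN=	root
# setuid root, execute-only for everyone (---s--x--x).  Root is needed
# for the chroot(2) call in anoncvssh.c and for nothing else.
BINMODE=4111
BINDIR=	/open
NOMAN=

.include <bsd.prog.mk>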
257: X
258: END-of-Makefile
259: echo x - anoncvssh.c
260: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
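/*
 * anoncvssh - login shell for the passwordless "anoncvs" account.
 *
 * Installed setuid root (see the Makefile: BINOWN=root, BINMODE=4111).
 * Root is used for exactly one thing, chroot(2) into the account's home
 * directory; all privilege is dropped before anything else happens.
 * The only command this shell will ever run is "cvs server", so a
 * remote user gets a read-only (CVSREADONLYFS) cvs server inside the
 * chroot and nothing else.  Any other invocation, e.g. an interactive
 * login, just prints directions and exits.
 */

#ifndef CVSROOT
#define CVSROOT "anoncvs@anoncvs1.usa.openbsd.org:/cvs"
#endif

#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(argc, argv)
int argc;
char *argv[];
{
	struct passwd *pw;
	uid_t uid = getuid();
	/*
	 * The environment handed to cvs is built from scratch instead of
	 * being inherited: whatever the login mechanism passed in (TERM,
	 * PATH, anything a client could influence) never reaches the
	 * server.  These are the same values the former putenv() calls
	 * set, plus a PATH limited to the two bin directories that exist
	 * inside the chroot.
	 */
	static char *const cvsenv[] = {
		"SHELL=/bin/sh",
		"CVSROOT=/cvs",
		"HOME=/",
		"PATH=/usr/bin:/bin",
		"CVSREADONLYFS=",
		NULL
	};

	/* the real uid decides whose home directory we chroot into */
	pw = getpwuid(uid);
	if (pw == NULL) {
		fprintf(stderr, "no user for uid %u\n", (unsigned)uid);
		exit(1);
	}
	if (pw->pw_dir == NULL || pw->pw_dir[0] == '\0') {
		fprintf(stderr, "no directory\n");
		exit(1);
	}

	/*
	 * chroot(2) needs euid 0, which we have because the binary is
	 * setuid root.  chdir("/") must follow and must succeed: a
	 * process whose cwd is still outside the new root is not confined
	 * by it, so a failed chdir is fatal rather than ignored.
	 */
	if (chroot(pw->pw_dir) == -1) {
		perror("chroot");
		exit(1);
	}
	if (chdir("/") == -1) {
		perror("chdir");
		exit(1);
	}

	/*
	 * Drop root for good.  setuid() (not seteuid()) sets the real,
	 * effective and saved uid, so nothing later in this process can
	 * regain privilege; if it fails we must not exec anything.
	 */
	if (setuid(uid) == -1) {
		perror("setuid");
		exit(1);
	}

	/*
	 * Only "anoncvssh -c 'cvs server'" is served -- the form in which
	 * a remote cvs client's rsh hands the command to the login shell.
	 * Anything else, including an interactive login (argc == 1), gets
	 * the directions and is sent away.  argc == 3 is checked first so
	 * the three argv entries are known to exist before being compared.
	 */
	if (argc != 3 ||
	    strcmp("anoncvssh", argv[0]) != 0 ||
	    strcmp("-c", argv[1]) != 0 ||
	    strcmp("cvs server", argv[2]) != 0) {
		fprintf(stderr, "\nTo use anonymous CVS install the latest ");
		fprintf(stderr, "version of CVS on your local machine.\n");
		fprintf(stderr, "Then set your CVSROOT environment variable ");
		fprintf(stderr, "to the following value:\n");
		fprintf(stderr, "\t%s\n\n", CVSROOT);
		/* presumably to let the user read the message before the
		 * connection drops; it also slows down scripted probing */
		sleep(10);
		exit(0);
	}

	/*
	 * From here on everything runs unprivileged inside the chroot,
	 * which is expected to contain only the cvs and rcs binaries the
	 * server needs (see README).  execle() passes exactly the
	 * environment built above and nothing else.
	 */
	execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, cvsenv);
	perror("execl: cvs");
	fprintf(stderr, "unable to exec CVS server!\n");
	exit(1);
}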
330: X
331: END-of-anoncvssh.c
332: exit
333: