Annotation of www/anoncvs.shar, Revision 1.5
1.1 deraadt 1: # This is a shell archive. Save it in a file, remove anything before
2: # this line, and then unpack it by entering "sh file". Note, it may
3: # create directories; files and directories will be owned by you and
4: # have default permissions.
5: #
6: # This archive contains:
7: #
8: # README
9: # Makefile
10: # anoncvssh.c
11: #
12: echo x - README
13: sed 's/^X//' >README << 'END-of-README'
14: Xfind enough disk space.
15: X you need roughly 300MB.
16: X mount it on /open
 if you are not able to mount it as /open, substitute its location
18: X throughout this description
19: X
20: Xcompile the anoncvssh binary
 in the Makefile, set the host the binary advertises: anoncvssh.c builds
 its CVSROOT from HOSTNAME and LOCALROOT, so add e.g.
 CFLAGS+= -DHOSTNAME='"anoncvs@your.host"' (the commented-out CVSROOT=
 make variable is not a preprocessor define and changes nothing by itself)
 install the binary setuid-root (the Makefile's BINOWN=root and BINMODE=4111
 do this; anoncvssh needs root only to chroot() and drops it again before
 it runs cvs).
1.1 deraadt 23: X
24: Xcreate an account:
1.2 deraadt 25: X anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
yes, that is right. the account has no password. this is only acceptable
because its login shell is anoncvssh, which chroots into the home directory,
drops to the anoncvs uid and refuses to run anything except `cvs server';
never give this account a real shell.
1.1 deraadt 27: X
install a crontab entry which runs as any user besides anoncvs (i.e. run
it as yourself, or as root), so that the repository files are owned by a
uid other than the one anonymous clients run as. call that user $SUPUSER
1.3 deraadt 30: X 0 */3 * * 0,1,3,4,6 /usr/local/bin/sup -v /open/sup/ss
31: X 0 */6 * * 2,5 /usr/local/bin/sup -vo /open/sup/ss
32: X
33: Xanoncvs1.usa.openbsd.org uses this particular set of entries. A `sup
34: X-o' is done every few days because sup is not very robust.
1.1 deraadt 35: X
36: Xthe file /open/sup/ss contains
37: X cvs host=cvs.openbsd.org hostbase=/ base=/open/anoncvs delete
38: X
1.4 deraadt 39: Xthe file /open/sup/cvs/refuse should contain the single line
40: X cvs/CVSROOT/history
41: Xif you ever fetch the file cvs/CVSROOT/history, delete it. it will
42: Xcause you problems.
43: X
44: Xon an IRIX or other SYSV machine, ensure that your kernel does not allow
45: Xa user to chown a file to another user. this will cause sup to give away
46: Xthe files to root before chmod'ing them readable. michaels@openbsd.org
47: Xknows how to fix this.
48: X
1.1 deraadt 49: Xmkdir /open/
50: Xmkdir /open/anoncvs
51: Xmkdir /open/anoncvs/cvs
52: Xmkdir /open/sup
53: Xchown -R $SUPUSER /open/anoncvs/cvs /open/sup
54: X
55: Xstart filling the account up with nice stuff
56: X cd /open/anoncvs
57: X touch .hushlogin
58: X touch .profile
59: X
60: Xput a message like the following in .plan:
61: X To use anonymous CVS install the latest version of CVS on your local machine.
62: X Then set your CVSROOT environment variable to the following value:
63: X anoncvs@anoncvs.openbsd.org:/cvs
64: X
65: X chown root.wheel .hushlogin .profile .plan
66: X
67: X mkdir bin dev tmp usr var etc
68: X cp /bin/{cat,pwd,rm,sh} bin/
69: X
70: Xusing mknod, make a dev/null that has the same major/minor numbers as
71: X your /dev/null, and make it mode 666.
72: X
73: Xsome shared library systems require a dev/zero created in the same way
74: X
75: Xfill etc space for the account
76: X cp /etc/{group,hosts,passwd,protocols} etc/
77: X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
 trim these copies to what the chroot needs (e.g. only the root and anoncvs
 entries in passwd and pwd.db); everything under etc/ is readable by the
 anonymous user
79: X
1.3 deraadt 80: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses an
81: Xtiny extension provided in the openbsd cvs server code which permits
82: Xthe use of read-only cvs repositories. therefore you MUST compile the
83: Xopenbsd version of cvs. luckily this is not a problem on a
84: Xnon-openbsd machine since the cvs sources are imported verbatim into
85: Xthe openbsd tree. they are in gnu/usr.bin/cvs. The sources are
86: Xintegrated such that Makefile.bsd-wrapper knows how to build the
87: Xsources on an OpenBSD machine, using obj directories.
1.1 deraadt 88: X
89: Xcreate tmp space for the account
90: X cd var; ln -s ../tmp tmp
91: X chmod a+rwx tmp
92: X
93: X mkdir usr/{bin,lib}
94: X cp /usr/bin/{ci,co,cvs,diff,diff3,gzip,rcs,rcsclean} usr/bin/
95: X cp /usr/bin/{rcsdiff,rcsfreeze,rcsmerge,rlog,sdiff,zdiff} usr/bin/
96: X
97: Xif your system has ld.so in /usr/libexec,
98: X mkdir usr/libexec
99: X cp /usr/libexec/ld.so usr/libexec/
100: X
if using shared libraries, copy the shared libs you need (ldd on the
binaries in usr/bin lists them; copying everything as below also works,
but keep the chroot as small as you can):
102: X cp /usr/lib/lib*.so.* usr/lib/
103: X
as a final pass, make sure that none of the files and directories you have
just created are world writeable (except dev/null and tmp). note that the
example layout below still shows bin/ as drwxrwxrwx; fix that with
chmod 755 bin, otherwise anything running as anoncvs can replace the
binaries in it.
106: X
1.3 deraadt 107: Xsend mail to deraadt@openbsd.org
108: X1) to have sup permissions granted.
109: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created
110: X3) to have your site mentioned in the http://www.openbsd.org page.
111: X
112: XExample layout. In this example "deraadt" is the $SUPUSER.
113: X
114: X[eap open 5 ]> cd /open
115: X[eap open 6 ]> ls -alF
116: Xtotal 46
117: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./
118: Xdrwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../
119: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 anoncvs/
120: X---s--x--x 1 root bin 16384 Nov 30 1995 anoncvssh*
121: Xlrwxr-xr-x 1 root wheel 11 Jan 3 21:52 cvs@ -> anoncvs/cvs
122: Xdrwxr-xr-x 5 root wheel 512 Feb 22 13:22 ftp/
123: Xdrwxrwxrwt 2 anoncvs wheel 1024 Jan 1 13:18 lost+found/
124: Xdrwxr-xr-x 4 root wheel 512 Nov 30 1995 src/
125: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 sup/
126: X[eap open 7 ]> cd anoncvs
127: X[eap anoncvs 8 ]> ls -alF
128: Xtotal 20
129: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ./
130: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
131: X-r--r--r-- 1 root wheel 0 Nov 30 1995 .hushlogin
132: X-r--r--r-- 1 root wheel 188 Nov 30 1995 .plan
133: X-r--r--r-- 1 root wheel 0 Nov 29 1995 .profile
134: Xdrwxrwxrwx 2 deraadt wheel 512 Nov 29 1995 bin/
135: Xdrwxrwxr-x 6 deraadt cvs 512 Jun 16 20:28 cvs/
136: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 dev/
137: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 etc/
138: Xdrwxrwxrwx 3 root wheel 512 Jun 22 07:42 tmp/
139: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 usr/
140: Xdrwxr-xr-x 2 root wheel 512 Jan 3 21:55 var/
141: X[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev
142: Xbin:
143: Xtotal 948
144: Xdrwxrwxrwx 2 deraadt wheel 512 Nov 29 1995 ./
145: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
146: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 cat*
147: X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 pwd*
148: X--wx--x--x 1 deraadt wheel 122880 Jun 18 09:45 rm*
149: X--wx--x--x 1 deraadt wheel 262144 Jun 18 09:45 sh*
150: X
151: Xdev:
152: Xtotal 4
153: Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 ./
154: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
155: Xcrw-rw-rw- 1 root wheel 2, 2 Nov 30 1995 null
156: X
157: Xetc:
158: Xtotal 112
159: Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 ./
160: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
161: X-rw-r--r-- 1 root wheel 252 Nov 29 1995 group
162: X-rw-r--r-- 1 root wheel 296 Nov 29 1995 hosts
163: X-rw-r--r-- 1 root wheel 540 Nov 29 1995 passwd
164: X-rw-r--r-- 1 root wheel 1094 Nov 29 1995 protocols
165: X-rw-r--r-- 1 root wheel 40960 Nov 29 1995 pwd.db
166: X-rw-r--r-- 1 root wheel 89 Nov 29 1995 resolv.conf
167: X-rw-r--r-- 1 root wheel 5529 Nov 29 1995 services
168: X-rw-r--r-- 1 root wheel 1361 Nov 29 1995 ttys
169: X
170: Xusr:
171: Xtotal 10
172: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ./
173: Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../
174: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 bin/
175: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 lib/
176: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 libexec/
177: X
178: Xusr/bin:
179: Xtotal 1968
180: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 ./
181: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
182: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 ci*
183: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 co*
184: X--wx--x--x 1 deraadt wheel 317787 Jun 18 09:46 cvs*
185: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 diff*
186: X--wx--x--x 1 deraadt wheel 24576 Jun 18 09:46 diff3*
187: X--wx--x--x 1 deraadt wheel 90112 Jun 18 09:46 gzip*
188: X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 rcs*
189: X--wx--x--x 1 deraadt wheel 65536 Jun 18 09:46 rcsclean*
190: X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rcsdiff*
191: X--wx--x--x 1 deraadt wheel 3228 Jun 18 09:46 rcsfreeze*
192: X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rcsmerge*
193: X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rlog*
194: X--wx--x--x 1 deraadt wheel 24576 Jun 18 09:46 sdiff*
195: X--wx--x--x 1 deraadt wheel 2006 Jun 18 09:46 zdiff*
196: X
197: Xusr/lib:
198: Xtotal 5594
199: Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 ./
200: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
201: X-rw-r--r-- 1 deraadt wheel 16665 Jun 18 09:50 libacl.so.4.0
202: X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libc.so.12.3
203: X-rw-r--r-- 1 deraadt wheel 377359 Jun 18 09:50 libc.so.12.6
204: X-rw-r--r-- 1 deraadt wheel 16608 Jun 18 09:50 libcrypt.so.0.0
205: X-rw-r--r-- 1 deraadt wheel 16465 Jun 18 09:50 libcrypt.so.1.0
206: X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libcurses.so.2.1
207: X-rw-r--r-- 1 deraadt wheel 86198 Jun 18 09:50 libcurses.so.3.0
208: X-rw-r--r-- 1 deraadt wheel 42254 Jun 18 09:50 libdes.so.4.1
209: X-rw-r--r-- 1 deraadt wheel 66099 Jun 18 09:50 libedit.so.0.0
210: X-rw-r--r-- 1 deraadt wheel 43131 Jun 18 09:50 libform.so.0.0
211: X-rw-r--r-- 1 deraadt wheel 387976 Jun 18 09:50 libg++.so.2.0
212: X-rw-r--r-- 1 deraadt wheel 305738 Jun 18 09:50 libg++.so.27.1
213: X-rw-r--r-- 1 deraadt wheel 25544 Jun 18 09:50 libgnumalloc.so.0.0
214: X-rw-r--r-- 1 deraadt wheel 42696 Jun 18 09:50 libiberty.so.0.0
215: X-rw-r--r-- 1 deraadt wheel 25282 Jun 18 09:50 libkadm.so.4.0
216: X-rw-r--r-- 1 deraadt wheel 16610 Jun 18 09:50 libkafs.so.4.0
217: X-rw-r--r-- 1 deraadt wheel 25539 Jun 18 09:50 libkdb.so.4.0
218: X-rw-r--r-- 1 deraadt wheel 59943 Jun 18 09:50 libkrb.so.4.0
219: X-rw-r--r-- 1 deraadt wheel 25328 Jun 18 09:50 libkvm.so.4.0
220: X-rw-r--r-- 1 deraadt wheel 102104 Jun 18 09:50 libm.so.0.1
221: X-rw-r--r-- 1 deraadt wheel 26540 Jun 18 09:50 libmenu.so.0.0
222: X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libocurses.so.2.1
223: X-rw-r--r-- 1 deraadt wheel 16881 Jun 18 09:50 libpanel.so.0.0
224: X-rw-r--r-- 1 deraadt wheel 60222 Jun 18 09:50 libpcap.so.0.0
225: X-rw-r--r-- 1 deraadt wheel 25060 Jun 18 09:50 libresolv.so.1.0
226: X-rw-r--r-- 1 deraadt wheel 16465 Jun 18 09:50 libresolv.so.2.0
227: X-rw-r--r-- 1 deraadt wheel 33538 Jun 18 09:50 libskey.so.0.0
228: X-rw-r--r-- 1 deraadt wheel 25764 Jun 18 09:50 libss.so.4.0
229: X-rw-r--r-- 1 deraadt wheel 277954 Jun 18 09:50 libstdc++.so.27.1
230: X-rw-r--r-- 1 deraadt wheel 16835 Jun 18 09:50 libtelnet.so.1.0
231: X-rw-r--r-- 1 deraadt wheel 16691 Jun 18 09:50 libtermcap.so.0.0
232: X-rw-r--r-- 1 deraadt wheel 16691 Jun 18 09:50 libtermlib.so.0.0
233: X-rw-r--r-- 1 deraadt wheel 75039 Jun 18 09:50 libtermlib.so.1.0
234: X-rw-r--r-- 1 deraadt wheel 16625 Jun 18 09:50 libutil.so.3.1
235: X-rw-r--r-- 1 deraadt wheel 25628 Jun 18 09:50 libutil.so.3.2
236: X
237: Xusr/libexec:
238: Xtotal 100
239: Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 ./
240: Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../
241: X-rwxr-xr-x 1 deraadt wheel 49152 Jun 18 09:47 ld.so*
242: X
243: X[eap anoncvs 14 ]> ls cvs
244: XCVSROOT/ src/ sup/ www/
245: X[eap anoncvs 15 ]> ls /open
246: X[eap anoncvs 16 ]> ls -alF sup
247: Xtotal 8
248: Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 ./
249: Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../
250: Xdrwxr-xr-x 2 deraadt wheel 512 Jun 22 06:05 cvs/
251: X-rw-rw-r-- 1 deraadt wheel 54 Dec 4 1995 ss
252: X
253: X
254: XThat's pretty much it.
1.1 deraadt 255: END-of-README
256: echo x - Makefile
257: sed 's/^X//' >Makefile << 'END-of-Makefile'
# To change the CVSROOT the binary advertises, define HOSTNAME (or CVSROOT)
# for the compiler, e.g. CFLAGS+= -DHOSTNAME='"anoncvs@your.host"'.
# NOTE(review): a plain make variable like the line below is not a
# preprocessor define, so on its own it does not change the default that
# anoncvssh.c compiles in from HOSTNAME and LOCALROOT.
#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
PROG= anoncvssh
# Installed root-owned with mode 4111: set-uid root, execute-only for everyone.
# Root is needed only for chroot(); the program drops it before running cvs.
# No read bit, so the anonymous user cannot copy or inspect the binary.
BINOWN= root
BINMODE=4111
BINDIR=/open
# No manual page is installed.
NOMAN=

.include <bsd.prog.mk>
266: X
267: END-of-Makefile
268: echo x - anoncvssh.c
269: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
270: X/*
271: X * anoncvssh
272: X */
273: X
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
#include <paths.h>
#endif
#include <pwd.h>
#include <unistd.h>
282: X
283: X#ifndef __CONCAT
284: X#if defined(__STDC__) || defined(__cplusplus)
285: X#define __CONCAT(x,y) x ## y
286: X#else
287: X#define __CONCAT(x,y) x/**/y
288: X#endif
289: X#endif
290: X
291: X#ifndef __CONCAT3
292: X#if defined(__STDC__) || defined(__cplusplus)
293: X#define __CONCAT3(x,y,z) x ## y ## z
294: X#else
295: X#define __CONCAT3(x,y,z) x/**/y/**/z
296: X#endif
297: X#endif
298: X
299: X#ifndef __P
300: X#if defined(__STDC__) || defined(__cplusplus)
301: X#define __P(protos) protos /* full-blown ANSI C */
302: X#else
303: X#define __P(protos) () /* traditional C preprocessor */
304: X#endif
305: X#endif
306: X
307: X/*
308: X * You may need to change this path to ensure that RCS, CVS and diff
309: X * can be found
310: X */
311: X#ifndef _PATH_DEFPATH
312: X#define _PATH_DEFPATH "/bin:/usr/bin"
313: X#endif
314: X
315: X/*
316: X * This should not normally have to be changed
317: X */
318: X#ifndef _PATH_BSHELL
319: X#define _PATH_BSHELL "/bin/sh"
320: X#endif
321: X
322: X/*
323: X * Location of CVS tree, relative to the anonymous CVS user's
324: X * home directory
325: X */
326: X#ifndef LOCALROOT
327: X#define LOCALROOT "/cvs"
328: X#endif
329: X
330: X/*
331: X * Account and host name to be used when accessing the
332: X * CVS repository remotely
333: X */
334: X#ifndef HOSTNAME
335: X#define HOSTNAME "anoncvs@anoncvs1.usa.openbsd.org"
336: X#endif
337: X
338: X/*
339: X * $CVSROOT is created based on HOSTNAME and LOCALROOT above
340: X */
1.1 deraadt 341: X#ifndef CVSROOT
1.4 deraadt 342: X#define CVSROOT __CONCAT3(HOSTNAME,":",LOCALROOT)
1.1 deraadt 343: X#endif
344: X
1.4 deraadt 345: Xint main __P((int, char *[]));
346: X
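/*
 * The environment handed to the cvs server.  Nothing from the caller's
 * environment survives: execle() in main() passes exactly this array, so an
 * anonymous client cannot smuggle variables (PATH, CVSROOT, ...) into the
 * server.  CVSREADONLYFS=1 selects the OpenBSD cvs extension that serves a
 * read-only repository (see the README).
 *
 * The entries rely on adjacent string literals being concatenated by the
 * compiler.  Token-pasting (##) two string literals does not yield a valid
 * preprocessing token and is rejected by ISO C preprocessors; the old
 * traditional-cpp branch produced adjacent literals anyway, so this form is
 * no less portable.
 */
char * const env[] = {
	"PATH=" _PATH_DEFPATH,
	"SHELL=" _PATH_BSHELL,
	"CVSROOT=" LOCALROOT,
	"HOME=/",
	"CVSREADONLYFS=1",
	NULL
};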
1.1 deraadt 355: X
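/*
 * Restricted login shell for the anonymous CVS account.
 *
 * Runs setuid root.  It chroots into the calling user's home directory,
 * drops back to the caller's uid, and then execs "cvs server" with a fixed
 * environment -- but only if the caller (normally sshd, via "-c") asked for
 * exactly that command.  Anything else gets a usage message and exit(0).
 *
 * Exits 1 on any failure to set up or tear down privileges: running cvs as
 * root inside a user-writable chroot would be a local root hole.
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	struct passwd *pw;
	uid_t uid;
#ifdef DEBUG
	int i;
#endif /* DEBUG */

	uid = getuid();
	pw = getpwuid(uid);
	if (pw == NULL) {
		fprintf(stderr, "no user for uid %lu\n", (unsigned long)uid);
		exit(1);
	}
	/*
	 * The home directory becomes the chroot jail.  Refuse an empty or
	 * relative path: chroot() would resolve a relative one against the
	 * caller's current directory, which the caller controls.
	 */
	if (pw->pw_dir == NULL || pw->pw_dir[0] != '/') {
		fprintf(stderr, "no directory\n");
		exit(1);
	}
	/* Already euid 0 when installed setuid root; fails cleanly otherwise. */
	if (seteuid(0) == -1) {
		perror("seteuid");
		exit(1);
	}
	if (chroot(pw->pw_dir) == -1) {
		perror("chroot");
		exit(1);
	}
	/* chdir after chroot, or the old cwd would still point outside the jail. */
	if (chdir("/") == -1) {
		perror("chdir");
		exit(1);
	}
	/*
	 * Drop root for good before looking at anything the client sent.
	 * A failed setuid() must be fatal; continuing would exec cvs as root.
	 */
	if (setuid(uid) == -1) {
		perror("setuid");
		exit(1);
	}
	if (geteuid() != uid) {
		fprintf(stderr, "unable to drop privileges\n");
		exit(1);
	}

	/*
	 * program now "safe": unprivileged and inside the jail.  The argv
	 * checks below are a usage filter, not a security boundary -- argv[0]
	 * is whatever the caller (typically sshd) set it to.
	 */

	if (argc != 3 ||
	    strcmp("anoncvssh", argv[0]) != 0 ||
	    strcmp("-c", argv[1]) != 0 ||
	    (strcmp("cvs server", argv[2]) != 0 &&
	     strcmp("cvs -d " LOCALROOT " server", argv[2]) != 0)) {

		fprintf(stderr, "\nTo use anonymous CVS install the latest ");
		fprintf(stderr,"version of CVS on your local machine.\n");
		fprintf(stderr,"Then set your CVSROOT environment variable ");
		fprintf(stderr,"to the following value:\n");
		fprintf(stderr,"\t%s\n\n", CVSROOT);
#ifdef DEBUG
		fprintf(stderr, "argc = %d\n", argc);
		for (i = 0 ; i < argc ; i++)
			fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
#endif /* DEBUG */
		/* Slow down scripted probing of the account. */
		sleep(10);
		exit(0);
	}

	/*
	 * Fixed argv and the fixed env[] table: the client's environment and
	 * any cvs options it asked for are discarded.  The NULL sentinel is
	 * cast because execle() is variadic.
	 */
	execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
	perror("execle: cvs");
	fprintf(stderr, "unable to exec CVS server!\n");
	exit(1);
	/* NOTREACHED */
}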
413: X
414: END-of-anoncvssh.c
415: exit
416: