
Annotation of www/anoncvs.shar, Revision 1.8

1.1       deraadt     1: # This is a shell archive.  Save it in a file, remove anything before
                      2: # this line, and then unpack it by entering "sh file".  Note, it may
                      3: # create directories; files and directories will be owned by you and
                      4: # have default permissions.
                      5: #
                      6: # This archive contains:
                      7: #
1.6       deraadt     8: #      Makefile
1.1       deraadt     9: #      README
                     10: #      anoncvssh.c
                     11: #
1.6       deraadt    12: echo x - Makefile
                     13: sed 's/^X//' >Makefile << 'END-of-Makefile'
                     14: X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
                     15: XPROG=   anoncvssh
                     16: XBINOWN= root
                     17: XBINMODE=4111
                     18: XBINDIR=/open
                     19: XNOMAN=
                     20: X
                     21: X.include <bsd.prog.mk>
                     22: X
                     23: END-of-Makefile
1.1       deraadt    24: echo x - README
                     25: sed 's/^X//' >README << 'END-of-README'
                     26: X
1.7       beck       27: X      So, you want to run an anoncvs server.
                     28: X
                     29: X        A summary of the steps you'll need to do is:
                     30: X
                     31: X1) Find enough disk space to hold the anoncvs tree, and mount it in an
                     32: Xappropriate place.
                     33: X
                     34: X2) Compile and install anoncvssh, the shell used for the anoncvs user.
                     35: X   ( If you aren't using OpenBSD you'll probably need to compile a sup
                     36: X     client as well. The easier path is to use OpenBSD ;)
                     37: X
                     38: X3) Add the anoncvs user to the password file, with no password, and
                     39: Xanoncvssh as its shell. Decide on a user that will run sup to maintain
                     40: Xthe archive (this is a different user, NOT the anoncvs user)
                     41: X
                     42: X4) Make a home directory for the anoncvs user. The anoncvs user's home
                     43: Xdirectory is a chroot jail in which the anoncvssh processes run when
                     44: Xservicing anoncvs requests. The jail must contain the cvs binary and
                     45: Xrelated programs (rcs, etc) as well as whatever shared libraries and
                     46: Xsupport files are needed to run them unless you compile and link
                     47: Xeverything statically. This example shows what is needed for OpenBSD. If
                     48: Xyou use another platform you'll need to be familiar with what needs
                     49: Xto go in a chroot jail for your platform.
                     50: X
                     51: X5) Get permission to use sup to obtain the cvs tree from a server.
1.1       deraadt    52: X
1.7       beck       53: X6) Set up sup to retrieve the cvs tree from an appropriate place.
                     54: X   (If you aren't using OpenBSD you will need to compile and install
                     55: X    a sup client).
1.6       deraadt    56: X
1.7       beck       57: X7) Run sup to retrieve the distribution from the server
1.3       deraadt    58: X
1.7       beck       59: X8) Once you get the distribution in, set up a cron job to run sup
                     60: X   periodically to keep your server up to date.
1.6       deraadt    61: X
1.7       beck       62: X**********************************************************************
                     63: XSTEP 1) find enough disk space.
                     64: X    you need roughly 500MB.
                     65: X    mount it on /open
                     66: X    if you are not able to mount it as /open, substitute its location
                     67: X    throughout the rest of this description
1.6       deraadt    68: X
1.7       beck       69: X**********************************************************************
                     70: XSTEP 2) compile the anoncvssh binary
                     71: X    in the Makefile, change the variable CVSROOT
                     72: X    install the binary setuid-root in /open/anoncvssh.
1.1       deraadt    73: X
1.7       beck       74: X**********************************************************************
                     75: XSTEP 3) Create the anoncvs account, and decide who will run "sup"
                     76: Xto maintain the archive. The anoncvs account should *NOT* be the one
                     77: Xrunning sup to maintain the archive.
1.1       deraadt    78: X
1.7       beck       79: Xcreate an account:
                     80: X    anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
                     81: Xyes, that is right. the account has no password. What confines it is its shell, anoncvssh, which runs inside the chroot jail built in STEP 4.
1.4       deraadt    82: X
1.7       beck       83: Xdecide on who will run sup to maintain the archive. call that user $SUPUSER.
                     84: XOh, and in case it hasn't been previously mentioned, $SUPUSER should *NOT*
                     85: Xbe the anoncvs user :)
                     86: X
                     87: X**********************************************************************
                     88: XSTEP 4) Build the anoncvs user's home directory chroot jail. This example
                     89: Xassumes that you're using OpenBSD. If you're not you may need different
                     90: Xfiles in the chroot.
1.4       deraadt    91: X
1.1       deraadt    92: Xmkdir /open/anoncvs
                     93: Xmkdir /open/anoncvs/cvs
1.6       deraadt    94: Xmkdir /open/anoncvs/sup
                     95: Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs
1.1       deraadt    96: X
1.7       beck       97: Xstart filling the account up with nice stuff. You are building a chroot
                     98: Xjail for anoncvs in /open/anoncvs.
                     99: X
1.1       deraadt   100: X    cd /open/anoncvs
                    101: X    touch .hushlogin
                    102: X    touch .profile
                    103: X
                    104: Xput a message like the following in .plan:
1.6       deraadt   105: X    To use anonymous CVS install the latest version of CVS on your local
                    106: X    machine.
1.1       deraadt   107: X    Then set your CVSROOT environment variable to the following value:
                    108: X            anoncvs@anoncvs.openbsd.org:/cvs
                    109: X
                    110: X    chown root.wheel .hushlogin .profile .plan
                    111: X
                    112: X    mkdir bin dev tmp usr var etc
                    113: X    cp /bin/{cat,pwd,rm,sh} bin/
                    114: X
                    115: Xusing mknod, make a dev/null that has the same major/minor numbers as
                    116: X    your /dev/null, and make it mode 666.
                    117: X
                    118: Xsome shared library systems require a dev/zero created in the same way
                    119: X
                    120: Xfill etc space for the account
                    121: X    cp /etc/{group,hosts,passwd,protocols} etc/
                    122: X    cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
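                    123: X    modify these files to suit your idea of system security; they are world-readable copies inside the jail that serves anonymous users, so keep only the entries the jail needs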
                    124: X
1.3       deraadt   125: Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses a
                    126: Xtiny extension provided in the openbsd cvs server code which permits
                    127: Xthe use of read-only cvs repositories.  therefore you MUST compile the
                    128: Xopenbsd version of cvs.  luckily this is not a problem on a
                    129: Xnon-openbsd machine since the cvs sources are imported verbatim into
                    130: Xthe openbsd tree.  they are in gnu/usr.bin/cvs.  The sources are
                    131: Xintegrated such that Makefile.bsd-wrapper knows how to build the
                    132: Xsources on an OpenBSD machine, using obj directories.
1.1       deraadt   133: X
                    134: Xcreate tmp space for the account
                    135: X    cd var; ln -s ../tmp tmp
                    136: X    chmod a+rwx tmp
                    137: X
                    138: X    mkdir usr/{bin,lib}
                    139: X    cp /usr/bin/{ci,co,cvs,diff,diff3,gzip,rcs,rcsclean} usr/bin/
                    140: X    cp /usr/bin/{rcsdiff,rcsfreeze,rcsmerge,rlog,sdiff,zdiff} usr/bin/
1.6       deraadt   141: X    cp /usr/bin/grep usr/bin
1.1       deraadt   142: X
                    143: Xif your system has ld.so in /usr/libexec,
                    144: X    mkdir usr/libexec
                    145: X    cp /usr/libexec/ld.so usr/libexec/
                    146: X
                    147: Xif using shared libraries, copy the shared libs you might need:
                    148: X    cp /usr/lib/lib*.so.* usr/lib/
                    149: X
                    150: Xas a final pass, make sure that all the files you have just created are
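1.7       beck      151: Xnot world writable (except dev/null, and tmp, which was made a+rwx on purpose above). Check directories too: bin/ appears as drwxrwxrwx in the example layout below, which is the kind of mode this pass should catch.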
1.1       deraadt   152: X
1.7       beck      153: XFor :pserver: support (optional)
                    154: X  - Create an entry in /etc/services
                    155: X     cvspserver               2401/tcp                # CVS client/server operations
                    156: X  - Create an entry in /etc/inetd.conf
                    157: X     cvspserver       stream  tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
                    158: X
                    159: XSee the example layout below for full details.
                    160: X
                    161: X**********************************************************************
                    162: XSTEP 5): Get sup permission.
                    163: Xsend mail to sup@openbsd.org
                    164: X1) to have sup permissions granted on an appropriate machine for you
                    165: X   to sup from.
1.3       deraadt   166: X2) to have an anoncvsN.COUNTRY.openbsd.org alias created
                    167: X3) to have your site mentioned in the http://www.openbsd.org page.
                    168: X
1.7       beck      169: X**********************************************************************
                    170: XSTEP 6): Configure sup
                    171: X
                    172: XIf you're running OpenBSD, you already have a sup client in
                    173: X/usr/bin/sup.  If not you may need to build it. On an IRIX or other
                    174: XSYSV machine, ensure that your kernel does not allow a user to chown a
                    175: Xfile to another user (You may have heard of this particular brand of
                    176: Xevil referred to as "chown giveaway"). Where giveaway is allowed, sup will give
                    177: Xaway the files to root before chmod'ing them
                    178: Xreadable. michaels@openbsd.org knows how to fix this.
                    179: X
                    180: XThe file /open/sup/ss contains a line that tells sup where to get the
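                    181: Xcvs tree from. It can contain *one* of the following. (STEP 7 and STEP 8 below name this file /open/anoncvs/sup/ss; use whichever location you actually created, consistently.)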
                    182: X
                    183: X    cvs host=anoncvs1.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete
                    184: X    cvs host=cvs.openbsd.org hostbase=/ base=/open/anoncvs delete
                    185: X
                    186: X    You should ask which one to use when obtaining sup permission.
                    187: X
                    188: XThe file /open/sup/cvs/refuse tells sup what files it should not get.
                    189: XIt should contain the single line:
                    190: X
                    191: X    cvs/CVSROOT/history
                    192: X
                    193: Xif you ever fetch the file cvs/CVSROOT/history, delete it. it will
                    194: Xcause you problems.
                    195: X
                    196: X**********************************************************************
                    197: XSTEP 7): Run sup to retrieve the tree for the first time
                    198: X
                    199: XLog in as or become the $SUPUSER, and run
                    200: X
                    201: Xsup -v  /open/anoncvs/sup/ss > /tmp/suplog &; tail -f /tmp/suplog
                    202: X
                    203: XIf you have sup permission, and have specified the correct host and
                    204: Xhostbase in /open/anoncvs/sup/ss you should see a list of files start
                    205: Xcoming in after a short while. Don't panic if nothing happens
                    206: Ximmediately.  Watch for errors (sup can timeout or die). If you can't
                    207: Xaccess files, contact the sup server maintainer. If you get a timeout
                    208: Xor if sup dies you can restart and it should continue where it left off.
                    209: X
                    210: XIt can take a good while (and a couple of restarts) to obtain the
                    211: Xwhole tree for the first time.
                    212: X
                    213: X**********************************************************************
                    214: XSTEP 8): Set up cron to keep the tree up to date.
                    215: X
                    216: XYou run sup periodically from the cron by setting up the crontab file
                    217: Xof the $SUPUSER.
                    218: X
                    219: XFor example:  To run every three hours 'sup -v supfile', and thrice
                    220: Xweekly 'sup -vo supfile' .. because sup is not reliable ..
                    221: X
                    222: X0 0,3,6,9,12,15,18,21 * * 0,2,4,5 sup -v  /open/anoncvs/sup/ss > /dev/null
                    223: X0 0,12,15,18,21       * *  1,3,6  sup -v  /open/anoncvs/sup/ss > /dev/null
                    224: X0 3                   * *  1,3,6  sup -vo /open/anoncvs/sup/ss > /dev/null
                    225: X
                    226: Xanoncvs5.usa.openbsd.org uses this particular set of entries.  A `sup
                    227: X-o' is done every few days because sup is not very robust.
                    228: X
                    229: X**********************************************************************
                    230: XEXAMPLE LAYOUT
                    231: X
                    232: XExample layout for OpenBSD. In this example "deraadt" is the $SUPUSER.
1.3       deraadt   233: X
                    234: X[eap open 5 ]> cd /open
                    235: X[eap open 6 ]> ls -alF
                    236: Xtotal 46
                    237: Xdrwxr-xr-x   7 root     wheel    512 Feb 20 09:58 ./
                    238: Xdrwxr-xr-x  17 root     wheel    512 Jun 14 14:05 ../
                    239: Xdrwxr-xr-x   9 root     wheel    512 Jan  3 21:55 anoncvs/
                    240: X---s--x--x   1 root     bin    16384 Nov 30  1995 anoncvssh*
                    241: Xlrwxr-xr-x   1 root     wheel     11 Jan  3 21:52 cvs@ -> anoncvs/cvs
                    242: Xdrwxr-xr-x   5 root     wheel    512 Feb 22 13:22 ftp/
                    243: Xdrwxrwxrwt   2 anoncvs  wheel   1024 Jan  1 13:18 lost+found/
                    244: Xdrwxr-xr-x   4 root     wheel    512 Nov 30  1995 src/
                    245: Xdrwxrwxr-x   3 deraadt  wheel    512 Dec  4  1995 sup/
                    246: X[eap open 7 ]> cd anoncvs
                    247: X[eap anoncvs 8 ]> ls -alF
                    248: Xtotal 20
                    249: Xdrwxr-xr-x  9 root     wheel  512 Jan  3 21:55 ./
                    250: Xdrwxr-xr-x  7 root     wheel  512 Feb 20 09:58 ../
                    251: X-r--r--r--  1 root     wheel    0 Nov 30  1995 .hushlogin
                    252: X-r--r--r--  1 root     wheel  188 Nov 30  1995 .plan
                    253: X-r--r--r--  1 root     wheel    0 Nov 29  1995 .profile
                    254: Xdrwxrwxrwx  2 deraadt  wheel  512 Nov 29  1995 bin/
                    255: Xdrwxrwxr-x  6 deraadt  cvs    512 Jun 16 20:28 cvs/
                    256: Xdrwxr-xr-x  2 root     wheel  512 Nov 30  1995 dev/
                    257: Xdrwxr-xr-x  2 root     wheel  512 Nov 29  1995 etc/
                    258: Xdrwxrwxrwx  3 root     wheel  512 Jun 22 07:42 tmp/
                    259: Xdrwxr-xr-x  5 deraadt  wheel  512 Nov 30  1995 usr/
                    260: Xdrwxr-xr-x  2 root     wheel  512 Jan  3 21:55 var/
                    261: X[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev
                    262: Xbin:
                    263: Xtotal 948
                    264: Xdrwxrwxrwx  2 deraadt  wheel     512 Nov 29  1995 ./
                    265: Xdrwxr-xr-x  9 root     wheel     512 Jan  3 21:55 ../
                    266: X--wx--x--x  1 deraadt  wheel   40960 Jun 18 09:45 cat*
                    267: X--wx--x--x  1 deraadt  wheel   40960 Jun 18 09:45 pwd*
                    268: X--wx--x--x  1 deraadt  wheel  122880 Jun 18 09:45 rm*
                    269: X--wx--x--x  1 deraadt  wheel  262144 Jun 18 09:45 sh*
                    270: X
                    271: Xdev:
                    272: Xtotal 4
                    273: Xdrwxr-xr-x  2 root  wheel       512 Nov 30  1995 ./
                    274: Xdrwxr-xr-x  9 root  wheel       512 Jan  3 21:55 ../
                    275: Xcrw-rw-rw-  1 root  wheel    2,   2 Nov 30  1995 null
                    276: X
                    277: Xetc:
                    278: Xtotal 112
                    279: Xdrwxr-xr-x  2 root  wheel    512 Nov 29  1995 ./
                    280: Xdrwxr-xr-x  9 root  wheel    512 Jan  3 21:55 ../
                    281: X-rw-r--r--  1 root  wheel    252 Nov 29  1995 group
                    282: X-rw-r--r--  1 root  wheel    296 Nov 29  1995 hosts
                    283: X-rw-r--r--  1 root  wheel    540 Nov 29  1995 passwd
                    284: X-rw-r--r--  1 root  wheel   1094 Nov 29  1995 protocols
                    285: X-rw-r--r--  1 root  wheel  40960 Nov 29  1995 pwd.db
                    286: X-rw-r--r--  1 root  wheel     89 Nov 29  1995 resolv.conf
                    287: X-rw-r--r--  1 root  wheel   5529 Nov 29  1995 services
                    288: X-rw-r--r--  1 root  wheel   1361 Nov 29  1995 ttys
                    289: X
                    290: Xusr:
                    291: Xtotal 10
                    292: Xdrwxr-xr-x  5 deraadt  wheel   512 Nov 30  1995 ./
                    293: Xdrwxr-xr-x  9 root     wheel   512 Jan  3 21:55 ../
                    294: Xdrwxr-xr-x  2 deraadt  wheel   512 Nov 30  1995 bin/
                    295: Xdrwxr-xr-x  2 deraadt  wheel  1024 Jun 18 09:50 lib/
                    296: Xdrwxr-xr-x  2 deraadt  wheel   512 Nov 29  1995 libexec/
                    297: X
                    298: Xusr/bin:
                    299: Xtotal 1968
                    300: Xdrwxr-xr-x  2 deraadt  wheel     512 Nov 30  1995 ./
                    301: Xdrwxr-xr-x  5 deraadt  wheel     512 Nov 30  1995 ../
                    302: X--wx--x--x  1 deraadt  wheel   73728 Jun 18 09:46 ci*
                    303: X--wx--x--x  1 deraadt  wheel   73728 Jun 18 09:46 co*
                    304: X--wx--x--x  1 deraadt  wheel  317787 Jun 18 09:46 cvs*
                    305: X--wx--x--x  1 deraadt  wheel   73728 Jun 18 09:46 diff*
                    306: X--wx--x--x  1 deraadt  wheel   24576 Jun 18 09:46 diff3*
                    307: X--wx--x--x  1 deraadt  wheel   90112 Jun 18 09:46 gzip*
                    308: X--wx--x--x  1 deraadt  wheel   73728 Jun 18 09:46 rcs*
                    309: X--wx--x--x  1 deraadt  wheel   65536 Jun 18 09:46 rcsclean*
                    310: X--wx--x--x  1 deraadt  wheel   57344 Jun 18 09:46 rcsdiff*
                    311: X--wx--x--x  1 deraadt  wheel    3228 Jun 18 09:46 rcsfreeze*
                    312: X--wx--x--x  1 deraadt  wheel   57344 Jun 18 09:46 rcsmerge*
                    313: X--wx--x--x  1 deraadt  wheel   57344 Jun 18 09:46 rlog*
                    314: X--wx--x--x  1 deraadt  wheel   24576 Jun 18 09:46 sdiff*
                    315: X--wx--x--x  1 deraadt  wheel    2006 Jun 18 09:46 zdiff*
                    316: X
                    317: Xusr/lib:
                    318: Xtotal 5594
                    319: Xdrwxr-xr-x  2 deraadt  wheel    1024 Jun 18 09:50 ./
                    320: Xdrwxr-xr-x  5 deraadt  wheel     512 Nov 30  1995 ../
                    321: X-rw-r--r--  1 deraadt  wheel   16665 Jun 18 09:50 libacl.so.4.0
                    322: X-rw-r--r--  1 deraadt  wheel  351730 Jun 18 09:50 libc.so.12.3
                    323: X-rw-r--r--  1 deraadt  wheel  377359 Jun 18 09:50 libc.so.12.6
                    324: X-rw-r--r--  1 deraadt  wheel   16608 Jun 18 09:50 libcrypt.so.0.0
                    325: X-rw-r--r--  1 deraadt  wheel   16465 Jun 18 09:50 libcrypt.so.1.0
                    326: X-rw-r--r--  1 deraadt  wheel   44424 Jun 18 09:50 libcurses.so.2.1
                    327: X-rw-r--r--  1 deraadt  wheel   86198 Jun 18 09:50 libcurses.so.3.0
                    328: X-rw-r--r--  1 deraadt  wheel   42254 Jun 18 09:50 libdes.so.4.1
                    329: X-rw-r--r--  1 deraadt  wheel   66099 Jun 18 09:50 libedit.so.0.0
                    330: X-rw-r--r--  1 deraadt  wheel   43131 Jun 18 09:50 libform.so.0.0
                    331: X-rw-r--r--  1 deraadt  wheel  387976 Jun 18 09:50 libg++.so.2.0
                    332: X-rw-r--r--  1 deraadt  wheel  305738 Jun 18 09:50 libg++.so.27.1
                    333: X-rw-r--r--  1 deraadt  wheel   25544 Jun 18 09:50 libgnumalloc.so.0.0
                    334: X-rw-r--r--  1 deraadt  wheel   42696 Jun 18 09:50 libiberty.so.0.0
                    335: X-rw-r--r--  1 deraadt  wheel   25282 Jun 18 09:50 libkadm.so.4.0
                    336: X-rw-r--r--  1 deraadt  wheel   16610 Jun 18 09:50 libkafs.so.4.0
                    337: X-rw-r--r--  1 deraadt  wheel   25539 Jun 18 09:50 libkdb.so.4.0
                    338: X-rw-r--r--  1 deraadt  wheel   59943 Jun 18 09:50 libkrb.so.4.0
                    339: X-rw-r--r--  1 deraadt  wheel   25328 Jun 18 09:50 libkvm.so.4.0
                    340: X-rw-r--r--  1 deraadt  wheel  102104 Jun 18 09:50 libm.so.0.1
                    341: X-rw-r--r--  1 deraadt  wheel   26540 Jun 18 09:50 libmenu.so.0.0
                    342: X-rw-r--r--  1 deraadt  wheel   44424 Jun 18 09:50 libocurses.so.2.1
                    343: X-rw-r--r--  1 deraadt  wheel   16881 Jun 18 09:50 libpanel.so.0.0
                    344: X-rw-r--r--  1 deraadt  wheel   60222 Jun 18 09:50 libpcap.so.0.0
                    345: X-rw-r--r--  1 deraadt  wheel   25060 Jun 18 09:50 libresolv.so.1.0
                    346: X-rw-r--r--  1 deraadt  wheel   16465 Jun 18 09:50 libresolv.so.2.0
                    347: X-rw-r--r--  1 deraadt  wheel   33538 Jun 18 09:50 libskey.so.0.0
                    348: X-rw-r--r--  1 deraadt  wheel   25764 Jun 18 09:50 libss.so.4.0
                    349: X-rw-r--r--  1 deraadt  wheel  277954 Jun 18 09:50 libstdc++.so.27.1
                    350: X-rw-r--r--  1 deraadt  wheel   16835 Jun 18 09:50 libtelnet.so.1.0
                    351: X-rw-r--r--  1 deraadt  wheel   16691 Jun 18 09:50 libtermcap.so.0.0
                    352: X-rw-r--r--  1 deraadt  wheel   16691 Jun 18 09:50 libtermlib.so.0.0
                    353: X-rw-r--r--  1 deraadt  wheel   75039 Jun 18 09:50 libtermlib.so.1.0
                    354: X-rw-r--r--  1 deraadt  wheel   16625 Jun 18 09:50 libutil.so.3.1
                    355: X-rw-r--r--  1 deraadt  wheel   25628 Jun 18 09:50 libutil.so.3.2
                    356: X
                    357: Xusr/libexec:
                    358: Xtotal 100
                    359: Xdrwxr-xr-x  2 deraadt  wheel    512 Nov 29  1995 ./
                    360: Xdrwxr-xr-x  5 deraadt  wheel    512 Nov 30  1995 ../
                    361: X-rwxr-xr-x  1 deraadt  wheel  49152 Jun 18 09:47 ld.so*
                    362: X
                    363: X[eap anoncvs 14 ]> ls cvs
                    364: XCVSROOT/        src/            sup/            www/
1.6       deraadt   365: X[eap anoncvs 15 ]> cd /open
1.3       deraadt   366: X[eap anoncvs 16 ]> ls -alF sup
                    367: Xtotal 8
                    368: Xdrwxrwxr-x  3 deraadt  wheel  512 Dec  4  1995 ./
                    369: Xdrwxr-xr-x  7 root     wheel  512 Feb 20 09:58 ../
                    370: Xdrwxr-xr-x  2 deraadt  wheel  512 Jun 22 06:05 cvs/
                    371: X-rw-rw-r--  1 deraadt  wheel   54 Dec  4  1995 ss
                    372: X
                    373: X
1.7       beck      374: X***************************************************************
                    375: XNOTES FOR OTHER PLATFORMS:
                    376: X
                    377: XIf you're not that familiar with your other platform (i.e. you haven't
                    378: Xbuilt a chroot jail for a server on it), you may be better off
                    379: Xfinding an OpenBSD machine to use (and duplicating the example above).
                    380: X
                    381: X**SunOS 5)
                    382: XBob Beck <beck@panopticon.ucs.ualberta.ca> has done this. E-mail for
                    383: Xhelp if you need it.
1.6       deraadt   384: X
1.7       beck      385: X**OSF 1)
1.6       deraadt   386: XFrom Todd Fries <toddf@acm.org> to the adventurous.
                    387: XA note for those installing anoncvs on non-OpenBSD operating systems.
                    388: XYou are in for some fun.
                    389: X
                    390: XFor OSF1, on a DEC alpha, I had to do the following in addition to the
                    391: Xabove:
                    392: X
                    393: X- I do not know how to setup dynamic libraries on osf1 and as a result
                    394: X  everything had to be compiled statically.
                    395: X- Therefore, everything but /bin/sh I had to recompile in order to
                    396: X  get the chroot setup.  In order that there be no guesswork
                    397: X  involved, the following packages' binaries must exist in the chroot
                    398: X  environment:
                    399: X
                    400: X GNU
                    401: X   cvs         (from the OpenBSD source tree)
                    402: X   diff[utils] (unless you're running *BSD, probably better get it from a gnu
                    403: X                 mirror...the Makefile doesn't work otherwise)
                    404: X   rcs         (from the OpenBSD source tree)
                    405: X
                    406: XSome notes on compiling.
                    407: X
                    408: X   rcs must have diff3 capable of diff3 -m during configure.
                    409: X   OSF doesn't by default, thus I had to compile diffutils first.
                    410: X
                    411: X   cvs fails to install if you don't have makeinfo ... just search for the
                    412: X   string ' install-info$' with regex and remove it from the Makefile for the
                    413: X   install and you'll be fine, or install 'texinfo', your choice.
1.1       deraadt   414: END-of-README
                    415: echo x - anoncvssh.c
                    416: sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
                    417: X/*
                    418: X * anoncvssh
                    419: X */
                    420: X
1.4       deraadt   421: X#include <stdio.h>
                    422: X#include <stdlib.h>
                    423: X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
                    424: X#include <paths.h>
                    425: X#endif
                    426: X#include <pwd.h>
                    427: X#include <unistd.h>
                    428: X#include <sys/types.h>
                    429: X
                    430: X#ifndef __CONCAT
                    431: X#if defined(__STDC__) || defined(__cplusplus)
                    432: X#define __CONCAT(x,y)         x ## y
                    433: X#else
                    434: X#define __CONCAT(x,y)         x/**/y
                    435: X#endif
                    436: X#endif
                    437: X
                    438: X#ifndef __CONCAT3
                    439: X#if defined(__STDC__) || defined(__cplusplus)
                    440: X#define __CONCAT3(x,y,z)      x ## y ## z
                    441: X#else
                    442: X#define __CONCAT3(x,y,z)      x/**/y/**/z
                    443: X#endif
                    444: X#endif
                    445: X
                    446: X#ifndef __P
                    447: X#if defined(__STDC__) || defined(__cplusplus)
                    448: X#define       __P(protos)     protos          /* full-blown ANSI C */
                    449: X#else
                    450: X#define       __P(protos)     ()              /* traditional C preprocessor */
                    451: X#endif
                    452: X#endif
                    453: X
                    454: X/*
                    455: X * You may need to change this path to ensure that RCS, CVS and diff
                    456: X * can be found
                    457: X */
                    458: X#ifndef _PATH_DEFPATH
                    459: X#define       _PATH_DEFPATH   "/bin:/usr/bin"
                    460: X#endif
                    461: X
                    462: X/*
                    463: X * Path of the Bourne shell; exported to cvs as SHELL= in env[] below.
                         X * This should not normally have to be changed
                    464: X */
                    465: X#ifndef _PATH_BSHELL
                    466: X#define _PATH_BSHELL  "/bin/sh"
                    467: X#endif
                    468: X
                    469: X/*
                    470: X * Location of CVS tree, relative to the anonymous CVS user's
                    471: X * home directory
                         X *
                         X * main() chroots into that home directory before starting cvs, so
                         X * this is the path as cvs sees it; it is exported as CVSROOT= in
                         X * env[] below.
                    472: X */
                    473: X#ifndef LOCALROOT
                    474: X#define       LOCALROOT       "/cvs"
                    475: X#endif
                    476: X
                    477: X/*
                    478: X * Account and host name to be used when accessing the
                    479: X * CVS repository remotely
                         X *
                         X * Used below to build CVSROOT, which main() prints in its usage
                         X * message.
                    480: X */
                    481: X#ifndef HOSTNAME
                    482: X#define       HOSTNAME        "anoncvs@anoncvs1.usa.openbsd.org"
                    483: X#endif
                    484: X
                    485: X/*
                    486: X * $CVSROOT is created based on HOSTNAME and LOCALROOT above
                         X *
                         X * This is the value advertised to clients in the usage message.
                         X * The CVSROOT handed to cvs itself is LOCALROOT alone (see env[]).
                    487: X */
1.1       deraadt   488: X#ifndef CVSROOT
1.4       deraadt   489: X#define       CVSROOT         __CONCAT3(HOSTNAME,":",LOCALROOT)
1.1       deraadt   490: X#endif
                    491: X
1.8     ! beck      492: X/*
        !           493: X * We define PSERVER_SUPPORT to allow anoncvssh to spawn a "cvs pserver".
        !           494: X * You may undefine this if you aren't going to be running pserver.
                         X *
                         X * Because of the #ifndef wrapper below, PSERVER_SUPPORT ends up
                         X * defined whenever it was not defined already.  To build without
                         X * the pserver branch of main(), remove or comment out the #define
                         X * here.
        !           495: X */
        !           496: X#ifndef PSERVER_SUPPORT
        !           497: X#define PSERVER_SUPPORT
        !           498: X#endif
        !           499: X
        !           500: X/*
        !           501: X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
        !           502: X * using syslog()
                         X *
                         X * With ANONCVS_USER defined as well, rejected invocations are also
                         X * logged (at LOG_NOTICE).  The headers below provide the socket
                         X * address types and calls main() uses for the pserver log line.
                         X *
                         X * NOTE(review): main() calls strcmp() even when USE_SYSLOG is not
                         X * defined; confirm <string.h> is also included unconditionally
                         X * earlier in this file.
        !           503: X */
        !           504: X#define USE_SYSLOG
        !           505: X
        !           506: X#ifdef USE_SYSLOG
        !           507: X#include <string.h>
        !           508: X#include <syslog.h>
        !           509: X#include <netinet/in.h>
        !           510: X#include <sys/socket.h>
        !           511: X#include <arpa/inet.h>
        !           512: X#define LOG_FACILITY LOG_DAEMON
        !           513: X#define LOG_PRIO LOG_INFO
        !           514: X#endif
        !           515: X
        !           516: X/* Define ANONCVS_USER if you want anoncvssh to complain if invoked by
        !           517: X * anyone other than root or ANONCVS_USER.
                         X *
                         X * When defined, main() compares the account name of the real uid
                         X * (from getpwuid(getuid())) with ANONCVS_USER and exits with status 1
                         X * on a mismatch, before it takes any privileged step.  The check is
                         X * disabled as shipped: the #define below is commented out.
        !           518: X */
        !           519: X/* #define ANONCVS_USER "anoncvs" */
        !           520: X
1.4       deraadt   521: Xint main __P((int, char *[]));
                    522: X
                    523: Xchar * const env[] = {	/* the complete environment main() passes to cvs via execle() */
                    524: X      __CONCAT("PATH=",_PATH_DEFPATH),
                    525: X      __CONCAT("SHELL=",_PATH_BSHELL),
                    526: X      __CONCAT("CVSROOT=",LOCALROOT),	/* repository path inside the chroot */
                    527: X      "HOME=/",
                    528: X      "CVSREADONLYFS=1",	/* presumably puts cvs in read-only repository mode; confirm against the cvs in use */
                    529: X      NULL
                    530: X};
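/*
 * Restricted login shell for the anonymous CVS account.
 *
 * The binary is installed setuid root because chroot() needs root.
 * main() looks up the invoking (real) uid, chroots into that account's
 * home directory, drops back to the real uid and then execs /usr/bin/cvs:
 *
 *   - as "cvs pserver" when called with the single argument "pserver"
 *     (only when PSERVER_SUPPORT is defined), or
 *   - as "cvs server" when called exactly as
 *     anoncvssh -c "cvs server"  (or the "cvs -d LOCALROOT server" form).
 *
 * Any other invocation prints setup instructions, sleeps 10 seconds and
 * exits with status 0.  cvs is always started with the fixed env[] table,
 * never with the caller's environment.
 *
 * Exits with status 1 when the passwd lookup, the chroot/privilege-drop
 * sequence, the socket address lookups or the exec fail.
 */
int
main(argc, argv)
int argc;
char *argv[];
{
	struct passwd *pw;
#ifdef DEBUG
	int i;
#endif /* DEBUG */

	pw = getpwuid(getuid());
	if (pw == NULL) {
		fprintf(stderr, "no user for uid %d\n", getuid());
		exit(1);
	}
	if (pw->pw_dir == NULL) {
		fprintf(stderr, "no directory\n");
		exit(1);
	}

#ifdef USE_SYSLOG
	/*
	 * LOG_NDELAY opens the connection to the logger right away, i.e.
	 * before the chroot() below -- presumably so that logging keeps
	 * working once the process is confined.
	 */
	openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
#endif /* USE_SYSLOG */

#ifdef ANONCVS_USER
	/*
	 * I love lusers who have to test every setuid binary on my machine.
	 * Only root and ANONCVS_USER get past this point.
	 */
	if (getuid() != 0 && (strcmp (pw->pw_name, ANONCVS_USER) != 0)) {
		fprintf(stderr, "You're not supposed to be running me!\n");
#ifdef USE_SYSLOG
		syslog(LOG_NOTICE,
		       "User %s(%d) invoked anoncvssh - Possible twink?",
		       pw->pw_name, pw->pw_uid);
#endif /* USE_SYSLOG */
		exit(1);
	}
#endif /* ANONCVS_USER */

	/*
	 * Confine, then drop privileges.  Every step is checked: a chdir()
	 * that fails would leave the working directory outside the new root,
	 * and a setuid() that fails would leave the process running as root
	 * when cvs is started.  Refuse to continue in either case.
	 */
	if (seteuid(0) == -1) {
		perror("seteuid");
		exit(1);
	}
	if (chroot(pw->pw_dir) == -1) {
		perror("chroot");
		exit(1);
	}
	if (chdir("/") == -1) {
		perror("chdir");
		exit(1);
	}
	/* Effective uid is 0 here, so this gives up root for good. */
	if (setuid(getuid()) == -1) {
		perror("setuid");
		exit(1);
	}

	/*
	 * program now "safe": chrooted and running as the invoking uid
	 */

#ifdef PSERVER_SUPPORT
	/* If we want pserver functionality */
	if ((argc == 2) && (strcmp("pserver", argv[1]) == 0)) {
#ifdef USE_SYSLOG
		socklen_t slen;		/* the type getsockname()/getpeername() expect */
		struct sockaddr_in my_sa, peer_sa;
		char *us, *them;

		/*
		 * Log both ends of the connection on descriptor 0.
		 * NOTE(review): sockaddr_in/inet_ntoa() assume an IPv4 socket.
		 */
		slen = sizeof(my_sa);
		if (getsockname(0, (struct sockaddr *) &my_sa, &slen) != 0) {
			perror("getsockname");
			exit(1);
		}
		/* inet_ntoa() returns a static buffer; copy before the next call */
		us = strdup(inet_ntoa(my_sa.sin_addr));
		if (us == NULL) {
			fprintf(stderr, "malloc failed\n");
			exit(1);
		}
		slen = sizeof(peer_sa);
		if (getpeername(0, (struct sockaddr *) &peer_sa, &slen) != 0) {
			perror("getpeername");
			exit(1);
		}
		them = strdup(inet_ntoa(peer_sa.sin_addr));
		if (them == NULL) {
			fprintf(stderr, "malloc failed\n");
			exit(1);
		}
		syslog(LOG_PRIO,
		       "pserver connection from %s:%d to %s:%d\n",
		       them, ntohs(peer_sa.sin_port),
		       us, ntohs(my_sa.sin_port));
#endif /* USE_SYSLOG */
		execle("/usr/bin/cvs", "cvs", "pserver", NULL, env);
		perror("execle: cvs");
		fprintf(stderr, "unable to exec CVS pserver!\n");
		exit(1);
		/* NOTREACHED */
	}
#endif

	/*
	 * Accept only the exact command lines listed in the header comment;
	 * the command string is compared as a whole and never passed to a
	 * shell.
	 */
	if (argc != 3 ||
	    strcmp("anoncvssh", argv[0]) != 0 ||
	    strcmp("-c", argv[1]) != 0 ||
	    (strcmp("cvs server", argv[2]) != 0 &&
	     strcmp(__CONCAT3("cvs -d ",LOCALROOT," server"), argv[2]) != 0)) {
		fprintf(stderr, "\nTo use anonymous CVS install the latest ");
		fprintf(stderr,"version of CVS on your local machine.\n");
		fprintf(stderr,"Then set your CVSROOT environment variable ");
		fprintf(stderr,"to the following value:\n");
		fprintf(stderr,"\t%s\n\n", CVSROOT);
#ifdef DEBUG
		fprintf(stderr, "argc = %d\n", argc);
		for (i = 0 ; i < argc ; i++)
			fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
#endif /* DEBUG */
		sleep(10);
		exit(0);
	}
	execle("/usr/bin/cvs", "cvs", "server", NULL, env);
	perror("execle: cvs");
	fprintf(stderr, "unable to exec CVS server!\n");
	exit(1);
	/* NOTREACHED */
}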
                    651: X
                    652: END-of-anoncvssh.c
                    653: exit
                    654: