
File: [local] / www / anoncvs.shar (download)

Revision 1.4, Sat Sep 14 22:16:56 1996 UTC (27 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +91 -18 lines

new anoncvs.shar file

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	README
#	Makefile
#	anoncvssh.c
#
echo x - README
sed 's/^X//' >README << 'END-of-README'
Xfind enough disk space.
X    you need roughly 300MB.
X    mount it on /open
X    if you are not able to mount it as /open, substitute its location
X    throughout this description
X    
Xcompile the anoncvssh binary
X    in the Makefile, change the variable CVSROOT
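X    install the binary setuid-root (the Makefile's BINOWN=root and
X    BINMODE=4111 do this at install time). root is needed only for the
X    chroot(2) call; anoncvssh switches back to the calling uid right
X    after it.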
X
Xcreate an account:
X    anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
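Xyes, that is right. the account has no password. this is tolerable only
Xbecause the account's shell is /open/anoncvssh, which chroots into the
Xhome directory and will run nothing but "cvs server". never give this
Xaccount an ordinary shell.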
X
Xinstall a crontab entry which runs as any user besides anoncvs (ie. run
Xit as yourself, or as root). call that user $SUPUSER
X    0       */3     * * 0,1,3,4,6   /usr/local/bin/sup -v /open/sup/ss
X    0       */6     * * 2,5         /usr/local/bin/sup -vo /open/sup/ss
X
Xanoncvs1.usa.openbsd.org uses this particular set of entries.  A `sup
X-o' is done every few days because sup is not very robust.
X
Xthe file /open/sup/ss contains
X    cvs host=cvs.openbsd.org hostbase=/ base=/open/anoncvs delete
X
Xthe file /open/sup/cvs/refuse should contain the single line
X    cvs/CVSROOT/history
Xif you ever fetch the file cvs/CVSROOT/history, delete it. it will
Xcause you problems.
X
Xon an IRIX or other SYSV machine, ensure that your kernel does not allow
Xa user to chown a file to another user. if it does, sup will give away
Xthe files to root before chmod'ing them readable. michaels@openbsd.org
Xknows how to fix this.
X
Xmkdir /open/
Xmkdir /open/anoncvs
Xmkdir /open/anoncvs/cvs
Xmkdir /open/sup
Xchown -R $SUPUSER /open/anoncvs/cvs /open/sup
X
Xstart filling the account up with nice stuff
X    cd /open/anoncvs
X    touch .hushlogin
X    touch .profile
X
Xput a message like the following in .plan:
X    To use anonymous CVS install the latest version of CVS on your local machine.
X    Then set your CVSROOT environment variable to the following value:
X            anoncvs@anoncvs.openbsd.org:/cvs
X
X    chown root.wheel .hushlogin .profile .plan
X
X    mkdir bin dev tmp usr var etc
X    cp /bin/{cat,pwd,rm,sh} bin/
X
Xusing mknod, make a dev/null that has the same major/minor numbers as
X    your /dev/null, and make it mode 666.
X
Xsome shared library systems require a dev/zero created in the same way
X
Xfill etc space for the account
X    cp /etc/{group,hosts,passwd,protocols} etc/
X    cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
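X    modify these files to suit your idea of system security; these copies
X    are readable by every anonymous session, so remove any accounts,
X    groups and hosts that such a session has no need to see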
X
Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses a
Xtiny extension provided in the openbsd cvs server code which permits
Xthe use of read-only cvs repositories.  therefore you MUST compile the
Xopenbsd version of cvs.  luckily this is not a problem on a
Xnon-openbsd machine since the cvs sources are imported verbatim into
Xthe openbsd tree.  they are in gnu/usr.bin/cvs.  The sources are
Xintegrated such that Makefile.bsd-wrapper knows how to build the
Xsources on an OpenBSD machine, using obj directories.
X
Xcreate tmp space for the account
X    cd var; ln -s ../tmp tmp
X    chmod a+rwx tmp
X
X    mkdir usr/{bin,lib}
X    cp /usr/bin/{ci,co,cvs,diff,diff3,gzip,rcs,rcsclean} usr/bin/
X    cp /usr/bin/{rcsdiff,rcsfreeze,rcsmerge,rlog,sdiff,zdiff} usr/bin/
X
Xif your system has ld.so in /usr/libexec,
X    mkdir usr/libexec
X    cp /usr/libexec/ld.so usr/libexec/
X
Xif using shared libraries, copy the shared libs you might need:
X    cp /usr/lib/lib*.so.* usr/lib/
X
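Xas a final pass, make sure that none of the files and directories you
Xhave just created is world writeable. the only exceptions are dev/null
Xand tmp, which the steps above deliberately make world writeable.
X(bin/ appears as mode 777 in the example layout below; that does not
Xfollow this rule and should not be copied.)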
X
Xsend mail to deraadt@openbsd.org
X1) to have sup permissions granted.
X2) to have an anoncvsN.COUNTRY.openbsd.org alias created
X3) to have your site mentioned in the http://www.openbsd.org page.
X
XExample layout. In this example "deraadt" is the $SUPUSER.
X
X[eap open 5 ]> cd /open
X[eap open 6 ]> ls -alF 
Xtotal 46
Xdrwxr-xr-x   7 root     wheel    512 Feb 20 09:58 ./
Xdrwxr-xr-x  17 root     wheel    512 Jun 14 14:05 ../
Xdrwxr-xr-x   9 root     wheel    512 Jan  3 21:55 anoncvs/
X---s--x--x   1 root     bin    16384 Nov 30  1995 anoncvssh*
Xlrwxr-xr-x   1 root     wheel     11 Jan  3 21:52 cvs@ -> anoncvs/cvs
Xdrwxr-xr-x   5 root     wheel    512 Feb 22 13:22 ftp/
Xdrwxrwxrwt   2 anoncvs  wheel   1024 Jan  1 13:18 lost+found/
Xdrwxr-xr-x   4 root     wheel    512 Nov 30  1995 src/
Xdrwxrwxr-x   3 deraadt  wheel    512 Dec  4  1995 sup/
X[eap open 7 ]> cd anoncvs
X[eap anoncvs 8 ]> ls -alF
Xtotal 20
Xdrwxr-xr-x  9 root     wheel  512 Jan  3 21:55 ./
Xdrwxr-xr-x  7 root     wheel  512 Feb 20 09:58 ../
X-r--r--r--  1 root     wheel    0 Nov 30  1995 .hushlogin
X-r--r--r--  1 root     wheel  188 Nov 30  1995 .plan
X-r--r--r--  1 root     wheel    0 Nov 29  1995 .profile
Xdrwxrwxrwx  2 deraadt  wheel  512 Nov 29  1995 bin/
Xdrwxrwxr-x  6 deraadt  cvs    512 Jun 16 20:28 cvs/
Xdrwxr-xr-x  2 root     wheel  512 Nov 30  1995 dev/
Xdrwxr-xr-x  2 root     wheel  512 Nov 29  1995 etc/
Xdrwxrwxrwx  3 root     wheel  512 Jun 22 07:42 tmp/
Xdrwxr-xr-x  5 deraadt  wheel  512 Nov 30  1995 usr/
Xdrwxr-xr-x  2 root     wheel  512 Jan  3 21:55 var/
X[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev
Xbin:
Xtotal 948
Xdrwxrwxrwx  2 deraadt  wheel     512 Nov 29  1995 ./
Xdrwxr-xr-x  9 root     wheel     512 Jan  3 21:55 ../
X--wx--x--x  1 deraadt  wheel   40960 Jun 18 09:45 cat*
X--wx--x--x  1 deraadt  wheel   40960 Jun 18 09:45 pwd*
X--wx--x--x  1 deraadt  wheel  122880 Jun 18 09:45 rm*
X--wx--x--x  1 deraadt  wheel  262144 Jun 18 09:45 sh*
X
Xdev:
Xtotal 4
Xdrwxr-xr-x  2 root  wheel       512 Nov 30  1995 ./
Xdrwxr-xr-x  9 root  wheel       512 Jan  3 21:55 ../
Xcrw-rw-rw-  1 root  wheel    2,   2 Nov 30  1995 null
X
Xetc:
Xtotal 112
Xdrwxr-xr-x  2 root  wheel    512 Nov 29  1995 ./
Xdrwxr-xr-x  9 root  wheel    512 Jan  3 21:55 ../
X-rw-r--r--  1 root  wheel    252 Nov 29  1995 group
X-rw-r--r--  1 root  wheel    296 Nov 29  1995 hosts
X-rw-r--r--  1 root  wheel    540 Nov 29  1995 passwd
X-rw-r--r--  1 root  wheel   1094 Nov 29  1995 protocols
X-rw-r--r--  1 root  wheel  40960 Nov 29  1995 pwd.db
X-rw-r--r--  1 root  wheel     89 Nov 29  1995 resolv.conf
X-rw-r--r--  1 root  wheel   5529 Nov 29  1995 services
X-rw-r--r--  1 root  wheel   1361 Nov 29  1995 ttys
X
Xusr:
Xtotal 10
Xdrwxr-xr-x  5 deraadt  wheel   512 Nov 30  1995 ./
Xdrwxr-xr-x  9 root     wheel   512 Jan  3 21:55 ../
Xdrwxr-xr-x  2 deraadt  wheel   512 Nov 30  1995 bin/
Xdrwxr-xr-x  2 deraadt  wheel  1024 Jun 18 09:50 lib/
Xdrwxr-xr-x  2 deraadt  wheel   512 Nov 29  1995 libexec/
X
Xusr/bin:
Xtotal 1968
Xdrwxr-xr-x  2 deraadt  wheel     512 Nov 30  1995 ./
Xdrwxr-xr-x  5 deraadt  wheel     512 Nov 30  1995 ../
X--wx--x--x  1 deraadt  wheel   73728 Jun 18 09:46 ci*
X--wx--x--x  1 deraadt  wheel   73728 Jun 18 09:46 co*
X--wx--x--x  1 deraadt  wheel  317787 Jun 18 09:46 cvs*
X--wx--x--x  1 deraadt  wheel   73728 Jun 18 09:46 diff*
X--wx--x--x  1 deraadt  wheel   24576 Jun 18 09:46 diff3*
X--wx--x--x  1 deraadt  wheel   90112 Jun 18 09:46 gzip*
X--wx--x--x  1 deraadt  wheel   73728 Jun 18 09:46 rcs*
X--wx--x--x  1 deraadt  wheel   65536 Jun 18 09:46 rcsclean*
X--wx--x--x  1 deraadt  wheel   57344 Jun 18 09:46 rcsdiff*
X--wx--x--x  1 deraadt  wheel    3228 Jun 18 09:46 rcsfreeze*
X--wx--x--x  1 deraadt  wheel   57344 Jun 18 09:46 rcsmerge*
X--wx--x--x  1 deraadt  wheel   57344 Jun 18 09:46 rlog*
X--wx--x--x  1 deraadt  wheel   24576 Jun 18 09:46 sdiff*
X--wx--x--x  1 deraadt  wheel    2006 Jun 18 09:46 zdiff*
X
Xusr/lib:
Xtotal 5594
Xdrwxr-xr-x  2 deraadt  wheel    1024 Jun 18 09:50 ./
Xdrwxr-xr-x  5 deraadt  wheel     512 Nov 30  1995 ../
X-rw-r--r--  1 deraadt  wheel   16665 Jun 18 09:50 libacl.so.4.0
X-rw-r--r--  1 deraadt  wheel  351730 Jun 18 09:50 libc.so.12.3
X-rw-r--r--  1 deraadt  wheel  377359 Jun 18 09:50 libc.so.12.6
X-rw-r--r--  1 deraadt  wheel   16608 Jun 18 09:50 libcrypt.so.0.0
X-rw-r--r--  1 deraadt  wheel   16465 Jun 18 09:50 libcrypt.so.1.0
X-rw-r--r--  1 deraadt  wheel   44424 Jun 18 09:50 libcurses.so.2.1
X-rw-r--r--  1 deraadt  wheel   86198 Jun 18 09:50 libcurses.so.3.0
X-rw-r--r--  1 deraadt  wheel   42254 Jun 18 09:50 libdes.so.4.1
X-rw-r--r--  1 deraadt  wheel   66099 Jun 18 09:50 libedit.so.0.0
X-rw-r--r--  1 deraadt  wheel   43131 Jun 18 09:50 libform.so.0.0
X-rw-r--r--  1 deraadt  wheel  387976 Jun 18 09:50 libg++.so.2.0
X-rw-r--r--  1 deraadt  wheel  305738 Jun 18 09:50 libg++.so.27.1
X-rw-r--r--  1 deraadt  wheel   25544 Jun 18 09:50 libgnumalloc.so.0.0
X-rw-r--r--  1 deraadt  wheel   42696 Jun 18 09:50 libiberty.so.0.0
X-rw-r--r--  1 deraadt  wheel   25282 Jun 18 09:50 libkadm.so.4.0
X-rw-r--r--  1 deraadt  wheel   16610 Jun 18 09:50 libkafs.so.4.0
X-rw-r--r--  1 deraadt  wheel   25539 Jun 18 09:50 libkdb.so.4.0
X-rw-r--r--  1 deraadt  wheel   59943 Jun 18 09:50 libkrb.so.4.0
X-rw-r--r--  1 deraadt  wheel   25328 Jun 18 09:50 libkvm.so.4.0
X-rw-r--r--  1 deraadt  wheel  102104 Jun 18 09:50 libm.so.0.1
X-rw-r--r--  1 deraadt  wheel   26540 Jun 18 09:50 libmenu.so.0.0
X-rw-r--r--  1 deraadt  wheel   44424 Jun 18 09:50 libocurses.so.2.1
X-rw-r--r--  1 deraadt  wheel   16881 Jun 18 09:50 libpanel.so.0.0
X-rw-r--r--  1 deraadt  wheel   60222 Jun 18 09:50 libpcap.so.0.0
X-rw-r--r--  1 deraadt  wheel   25060 Jun 18 09:50 libresolv.so.1.0
X-rw-r--r--  1 deraadt  wheel   16465 Jun 18 09:50 libresolv.so.2.0
X-rw-r--r--  1 deraadt  wheel   33538 Jun 18 09:50 libskey.so.0.0
X-rw-r--r--  1 deraadt  wheel   25764 Jun 18 09:50 libss.so.4.0
X-rw-r--r--  1 deraadt  wheel  277954 Jun 18 09:50 libstdc++.so.27.1
X-rw-r--r--  1 deraadt  wheel   16835 Jun 18 09:50 libtelnet.so.1.0
X-rw-r--r--  1 deraadt  wheel   16691 Jun 18 09:50 libtermcap.so.0.0
X-rw-r--r--  1 deraadt  wheel   16691 Jun 18 09:50 libtermlib.so.0.0
X-rw-r--r--  1 deraadt  wheel   75039 Jun 18 09:50 libtermlib.so.1.0
X-rw-r--r--  1 deraadt  wheel   16625 Jun 18 09:50 libutil.so.3.1
X-rw-r--r--  1 deraadt  wheel   25628 Jun 18 09:50 libutil.so.3.2
X
Xusr/libexec:
Xtotal 100
Xdrwxr-xr-x  2 deraadt  wheel    512 Nov 29  1995 ./
Xdrwxr-xr-x  5 deraadt  wheel    512 Nov 30  1995 ../
X-rwxr-xr-x  1 deraadt  wheel  49152 Jun 18 09:47 ld.so*
X
X[eap anoncvs 14 ]> ls cvs
XCVSROOT/        src/            sup/            www/
X[eap anoncvs 15 ]> ls /open
X[eap anoncvs 16 ]> ls -alF sup
Xtotal 8
Xdrwxrwxr-x  3 deraadt  wheel  512 Dec  4  1995 ./
Xdrwxr-xr-x  7 root     wheel  512 Feb 20 09:58 ../
Xdrwxr-xr-x  2 deraadt  wheel  512 Jun 22 06:05 cvs/
X-rw-rw-r--  1 deraadt  wheel   54 Dec  4  1995 ss
X
X
XThat's pretty much it.
END-of-README
echo x - Makefile
sed 's/^X//' >Makefile << 'END-of-Makefile'
X# Build and install rules for anoncvssh, the login shell of the anonymous
X# CVS account.
X#
X# Example CVSROOT value. It is commented out and nothing in this Makefile
X# passes it to the compiler, so as shipped anoncvssh.c falls back to its
X# own HOSTNAME/LOCALROOT defaults.
X# NOTE(review): the README says to change CVSROOT here; confirm how the
X# value is meant to reach the build (no CFLAGS/-D line is present).
X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
XPROG=   anoncvssh
X# Installed owned by root with mode 4111: setuid bit set, execute-only for
X# owner, group and other, no read or write permission for anyone.
X# The setuid bit is what lets anoncvssh call chroot(2).
XBINOWN= root
XBINMODE=4111
X# Install directory; the README's passwd entry names /open/anoncvssh as
X# the account's shell, so the two must stay in step.
XBINDIR=/open
X# No manual page is built or installed.
XNOMAN=
X
X.include <bsd.prog.mk>
END-of-Makefile
echo x - anoncvssh.c
sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
X/*
X * anoncvssh
X */
X
X#include <sys/types.h>
X
X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
X#include <paths.h>
X#endif
X#include <pwd.h>
X#include <stdio.h>
X#include <stdlib.h>
X#include <string.h>
X#include <unistd.h>
X
X/*
X * Compatibility fallbacks. __CONCAT, __CONCAT3 and __P are each defined
X * here only when no header included above has already defined them
X * (on BSD systems they typically come from <sys/cdefs.h>).
X *
X * NOTE(review): this file hands string literals to __CONCAT/__CONCAT3.
X * Pasting string literals with ## is not guaranteed by ISO C to produce
X * a valid token, and ## operands are not macro-expanded first; adjacent
X * string literals concatenate on their own. Confirm against the target
X * compiler.
X */
X
X/* __CONCAT(x,y): paste two tokens into one. */
X#ifndef __CONCAT
X#if defined(__STDC__) || defined(__cplusplus)
X#define __CONCAT(x,y)		x ## y
X#else
X#define __CONCAT(x,y)		x/**/y
X#endif
X#endif
X
X/* __CONCAT3(x,y,z): paste three tokens into one. */
X#ifndef __CONCAT3
X#if defined(__STDC__) || defined(__cplusplus)
X#define __CONCAT3(x,y,z)	x ## y ## z
X#else
X#define __CONCAT3(x,y,z)	x/**/y/**/z
X#endif
X#endif
X
X/*
X * __P(protos): keeps the parameter list of a prototype on ANSI
X * compilers and reduces it to "()" on traditional ones.
X */
X#ifndef __P
X#if defined(__STDC__) || defined(__cplusplus)
X#define	__P(protos)	protos		/* full-blown ANSI C */
X#else
X#define	__P(protos)	()		/* traditional C preprocessor */
X#endif
X#endif
X
X/*
X * Value of PATH given to the cvs server (see env[] below). The
X * server runs after chroot(), so these directories are looked up
X * inside the anonymous account's home directory.
X * You may need to change this path to ensure that RCS, CVS and diff
X * can be found.
X */
X#ifndef _PATH_DEFPATH
X#define	_PATH_DEFPATH	"/bin:/usr/bin"
X#endif
X
X/*
X * Value of SHELL given to the cvs server (see env[] below).
X * This should not normally have to be changed.
X */
X#ifndef _PATH_BSHELL
X#define _PATH_BSHELL	"/bin/sh"
X#endif
X
X/*
X * Location of CVS tree, relative to the anonymous CVS user's
X * home directory. After chroot() this is the absolute path the
X * server sees, and it is exported as CVSROOT in env[] below.
X */
X#ifndef LOCALROOT
X#define	LOCALROOT	"/cvs"
X#endif
X
X/*
X * Account and host name to be used when accessing the
X * CVS repository remotely. Used only to build the CVSROOT string
X * printed in the usage message.
X */
X#ifndef HOSTNAME
X#define	HOSTNAME	"anoncvs@anoncvs1.usa.openbsd.org"
X#endif
X
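X/*
X * $CVSROOT as printed in the usage message: HOSTNAME, a colon, then
X * LOCALROOT. All three parts are string literals, so they are joined by
X * adjacent string-literal concatenation. Token pasting (##) must not be
X * used here: it does not expand HOSTNAME/LOCALROOT before pasting and
X * the pasted result is not a valid token, which current compilers
X * reject.
X */
X#ifndef CVSROOT
X#define	CVSROOT		HOSTNAME ":" LOCALROOT
X#endif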
X
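Xint main __P((int, char *[]));
X
X/*
X * Complete environment handed to the cvs server by execle(). Nothing is
X * inherited from the connecting client, so PATH, SHELL, HOME and CVSROOT
X * are always the values fixed at compile time. CVSREADONLYFS=1 asks the
X * OpenBSD cvs server to treat the repository as read-only.
X *
X * The "NAME=" prefix and the macro value are joined by adjacent
X * string-literal concatenation; pasting them with ## would neither
X * expand the macro argument nor produce a valid token.
X */
Xchar * const env[] = {
X	"PATH=" _PATH_DEFPATH,
X	"SHELL=" _PATH_BSHELL,
X	"CVSROOT=" LOCALROOT,
X	"HOME=/",
X	"CVSREADONLYFS=1",
X	NULL
X};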
X
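X/*
X * Login shell for the anonymous CVS account.
X *
X * Looks up the calling user's home directory, uses the setuid-root
X * privilege to chroot() into it, gives that privilege up for good, and
X * then either execs "cvs server" with the fixed environment env[] or,
X * for any other invocation, prints usage instructions and exits.
X *
X * Every step of the confine-then-drop sequence is checked: if any of
X * seteuid(), chroot(), chdir() or setuid() fails, continuing would run
X * the remainder of the program, and the cvs server, with root privilege
X * or outside the jail.
X *
X * Exit status: 0 after printing the usage text, 1 on any failure.
X */
Xint
Xmain(int argc, char *argv[])
X{
X	struct passwd *pw;
X	uid_t uid;
X
X	uid = getuid();
X	pw = getpwuid(uid);
X	if (pw == NULL) {
X		/* uid_t has no printf conversion of its own; widen it. */
X		fprintf(stderr, "no user for uid %lu\n", (unsigned long)uid);
X		exit(1);
X	}
X	if (pw->pw_dir == NULL) {
X		fprintf(stderr, "no directory\n");
X		exit(1);
X	}
X
X	/* chroot() needs an effective uid of 0. */
X	if (seteuid(0) == -1) {
X		perror("seteuid");
X		exit(1);
X	}
X	if (chroot(pw->pw_dir) == -1) {
X		perror("chroot");
X		exit(1);
X	}
X	/*
X	 * chroot() does not change the working directory; until this
X	 * chdir() succeeds the process may still be standing outside the
X	 * new root.
X	 */
X	if (chdir("/") == -1) {
X		perror("chdir");
X		exit(1);
X	}
X	/* Give up root; called with euid 0 so all of the uids change. */
X	if (setuid(uid) == -1) {
X		perror("setuid");
X		exit(1);
X	}
X	/* Confirm the drop cannot be undone before trusting it. */
X	if (uid != 0 && (geteuid() != uid || seteuid(0) != -1)) {
X		fprintf(stderr, "unable to drop privileges\n");
X		exit(1);
X	}
X
X	/*
X	 * program now "safe": confined to the home directory and running
X	 * as the calling user
X	 */
X
X	/* Only the exact invocation "anoncvssh -c 'cvs server'" is served. */
X	if (argc != 3 ||
X	    strcmp("anoncvssh",  argv[0]) != 0 ||
X	    strcmp("-c",         argv[1]) != 0 ||
X	    strcmp("cvs server", argv[2]) != 0) {
X
X		fprintf(stderr, "\nTo use anonymous CVS install the latest ");
X		fprintf(stderr,"version of CVS on your local machine.\n");
X		fprintf(stderr,"Then set your CVSROOT environment variable ");
X		fprintf(stderr,"to the following value:\n");
X		fprintf(stderr,"\t%s\n\n", CVSROOT);
X		/* Leave the message on screen before the session closes. */
X		sleep(10);
X		exit(0);
X	}
X
X	/*
X	 * The argument list of a variadic call must end in a null
X	 * *pointer*; a bare NULL may be a plain integer 0.
X	 */
X	execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
X	perror("execle: cvs");
X	fprintf(stderr, "unable to exec CVS server!\n");
X	exit(1);
X}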
X
END-of-anoncvssh.c
exit