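# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	Makefile
#	README
#	anoncvssh.c
#
# Each member below is a quoted here-document; sed strips the leading "X"
# that protects every archived line.
#
# Makefile: builds anoncvssh and installs it into /open, owned by root,
# with mode 4111 (setuid root, execute-only for every account).
echo x - Makefile
sed 's/^X//' >Makefile << 'END-of-Makefile'
X#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
X# Setuid root (4111) because anoncvssh.c calls seteuid(0) and chroot(2)
X# before it switches back to the invoking uid.
X# NOTE(review): mode 4111 lets every local account execute the setuid
X# binary; confirm that is intended, or restrict execution to the anoncvs
X# account.
XPROG= anoncvssh
XBINOWN= root
XBINMODE=4111
XBINDIR=/open
XNOMAN=
X
X# NOTE(review): the operand of .include was missing from the archived
X# copy; <bsd.prog.mk> is the BSD make template that consumes the PROG,
X# BIN* and NOMAN variables set above -- confirm against the original.
X.include <bsd.prog.mk>
X
END-of-Makefile
# README: setup notes for the chroot area of the anonymous CVS account.
echo x - README
sed 's/^X//' >README << 'END-of-README'
Xfind enough disk space.
X    you need roughly 300MB.
X    mount it on /open
X    if you are not able to mount it as /open, substitute it's location
X    throughout this description
X
Xcompile the anoncvssh binary
X    in the Makefile, change the variable CVSROOT
X    install the binary setuid-root.
X
Xcreate an account:
X    anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh
Xyes, that is right. the account has no password.
X
XFor :pserver: support (optional)
X    - Create an entry in /etc/services
X    cvspserver 2401/tcp # CVS client/server operations
X    - Create an entry in /etc/inetd.conf
X    cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
X
Xinstall a crontab entry which runs as any user besides anoncvs (ie. run
Xit as yourself, or as root). call that user $SUPUSER
X
XFor example: To run every three hours 'sup -v supfile', and thrice
Xweekly 'sup -vo supfile' .. because sup is not reliable ..
X
X0 0,3,6,9,12,15,18,21 * * 0,2,4,5 sup -v /open/anoncvs/sup/ss > /dev/null
X0 0,12,15,18,21 * * 1,3,6 sup -v /open/anoncvs/sup/ss > /dev/null
X0 3 * * 1,3,6 sup -vo /open/anoncvs/sup/ss > /dev/null
X
Xanoncvs5.usa.openbsd.org uses this particular set of entries. A `sup
X-o' is done every few days because sup is not very robust.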
X Xthe file /open/sup/ss contains X cvs host=cvs.openbsd.org hostbase=/ base=/open/anoncvs delete X Xthe file /open/sup/cvs/refuse should contain the single line X cvs/CVSROOT/history Xif you ever fetch the file cvs/CVSROOT/history, delete it. it will Xcause you problems. X Xon an IRIX or other SYSV machine, ensure that your kernel does not allow Xa user to chown a file to another user. this will cause sup to give away Xthe files to root before chmod'ing them readable. michaels@openbsd.org Xknows how to fix this. X Xmkdir /open/ Xmkdir /open/anoncvs Xmkdir /open/anoncvs/cvs Xmkdir /open/anoncvs/sup Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs X Xstart filling the account up with nice stuff X cd /open/anoncvs X touch .hushlogin X touch .profile X Xput a message like the following in .plan: X To use anonymous CVS install the latest version of CVS on your local X machine. X Then set your CVSROOT environment variable to the following value: X anoncvs@anoncvs.openbsd.org:/cvs X X chown root.wheel .hushlogin .profile .plan X X mkdir bin dev tmp usr var etc X cp /bin/{cat,pwd,rm,sh} bin/ X Xusing mknod, make a dev/null that has the same major/minor numbers as X your /dev/null, and make it mode 666. X Xsome shared library systems require a dev/zero created in the same way X Xfill etc space for the account X cp /etc/{group,hosts,passwd,protocols} etc/ X cp /etc/{pwd.db,resolv.conf,services,ttys} etc/ X modify these files to suit your idea of system security X Xanoncvssh (by setting the environment variable CVSREADONLYFS) uses an Xtiny extension provided in the openbsd cvs server code which permits Xthe use of read-only cvs repositories. therefore you MUST compile the Xopenbsd version of cvs. luckily this is not a problem on a Xnon-openbsd machine since the cvs sources are imported verbatim into Xthe openbsd tree. they are in gnu/usr.bin/cvs. 
The sources are Xintegrated such that Makefile.bsd-wrapper knows how to build the Xsources on an OpenBSD machine, using obj directories. X Xcreate tmp space for the account X cd var; ln -s ../tmp tmp X chmod a+rwx tmp X X mkdir usr/{bin,lib} X cp /usr/bin/{ci,co,cvs,diff,diff3,gzip,rcs,rcsclean} usr/bin/ X cp /usr/bin/{rcsdiff,rcsfreeze,rcsmerge,rlog,sdiff,zdiff} usr/bin/ X cp /usr/bin/grep usr/bin X Xif your system has ld.so in /usr/libexec, X mkdir usr/libexec X cp /usr/libexec/ld.so usr/libexec/ X Xif using shared libraries, copy the shared libs you might need: X cp /usr/lib/lib*.so.* usr/lib/ X Xas a final pass, make sure that all the files you have just created are Xnot world writeable (except dev/null) X Xsend mail to deraadt@openbsd.org X1) to have sup permissions granted. X2) to have an anoncvsN.COUNTRY.openbsd.org alias created X3) to have your site mentioned in the http://www.openbsd.org page. X XExample layout. In this example "deraadt" is the $SUPUSER. X X[eap open 5 ]> cd /open X[eap open 6 ]> ls -alF Xtotal 46 Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./ Xdrwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../ Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 anoncvs/ X---s--x--x 1 root bin 16384 Nov 30 1995 anoncvssh* Xlrwxr-xr-x 1 root wheel 11 Jan 3 21:52 cvs@ -> anoncvs/cvs Xdrwxr-xr-x 5 root wheel 512 Feb 22 13:22 ftp/ Xdrwxrwxrwt 2 anoncvs wheel 1024 Jan 1 13:18 lost+found/ Xdrwxr-xr-x 4 root wheel 512 Nov 30 1995 src/ Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 sup/ X[eap open 7 ]> cd anoncvs X[eap anoncvs 8 ]> ls -alF Xtotal 20 Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ./ Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../ X-r--r--r-- 1 root wheel 0 Nov 30 1995 .hushlogin X-r--r--r-- 1 root wheel 188 Nov 30 1995 .plan X-r--r--r-- 1 root wheel 0 Nov 29 1995 .profile Xdrwxrwxrwx 2 deraadt wheel 512 Nov 29 1995 bin/ Xdrwxrwxr-x 6 deraadt cvs 512 Jun 16 20:28 cvs/ Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 dev/ Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 etc/ Xdrwxrwxrwx 3 root 
wheel 512 Jun 22 07:42 tmp/ Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 usr/ Xdrwxr-xr-x 2 root wheel 512 Jan 3 21:55 var/ X[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev Xbin: Xtotal 948 Xdrwxrwxrwx 2 deraadt wheel 512 Nov 29 1995 ./ Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 cat* X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 pwd* X--wx--x--x 1 deraadt wheel 122880 Jun 18 09:45 rm* X--wx--x--x 1 deraadt wheel 262144 Jun 18 09:45 sh* X Xdev: Xtotal 4 Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 ./ Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ Xcrw-rw-rw- 1 root wheel 2, 2 Nov 30 1995 null X Xetc: Xtotal 112 Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 ./ Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ X-rw-r--r-- 1 root wheel 252 Nov 29 1995 group X-rw-r--r-- 1 root wheel 296 Nov 29 1995 hosts X-rw-r--r-- 1 root wheel 540 Nov 29 1995 passwd X-rw-r--r-- 1 root wheel 1094 Nov 29 1995 protocols X-rw-r--r-- 1 root wheel 40960 Nov 29 1995 pwd.db X-rw-r--r-- 1 root wheel 89 Nov 29 1995 resolv.conf X-rw-r--r-- 1 root wheel 5529 Nov 29 1995 services X-rw-r--r-- 1 root wheel 1361 Nov 29 1995 ttys X Xusr: Xtotal 10 Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ./ Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 bin/ Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 lib/ Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 libexec/ X Xusr/bin: Xtotal 1968 Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 ./ Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../ X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 ci* X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 co* X--wx--x--x 1 deraadt wheel 317787 Jun 18 09:46 cvs* X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 diff* X--wx--x--x 1 deraadt wheel 24576 Jun 18 09:46 diff3* X--wx--x--x 1 deraadt wheel 90112 Jun 18 09:46 gzip* X--wx--x--x 1 deraadt wheel 73728 Jun 18 09:46 rcs* X--wx--x--x 1 deraadt wheel 65536 Jun 18 09:46 rcsclean* X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 
rcsdiff* X--wx--x--x 1 deraadt wheel 3228 Jun 18 09:46 rcsfreeze* X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rcsmerge* X--wx--x--x 1 deraadt wheel 57344 Jun 18 09:46 rlog* X--wx--x--x 1 deraadt wheel 24576 Jun 18 09:46 sdiff* X--wx--x--x 1 deraadt wheel 2006 Jun 18 09:46 zdiff* X Xusr/lib: Xtotal 5594 Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 ./ Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../ X-rw-r--r-- 1 deraadt wheel 16665 Jun 18 09:50 libacl.so.4.0 X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libc.so.12.3 X-rw-r--r-- 1 deraadt wheel 377359 Jun 18 09:50 libc.so.12.6 X-rw-r--r-- 1 deraadt wheel 16608 Jun 18 09:50 libcrypt.so.0.0 X-rw-r--r-- 1 deraadt wheel 16465 Jun 18 09:50 libcrypt.so.1.0 X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libcurses.so.2.1 X-rw-r--r-- 1 deraadt wheel 86198 Jun 18 09:50 libcurses.so.3.0 X-rw-r--r-- 1 deraadt wheel 42254 Jun 18 09:50 libdes.so.4.1 X-rw-r--r-- 1 deraadt wheel 66099 Jun 18 09:50 libedit.so.0.0 X-rw-r--r-- 1 deraadt wheel 43131 Jun 18 09:50 libform.so.0.0 X-rw-r--r-- 1 deraadt wheel 387976 Jun 18 09:50 libg++.so.2.0 X-rw-r--r-- 1 deraadt wheel 305738 Jun 18 09:50 libg++.so.27.1 X-rw-r--r-- 1 deraadt wheel 25544 Jun 18 09:50 libgnumalloc.so.0.0 X-rw-r--r-- 1 deraadt wheel 42696 Jun 18 09:50 libiberty.so.0.0 X-rw-r--r-- 1 deraadt wheel 25282 Jun 18 09:50 libkadm.so.4.0 X-rw-r--r-- 1 deraadt wheel 16610 Jun 18 09:50 libkafs.so.4.0 X-rw-r--r-- 1 deraadt wheel 25539 Jun 18 09:50 libkdb.so.4.0 X-rw-r--r-- 1 deraadt wheel 59943 Jun 18 09:50 libkrb.so.4.0 X-rw-r--r-- 1 deraadt wheel 25328 Jun 18 09:50 libkvm.so.4.0 X-rw-r--r-- 1 deraadt wheel 102104 Jun 18 09:50 libm.so.0.1 X-rw-r--r-- 1 deraadt wheel 26540 Jun 18 09:50 libmenu.so.0.0 X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libocurses.so.2.1 X-rw-r--r-- 1 deraadt wheel 16881 Jun 18 09:50 libpanel.so.0.0 X-rw-r--r-- 1 deraadt wheel 60222 Jun 18 09:50 libpcap.so.0.0 X-rw-r--r-- 1 deraadt wheel 25060 Jun 18 09:50 libresolv.so.1.0 X-rw-r--r-- 1 deraadt wheel 16465 
Jun 18 09:50 libresolv.so.2.0 X-rw-r--r-- 1 deraadt wheel 33538 Jun 18 09:50 libskey.so.0.0 X-rw-r--r-- 1 deraadt wheel 25764 Jun 18 09:50 libss.so.4.0 X-rw-r--r-- 1 deraadt wheel 277954 Jun 18 09:50 libstdc++.so.27.1 X-rw-r--r-- 1 deraadt wheel 16835 Jun 18 09:50 libtelnet.so.1.0 X-rw-r--r-- 1 deraadt wheel 16691 Jun 18 09:50 libtermcap.so.0.0 X-rw-r--r-- 1 deraadt wheel 16691 Jun 18 09:50 libtermlib.so.0.0 X-rw-r--r-- 1 deraadt wheel 75039 Jun 18 09:50 libtermlib.so.1.0 X-rw-r--r-- 1 deraadt wheel 16625 Jun 18 09:50 libutil.so.3.1 X-rw-r--r-- 1 deraadt wheel 25628 Jun 18 09:50 libutil.so.3.2 X Xusr/libexec: Xtotal 100 Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 ./ Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../ X-rwxr-xr-x 1 deraadt wheel 49152 Jun 18 09:47 ld.so* X X[eap anoncvs 14 ]> ls cvs XCVSROOT/ src/ sup/ www/ X[eap anoncvs 15 ]> cd /open X[eap anoncvs 16 ]> ls -alF sup Xtotal 8 Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 ./ Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../ Xdrwxr-xr-x 2 deraadt wheel 512 Jun 22 06:05 cvs/ X-rw-rw-r-- 1 deraadt wheel 54 Dec 4 1995 ss X X XThat's pretty much it. X XFrom Todd Fries to the adventurous. XA note for those installing anoncvs on non-OpenBSD operating systems. XYou are in for some fun. X XFor OSF1, on a DEC alpha, I had to do the following in addition to the Xabove: X X- I do not know how to setup dynamic libraries on osf1 and as a result X everything had to be compiled statically. X- Therefore, everything but /bin/sh I had to recmpile in order to X get the chroot setup. In order that there be no guesswork X involved, the following packages' binaries must exist in the chroot X environment: X X GNU X cvs (from the OpenBSD source tree) X diff[utils] (unless you're running *BSD, probably better get it from a gnu X mirror...the Makefile doesn't work otherwise) X rcs (from the OpenBSD source tree) X XSome notes on compiling. X X rcs must have diff3 capable of diff3 -m during configure. 
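X    OSF doesn't by default, thus I had to compile diffutils first.
X
X    cvs fails to install if you don't have makeinfo ... just search for the
X    string ' install-info$' with regex and remove it from the Makefile for the
X    install and you'll be fine, or install 'texinfo', your choice.
END-of-README
# anoncvssh.c: the setuid-root wrapper that the anonymous account uses as
# its shell (see the passwd and inetd.conf entries in the README).
echo x - anoncvssh.c
sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c'
X/*
X * anoncvssh
X *
X * Restricted shell for an anonymous, read-only CVS account.  It chroot(2)s
X * into the home directory recorded for the invoking uid, switches back to
X * that uid, and then runs /usr/bin/cvs in "server" or "pserver" mode with
X * a fixed environment.  Any other request gets a usage message.
X */
X
X/*
X * NOTE(review): the header names were missing from the archived copy of
X * this file.  The list below is reconstructed from the functions the file
X * calls (string.h is needed for strcmp) -- confirm against the original.
X */
X#include <stdio.h>
X#include <stdlib.h>
X#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__)
X#include <paths.h>
X#endif
X#include <sys/types.h>
X#include <pwd.h>
X#include <string.h>
X#include <unistd.h>
X
X/*
X * NOTE(review): env[], CVSROOT and the argv[2] comparison below build
X * their strings by pasting string literals with ##.  ISO C does not define
X * that paste and current compilers may reject it; adjacent string literals
X * ("PATH=" _PATH_DEFPATH) are the portable spelling.  Confirm the target
X * toolchain before building.
X */
X#ifndef __CONCAT
X#if defined(__STDC__) || defined(__cplusplus)
X#define __CONCAT(x,y) x ## y
X#else
X#define __CONCAT(x,y) x/**/y
X#endif
X#endif
X
X#ifndef __CONCAT3
X#if defined(__STDC__) || defined(__cplusplus)
X#define __CONCAT3(x,y,z) x ## y ## z
X#else
X#define __CONCAT3(x,y,z) x/**/y/**/z
X#endif
X#endif
X
X#ifndef __P
X#if defined(__STDC__) || defined(__cplusplus)
X#define __P(protos) protos /* full-blown ANSI C */
X#else
X#define __P(protos) () /* traditional C preprocessor */
X#endif
X#endif
X
X/*
X * You may need to change this path to ensure that RCS, CVS and diff
X * can be found
X */
X#ifndef _PATH_DEFPATH
X#define _PATH_DEFPATH "/bin:/usr/bin"
X#endif
X
X/*
X * This should not normally have to be changed
X */
X#ifndef _PATH_BSHELL
X#define _PATH_BSHELL "/bin/sh"
X#endif
X
X/*
X * Location of CVS tree, relative to the anonymous CVS user's
X * home directory
X */
X#ifndef LOCALROOT
X#define LOCALROOT "/cvs"
X#endif
X
X/*
X * Account and host name to be used when accessing the
X * CVS repository remotely
X */
X#ifndef HOSTNAME
X#define HOSTNAME "anoncvs@anoncvs1.usa.openbsd.org"
X#endif
X
X/*
X * $CVSROOT is created based on HOSTNAME and LOCALROOT above
X */
X#ifndef CVSROOT
X#define CVSROOT __CONCAT3(HOSTNAME,":",LOCALROOT)
X#endif
X
Xint main __P((int, char *[]));
X
X/*
X * The complete environment handed to cvs.  execle() is given this array,
X * so nothing from the caller's own environment reaches the cvs process.
X */
Xchar * const env[] = {
X    __CONCAT("PATH=",_PATH_DEFPATH),
X    __CONCAT("SHELL=",_PATH_BSHELL),
X    __CONCAT("CVSROOT=",LOCALROOT),
X    "HOME=/",
X    "CVSREADONLYFS=1",
X    NULL
X};
X
X/*
X * Confine the caller to its home directory, drop root, and exec cvs.
X *
X * Accepted invocations:
X *   anoncvssh pserver                      -> cvs pserver
X *   anoncvssh -c "cvs server"              -> cvs server
X *   anoncvssh -c "cvs -d LOCALROOT server" -> cvs server
X * Anything else prints the usage text, sleeps 10 seconds and exits 0.
X * Exits 1 if the passwd lookup, chroot, privilege drop or exec fails.
X *
X * NOTE(review): the Makefile installs this binary setuid root and
X * executable by every account, and the chroot target is the home
X * directory of whoever runs it.  Consider refusing any uid other than the
X * anonymous CVS account before calling chroot(2), so that a tree the
X * caller controls never becomes the root directory.
X */
Xint
Xmain(argc, argv)
Xint argc;
Xchar *argv[];
X{
X    struct passwd *pw;
X    uid_t uid;
X#ifdef DEBUG
X    int i;
X#endif /* DEBUG */
X
X    uid = getuid();
X    pw = getpwuid(uid);
X    if (pw == NULL) {
X        fprintf(stderr, "no user for uid %d\n", (int)uid);
X        exit(1);
X    }
X    if (pw->pw_dir == NULL) {
X        fprintf(stderr, "no directory\n");
X        exit(1);
X    }
X
X    /* chroot(2) needs root; every step is checked so that a failure */
X    /* can never fall through to the exec below. */
X    if (seteuid(0) == -1) {
X        perror("seteuid");
X        exit(1);
X    }
X    if (chroot(pw->pw_dir) == -1) {
X        perror("chroot");
X        exit(1);
X    }
X    /* Without this the working directory could stay outside the new root. */
X    if (chdir("/") == -1) {
X        perror("chdir");
X        exit(1);
X    }
X    /* With euid 0 this resets the real, effective and saved uid together. */
X    if (setuid(uid) == -1) {
X        perror("setuid");
X        exit(1);
X    }
X    /* Refuse to continue if the drop did not take effect. */
X    if (getuid() != uid || geteuid() != uid) {
X        fprintf(stderr, "unable to drop privileges\n");
X        exit(1);
X    }
X
X    /*
X     * program now "safe": confined to the chroot and running as the
X     * invoking uid
X     */
X
X    /*
X     * If we want pserver functionality.  The test used to be a bare
X     * strcmp(), which is non-zero for everything EXCEPT "pserver" and
X     * dereferenced argv[1] even when no argument was given.
X     */
X    if (argc == 2 && strcmp("pserver", argv[1]) == 0) {
X        execle("/usr/bin/cvs", "cvs", "pserver", (char *)NULL, env);
X        perror("execle: cvs");
X        fprintf(stderr, "unable to exec CVS pserver!\n");
X        exit(1);
X        /* NOTREACHED */
X    }
X
X    /* Only the exact command line a CVS client sends is accepted. */
X    if (argc != 3 ||
X        strcmp("anoncvssh", argv[0]) != 0 ||
X        strcmp("-c", argv[1]) != 0 ||
X        (strcmp("cvs server", argv[2]) != 0 &&
X        strcmp(__CONCAT3("cvs -d ",LOCALROOT," server"), argv[2]) != 0)) {
X
X        fprintf(stderr, "\nTo use anonymous CVS install the latest ");
X        fprintf(stderr,"version of CVS on your local machine.\n");
X        fprintf(stderr,"Then set your CVSROOT environment variable ");
X        fprintf(stderr,"to the following value:\n");
X        fprintf(stderr,"\t%s\n\n", CVSROOT);
X#ifdef DEBUG
X        fprintf(stderr, "argc = %d\n", argc);
X        for (i = 0 ; i < argc ; i++)
X            fprintf(stderr, "argv[%d] = \"%s\"\n", i, argv[i]);
X#endif /* DEBUG */
X        sleep(10);
X        exit(0);
X    }
X
X    /* The argument list is fixed; nothing from argv[2] is passed on. */
X    execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
X    perror("execle: cvs");
X    fprintf(stderr, "unable to exec CVS server!\n");
X    exit(1);
X    /* NOTREACHED */
X}
X
END-of-anoncvssh.c
exit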