So, you want to run an anoncvs server.

A summary of the steps you'll need to do is:

1) Find enough disk space to hold the anoncvs tree, and mount it in an
   appropriate place.

2) Compile and install anoncvssh, the shell used for the anoncvs user.
   Install the cvsync client using the 'pkg_add cvsync' command. (If you
   aren't using OpenBSD you'll probably need to compile a cvsync client
   as well. The easier path is to use OpenBSD ;)

3) Add the anoncvs user to the password file, with no password, and
   anoncvssh as its shell. Decide on a user that will run cvsync to
   maintain the archive (this is a different user, NOT the anoncvs user).

4) Make a home directory for the anoncvs user. The anoncvs user's home
   directory is a chroot jail in which the anoncvssh processes run when
   servicing anoncvs requests. The jail must contain the cvs binary as
   well as whatever shared libraries and support files are needed to run
   it, unless you compile and link everything statically. This example
   shows what is needed for OpenBSD. If you use another platform you'll
   need to be familiar with what needs to go in a chroot jail for your
   platform.

5) Get permission to use cvsync to obtain the cvs tree from a server.

6) Set up cvsync to retrieve the cvs tree from an appropriate place.

7) Run cvsync to retrieve the distribution from the server.

8) Once you get the distribution in, set up a cron job to run cvsync
   periodically to keep your server up to date.

**********************************************************************

STEP 1) Find enough disk space.

You need roughly 6GB. Mount it on /open, and make sure it doesn't have
the nosuid and nodev flags. If you are not able to mount it as /open,
substitute its location throughout the rest of this description.

**********************************************************************

STEP 2) Compile the anoncvssh binary.

In the Makefile, change the variable CVSROOT. Install the binary
setuid-root as /open/anoncvssh.
**********************************************************************

STEP 3) Create the anoncvs account and decide who will run "cvsync" to
maintain the archive.

The anoncvs account should *NOT* be the one running cvsync to maintain
the archive. Create an account similar to:

anoncvs::32766:32766::0:0:Anonymous CVS User:/open/anoncvs:/open/anoncvssh

Yes, that is right - the account has no password. Be sure that the uid
and gid are unique for your system; if the ones above aren't, pick
different values.

Decide who will run cvsync to maintain the archive. Call that user
$CVSYNCUSER. Oh, and in case it hasn't been previously mentioned,
$CVSYNCUSER should *NOT* be the anoncvs user :).

Add the following to the end of your /etc/ssh/sshd_config and restart
your sshd daemon:

Match User anoncvs
	PermitEmptyPasswords yes
	AllowTcpForwarding no
	AllowAgentForwarding no
	X11Forwarding no
	PermitTTY no

**********************************************************************

STEP 4) Build the anoncvs user's home directory chroot jail.

This example assumes that you're using OpenBSD. If you're not, you may
need different files in the chroot.

	mkdir /open/anoncvs
	mkdir /open/anoncvs/cvs
	chown -R $CVSYNCUSER /open/anoncvs/cvs /open/anoncvs

Start filling the account up with nice stuff. You are building a chroot
jail for anoncvs in /open/anoncvs.

	cd /open/anoncvs
	touch .hushlogin
	touch .profile
	mkdir bin dev tmp usr var etc
	cp /bin/{cat,pwd,rm,sh} bin/

Using mknod, make a dev/null that has the same major/minor numbers as
your /dev/null, and make it mode 666. Some shared library systems
require a dev/zero created in the same way.
Fill etc space for the account:

	cp /etc/{group,hosts,passwd,protocols} etc/
	cp /etc/{pwd.db,resolv.conf,services,ttys} etc/

Modify these files to suit your idea of system security.

anoncvssh (by setting the environment variable CVSREADONLYFS) uses a
tiny extension provided in the OpenBSD cvs server code which permits
the use of read-only cvs repositories; therefore you MUST compile the
OpenBSD version of cvs. Luckily this is not a problem on a non-OpenBSD
machine, since the cvs sources are imported verbatim into the OpenBSD
tree. They are in gnu/usr.bin/cvs. The sources are integrated in such
a way that Makefile.bsd-wrapper knows how to build them on an OpenBSD
machine, using obj directories.

Create tmp space for the account:

	# (cd var && ln -s ../tmp tmp)
	# chmod a+rwx tmp
	# mkdir usr/{bin,lib}
	# cp /usr/bin/cvs usr/bin/

If your system has ld.so in /usr/libexec:

	# mkdir usr/libexec
	# cp /usr/libexec/ld.so usr/libexec/

If using shared libraries, use ldd to find out which shared libs you
need:

	# ldd /usr/bin/cvs
	/usr/bin/cvs:
	        Start    End      Type Open Ref GrpRef Name
	        1c000000 3c01f000 exe  1    0   0      /usr/bin/cvs
	        0f802000 2f80a000 rlib 0    1   0      /usr/lib/libz.so.5.0
	        094d2000 2950b000 rlib 0    1   0      /usr/lib/libc.so.84.2
	        094ca000 094ca000 rtld 0    1   0      /usr/libexec/ld.so

and then copy the required libraries to usr/lib/.

As a final pass, make sure that all the files you have just created are
not world writable (except dev/null).

For :pserver: support (optional):

- Create an entry in /etc/services:

	cvspserver	2401/tcp	# CVS client/server operations

- Create an entry in /etc/inetd.conf:

	cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver

- Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following
  entry:

	anoncvs:AHDysQkJIubEc

  which would be a password of "anoncvs" (as per anoncvs.html).

- Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:

	anoncvs

  which tells cvs that user "anoncvs" is allowed readonly access.
- Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers, since you
  don't want anyone to be able to write to the mirror.

	% cp /dev/null /open/anoncvs/cvs/CVSROOT/writers

See the example layout below for full details.

**********************************************************************

STEP 5) Get cvsync permission.

Send mail to sup@openbsd.org:

1) to have cvsync permissions granted on an appropriate machine for you
   to cvsync from. We will need to know your host's real hostname and IP
   address.

2) to have an anoncvsN.COUNTRY.openbsd.org alias created.

3) to have your site mentioned in the http://www.openbsd.org/anoncvs.html
   page.

**********************************************************************

STEP 6) Configure cvsync.

You have to install the cvsync package. The file /etc/cvsync.conf
contains the configuration of cvsync. It will normally contain:

config {
	base-prefix /open/anoncvs/
	hostname anoncvs.ca.openbsd.org
	collection {
		name openbsd-cvsroot release rcs
		prefix cvs
	}
	collection {
		name openbsd-src release rcs
		prefix cvs
	}
	collection {
		name openbsd-ports release rcs
		prefix cvs
	}
	collection {
		name openbsd-www release rcs
		prefix cvs
	}
	collection {
		name openbsd-xenocara release rcs
		prefix cvs
	}
}

**********************************************************************

STEP 7) Run cvsync to retrieve the tree for the first time.

Log in as or become the $CVSYNCUSER, and run:

	cvsync > /tmp/cvsynclog & tail -f /tmp/cvsynclog

If you have cvsync permission, and have specified the correct host and
prefix in /etc/cvsync.conf, you should see a list of files start coming
in after a short while. Don't panic if nothing happens immediately.
Watch for errors (cvsync can time out or die). If you can't access
files, contact the cvsync server maintainer. If you get a timeout or if
cvsync dies, you can restart it and it should continue where it left
off. It can take a good while (and a couple of restarts) to obtain the
whole tree for the first time.
**********************************************************************

STEP 8) Set up cron to keep the tree up to date.

You run cvsync periodically from cron by setting up the crontab file of
the $CVSYNCUSER. For example, to update every two hours:

	15 */2 * * * /usr/local/bin/cvsync > /dev/null

**********************************************************************

EXAMPLE LAYOUT

Example layout for OpenBSD. In this example "deraadt" is the
$CVSYNCUSER.

$ cd /open
$ ls -alF
total 64
drwxr-xr-x   5 root     wheel      512 Jun 18 22:29 ./
drwxr-xr-x  13 root     wheel      512 Jun  4 05:14 ../
drwxr-xr-x   9 deraadt  wheel      512 Jun  3 02:15 anoncvs/
---s--x--x   1 root     wheel    14302 Jun 18 22:29 anoncvssh*
drwxr-xr-x   4 root     wheel     5120 Jun 10 14:34 ftp/
$ cd anoncvs
$ ls -alF
total 68
drwxr-xr-x   9 root     wheel      512 Jun  3 02:15 ./
drwxr-xr-x   5 root     wheel      512 Jun 10 14:32 ../
-rw-r--r--   1 root     wheel        0 Jun  3 01:50 .hushlogin
-rw-r--r--   1 root     wheel       84 Jun  3 01:50 .plan
-rw-r--r--   1 root     wheel        0 Jun  3 01:50 .profile
drwxr-xr-x   2 root     wheel      512 Jun  3 01:40 bin/
drwxr-xr-x   7 deraadt  wheel      512 Jun 18 22:19 cvs/
drwxr-xr-x   2 root     wheel      512 Jun  3 01:51 dev/
drwxr-xr-x   2 root     wheel      512 Jun  3 01:53 etc/
drwxrwxrwx  10 root     wheel      512 Jun 18 17:38 tmp/
drwxr-xr-x   5 root     wheel      512 Jun  3 01:54 usr/
drwxr-xr-x   2 root     wheel      512 Jun  3 01:54 var/
$ ls -alFR bin usr tmp etc dev
bin:
total 1984
drwxr-xr-x   2 root     wheel      512 Jun  3 01:40 ./
drwxr-xr-x   9 root     wheel      512 Jun  3 02:15 ../
-r-xr-xr-x   1 root     wheel   132368 Jun  3 01:40 cat*
-r-xr-xr-x   1 root     wheel   124176 Jun  3 01:40 pwd*
-r-xr-xr-x   1 root     wheel   238864 Jun  3 01:40 rm*
-r-xr-xr-x   1 root     wheel   460048 Jun  3 01:40 sh*

dev:
total 8
drwxr-xr-x   2 root     wheel      512 Jun  3 01:51 ./
drwxr-xr-x   9 root     wheel      512 Jun  3 02:15 ../
crw-rw-rw-   1 root     wheel    3,   2 Jun  3 01:51 null
crw-rw-rw-   1 root     wheel    3,  12 Jun  3 01:51 zero

etc:
total 188
drwxr-xr-x   2 root     wheel      512 Jun  3 01:53 ./
drwxr-xr-x   9 root     wheel      512 Jun  3 02:15 ../
-r--r--r--   1 root     wheel       64 Jun  3 01:52 group*
-r--r--r--   1 root     wheel      576 Jun  3 01:52 hosts*
-r--r--r--   1 root     wheel      291 Jun  3 01:53 passwd*
-r--r--r--   1 root     wheel     5625 Jun  3 01:52 protocols*
-r--r--r--   1 root     wheel    40960 Jun  3 01:52 pwd.db*
-r--r--r--   1 root     wheel       93 Jun  3 01:52 resolv.conf*
-r--r--r--   1 root     wheel     9875 Jun  3 01:52 services*
-r--r--r--   1 root     wheel    26428 Jun  3 01:52 ttys*

usr:
total 20
drwxr-xr-x   5 root     wheel      512 Jun  3 01:54 ./
drwxr-xr-x   9 root     wheel      512 Jun  3 02:15 ../
drwxr-xr-x   2 root     wheel      512 Jun  3 01:57 bin/
drwxr-xr-x   2 root     wheel      512 Jun  3 01:56 lib/
drwxr-xr-x   2 root     wheel      512 Jun  3 01:55 libexec/

usr/bin:
total 3016
drwxr-xr-x   2 root     wheel      512 Jun  3 01:57 ./
drwxr-xr-x   5 root     wheel      512 Jun  3 01:54 ../
-r-xr-xr-x   1 root     wheel   643728 Jun  3 01:54 cvs*

usr/lib:
total 42344
drwxr-xr-x   2 root     wheel      512 Jun  3 01:56 ./
drwxr-xr-x   5 root     wheel      512 Jun  3 01:54 ../
-r--r--r--   1 root     wheel  4605409 Jun  3 01:56 libc.so.84.2
-r--r--r--   1 root     wheel   182556 Jun  3 01:55 libz.so.5.0

usr/libexec:
total 120
drwxr-xr-x   2 root     wheel      512 Jun  3 01:55 ./
drwxr-xr-x   5 root     wheel      512 Jun  3 01:54 ../
-r-xr-xr-x   1 root     wheel    55683 Jun  3 01:55 ld.so*
$ ls cvs
CVSROOT  ports    src      www      xenocara
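As an added example (not part of the OpenBSD README or the anoncvssh distribution), the following POSIX sh helpers cover the two mechanical parts of STEP 4: picking the shared objects out of OpenBSD ldd(1) output in the format shown above, and auditing a finished jail such as the one in the example layout for the files cvs needs, a real dev/null device node, and anything left world writable. The jail path /open/anoncvs is the README's; the function names and the list of files checked are my assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenBSD README or anoncvssh itself.
# Helpers for STEP 4; function names and the required-file list are
# assumptions based on the text above.

# Read OpenBSD ldd(1) output on stdin and print the objects to copy.
# Columns: Start End Type Open Ref GrpRef Name; keep rlib and rtld rows
# (the libraries and ld.so), skip the exe row and the header.
jail_libs() {
	awk '$3 == "rlib" || $3 == "rtld" { print $7 }'
}

# Copy every object ldd reports for binary $2 into jail $1, keeping its
# path, so /usr/lib/libc.so.84.2 lands in $1/usr/lib/ and ld.so in
# $1/usr/libexec/. OpenBSD ldd output format only.
install_libs() {
	ldd "$2" | jail_libs | while read -r lib; do
		mkdir -p "$1$(dirname "$lib")"
		cp "$lib" "$1$(dirname "$lib")/"
	done
}

# Audit a finished jail (default /open/anoncvs). Returns 0 when clean,
# 1 otherwise, printing one line per problem.
audit_jail() {
	jail=${1:-/open/anoncvs}
	rc=0
	for f in bin/sh bin/cat bin/pwd bin/rm usr/bin/cvs \
	         etc/passwd etc/pwd.db etc/group dev/null; do
		[ -e "$jail/$f" ] || { echo "missing: $f"; rc=1; }
	done
	# mknod must have produced a character device, not a plain file.
	[ -c "$jail/dev/null" ] || { echo "dev/null is not a char device"; rc=1; }
	# Anything world-writable lets the anoncvs user alter the jail; only
	# tmp/ (chmod a+rwx above) and the device nodes are expected to be.
	bad=$(find "$jail" -path "$jail/tmp" -prune -o -path "$jail/dev" -prune \
	      -o ! -type l -perm -002 -print)
	if [ -n "$bad" ]; then
		echo "world-writable:"
		echo "$bad"
		rc=1
	fi
	return $rc
}

# Usage (as root, after building the jail):
#   install_libs /open/anoncvs /usr/bin/cvs
#   audit_jail /open/anoncvs
```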