From 2a5b5ab1809f1685e2071834be4755e32078c59a Mon Sep 17 00:00:00 2001
From: Dimitri Sokolyuk
Date: Tue, 31 May 2016 11:50:52 +0200
Subject: Sync from https://www.openbsd.org/anoncvs.shar
---
 anoncvs.shar | 79 ++++++++++++------------------------------------------------
 1 file changed, 16 insertions(+), 63 deletions(-)
diff --git a/anoncvs.shar b/anoncvs.shar
index a388dcf..bcdc2b5 100644
--- a/anoncvs.shar
+++ b/anoncvs.shar
@@ -60,7 +60,7 @@ X periodically to keep your server up to date.
 X
 X**********************************************************************
 XSTEP 1) find enough disk space.
-X You need roughly 2GB.
+X You need roughly 6GB.
 X Mount it on /open, make sure it doesn't have nosuid and nodev flags.
 X If you are not able to mount it as /open, substitute it's location
 X throughout the rest of this description.
@@ -95,6 +95,7 @@ X PermitEmptyPasswords yes
 X AllowTcpForwarding no
 X AllowAgentForwarding no
 X X11Forwarding no
+X PermitTTY no
 X
 X**********************************************************************
 XSTEP 4) Build the anoncvs user's home directory chroot jail. This
@@ -111,13 +112,6 @@ X
 X cd /open/anoncvs
 X touch .hushlogin
 X touch .profile
-X
-XPut a message like the following in .plan:
-X To use anonymous CVS install the latest version of CVS on your local
-X machine.
-X Then set your CVSROOT environment variable to the following value:
-X anoncvs@anoncvs.openbsd.org:/cvs
-X
 X mkdir bin dev tmp usr var etc
 X cp /bin/{cat,pwd,rm,sh} bin/
 X
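Review bot: The forwarding lockdown in the sshd_config hunk (`@@ -95,6 +95,7 @@`) still leaves Unix-domain socket forwarding at its default, because `AllowTcpForwarding no` covers TCP forwarding only. For an account that runs with `PermitEmptyPasswords yes`, I would add `AllowStreamLocalForwarding no` next to the new `PermitTTY no`. The start of this configuration block is outside the hunk, so I am assuming these directives sit under a `Match` for the anoncvs user; the README should say so explicitly, because `PermitEmptyPasswords yes` applied globally would expose every empty-password account on the host.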
@@ -156,12 +150,8 @@ X # ldd /usr/bin/cvs
 X /usr/bin/cvs:
 X Start End Type Open Ref GrpRef Name
 X 1c000000 3c01f000 exe 1 0 0 /usr/bin/cvs
-X 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.4.1
-X 020f3000 220f8000 rlib 0 1 0 /usr/lib/libgssapi.so.5.0
-X 0530c000 2531c000 rlib 0 1 0 /usr/lib/libkrb5.so.17.0
-X 03801000 23841000 rlib 0 1 0 /usr/lib/libcrypto.so.18.0
-X 0a8fb000 2a900000 rlib 0 1 0 /usr/lib/libdes.so.9.0
-X 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.51.0
+X 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.5.0
+X 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.84.2
 X 094ca000 094ca000 rtld 0 1 0 /usr/libexec/ld.so
 X
 X and then copy the required libraries to usr/lib/
@@ -333,12 +323,8 @@ Xusr/lib:
 Xtotal 42344
 Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./
 Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../
-X-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.50.1
-X-r--r--r-- 1 root wheel 9659802 Jun 3 01:56 libcrypto.so.18.0
-X-r--r--r-- 1 root wheel 190814 Jun 3 01:56 libdes.so.9.0
-X-r--r--r-- 1 root wheel 1593303 Jun 3 01:55 libgssapi.so.5.0
-X-r--r--r-- 1 root wheel 5337583 Jun 3 01:56 libkrb5.so.16.0
-X-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.4.1
+X-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.84.2
+X-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.5.0
 X
 Xusr/libexec:
 Xtotal 120
@@ -438,8 +424,9 @@ X#ifndef PSERVER_SUPPORT
 X#define PSERVER_SUPPORT
 X#endif
 X
+X
 X/*
-X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
+X * Define USE_SYSLOG if you want anoncvssh to log pserver connections
 X * using syslog()
 X */
 X#define USE_SYSLOG
@@ -459,12 +446,6 @@ X * anyone other than root or ANONCVS_USER.
 X */
 X/* #define ANONCVS_USER USERNAME */
 X
-X/*
-X * If you want to be able to run an alternate OpenCVS binary on your
-X * anoncvs server, define OPENCVS_USER as the user who will invoke it.
-X */
-X#define OPENCVS_USER "opencvs"
-X
 Xint main __P((int, char *[]));
 X
 Xchar * const env[] = {
@@ -485,9 +466,6 @@ X struct passwd *pw;
 X#ifdef DEBUG
 X int i;
 X#endif /* DEBUG */
-X#if defined(OPENCVS_USER)
-X int opencvs;
-X#endif
 X
 X pw = getpwuid(getuid());
 X if (pw == NULL) {
@@ -502,17 +480,17 @@ X
 X#ifdef USE_SYSLOG
 X openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY);
 X#endif /* USE_SYSLOG */
-X
+X
 X#ifdef ANONCVS_USER
-X /*
+X /*
 X * I love lusers who have to test every setuid binary on my machine.
 X */
 X if (getuid() != 0 && (strcmp (pw->pw_name, ANONCVS_USER) != 0)) {
-X fprintf(stderr, "You're not supposed to be running me!\n");
+X fprintf(stderr, "You're not supposed to be running me!\n");
 X#ifdef USE_SYSLOG
 X syslog(LOG_NOTICE,
 X "User %s(%d) invoked anoncvssh - Possible twink?",
-X pw->pw_name, pw->pw_uid);
+X pw->pw_name, pw->pw_uid);
 X#endif /* USE_SYSLOG */
 X exit(1);
 X }
@@ -527,12 +505,8 @@ X }
 X chdir("/");
 X setuid(pw->pw_uid);
 X
-X#if defined(OPENCVS_USER)
-X if (!strcmp(pw->pw_name, OPENCVS_USER))
-X opencvs = 1;
-X else
-X opencvs = 0;
-X#endif
+X if (pledge("stdio inet exec", NULL) == -1)
+X err(1, "pledge");
 X
 X /*
 X * program now "safe"
@@ -546,14 +520,6 @@ X int slen;
 X struct sockaddr_in my_sa, peer_sa;
 X char *us, *them;
 X
-X#if defined(OPENCVS_USER)
-X if (opencvs == 1) {
-X fprintf(stderr, "OpenCVS does not support pserver\n");
-X sleep(10);
-X exit(1);
-X }
-X#endif
-X
 X slen = sizeof(my_sa);
 X if (getsockname(0, (struct sockaddr *) &my_sa, &slen)
 X != 0) {
@@ -576,7 +542,7 @@ X if (them == NULL) {
 X fprintf(stderr, "malloc failed\n");
 X exit(1);
 X }
-X syslog(LOG_PRIO,
+X syslog(LOG_PRIO,
 X "pserver connection from %s:%d to %s:%d\n",
 X them, ntohs(peer_sa.sin_port),
 X us, ntohs(my_sa.sin_port));
@@ -590,7 +556,7 @@ X /* NOTREACHED */
 X }
 X#endif
 X
-X if (argc != 3 ||
+X if (argc != 3 ||
 X strcmp("anoncvssh", argv[0]) != 0 ||
 X strcmp("-c", argv[1]) != 0 ||
 X (strcmp("cvs server", argv[2]) != 0 &&
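Review bot: The new `pledge("stdio inet exec", NULL)` call in the `@@ -527,12 +505,8 @@` hunk runs directly after `chdir("/");` and `setuid(pw->pw_uid);`, and neither return value is checked. If the uid drop fails, the program carries on into the section commented `program now "safe"` with whatever privileges it started with; pledge restricts system calls but does not replace that check. I would change the context line to `if (setuid(pw->pw_uid) == -1) err(1, "setuid");` and treat `chdir` the same way, using the error style the new pledge check already uses. The patch as shown adds no `#include <err.h>` for the new `err()` call, so confirm the embedded source already includes it. main() starts and ends outside this hunk.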
@@ -599,10 +565,6 @@ X fprintf(stderr, "\nTo use anonymous CVS install the latest ");
 X fprintf(stderr,"version of CVS on your local machine.\n");
 X fprintf(stderr,"Then set your CVSROOT environment variable ");
 X fprintf(stderr,"to the following value:\n");
-X#if defined(OPENCVS_USER)
-X fprintf(stderr, "\t%s@%s:%s for OpenCVS\n", OPENCVS_USER,
-X HOSTNAME, LOCALROOT);
-X#endif
 X fprintf(stderr,"\t%s\n\n", CVSROOT);
 X#ifdef DEBUG
 X fprintf(stderr, "argc = %d\n", argc);
@@ -613,16 +575,7 @@ X sleep(10);
 X exit(0);
 X }
 X
-X#if defined(OPENCVS_USER)
-X if (opencvs == 1) {
-X execle("/usr/bin/opencvs", "opencvs",
-X "server", (char *)NULL, env);
-X } else {
-X#endif
 X execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env);
-X#if defined(OPENCVS_USER)
-X }
-X#endif
 X
 X perror("execle: cvs");
 X fprintf(stderr, "unable to exec CVS server!\n");
--
cgit v1.2.3