From 2e201c780e72b49fa6d16f27fa559972503acac4 Mon Sep 17 00:00:00 2001 From: Dimitri Sokolyuk Date: Tue, 31 May 2016 11:52:47 +0200 Subject: Sync --- Makefile | 4 ++-- README | 26 ++++++-------------------- anoncvssh.c | 55 +++++++++++-------------------------------------------- 3 files changed, 19 insertions(+), 66 deletions(-) diff --git a/Makefile b/Makefile index 3e26750..7c9f7be 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,9 @@ +#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs PROG= anoncvssh BINOWN= root BINMODE=4111 -BINDIR=/usr/local/bin +BINDIR=/open NOMAN= -LDSTATIC=${STATIC} .include diff --git a/README b/README index ddeb41c..dd05ee4 100644 --- a/README +++ b/README @@ -35,7 +35,7 @@ ********************************************************************** STEP 1) find enough disk space. - You need roughly 2GB. + You need roughly 6GB. Mount it on /open, make sure it doesn't have nosuid and nodev flags. If you are not able to mount it as /open, substitute it's location throughout the rest of this description. @@ -70,6 +70,7 @@ Match User anoncvs AllowTcpForwarding no AllowAgentForwarding no X11Forwarding no + PermitTTY no ********************************************************************** STEP 4) Build the anoncvs user's home directory chroot jail. This @@ -86,13 +87,6 @@ jail for anoncvs in /open/anoncvs. cd /open/anoncvs touch .hushlogin touch .profile - -Put a message like the following in .plan: - To use anonymous CVS install the latest version of CVS on your local - machine. - Then set your CVSROOT environment variable to the following value: - anoncvs@anoncvs.openbsd.org:/cvs - mkdir bin dev tmp usr var etc cp /bin/{cat,pwd,rm,sh} bin/ 
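Review bot: Dropping `LDSTATIC=${STATIC}` and moving `BINDIR` to `/open` changes how and where a root-owned `BINMODE=4111` (setuid) binary is installed, and neither the Makefile nor the one-word commit message says why. A short comment above `BINDIR`, for example `# setuid-root install beside the /open/anoncvs jail; /open must not be mounted nosuid`, would record the constraint the README places on that mount. The added `#CVSROOT=` line is commented out with no hint of when it should be enabled; either explain it in a comment or leave it out.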
@@ -131,12 +125,8 @@ If using shared libraries, use ldd to find out which shared libs you need: /usr/bin/cvs: Start End Type Open Ref GrpRef Name 1c000000 3c01f000 exe 1 0 0 /usr/bin/cvs - 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.4.1 - 020f3000 220f8000 rlib 0 1 0 /usr/lib/libgssapi.so.5.0 - 0530c000 2531c000 rlib 0 1 0 /usr/lib/libkrb5.so.17.0 - 03801000 23841000 rlib 0 1 0 /usr/lib/libcrypto.so.18.0 - 0a8fb000 2a900000 rlib 0 1 0 /usr/lib/libdes.so.9.0 - 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.51.0 + 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.5.0 + 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.84.2 094ca000 094ca000 rtld 0 1 0 /usr/libexec/ld.so and then copy the required libraries to usr/lib/ @@ -308,12 +298,8 @@ usr/lib: total 42344 drwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./ drwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../ --r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.50.1 --r--r--r-- 1 root wheel 9659802 Jun 3 01:56 libcrypto.so.18.0 --r--r--r-- 1 root wheel 190814 Jun 3 01:56 libdes.so.9.0 --r--r--r-- 1 root wheel 1593303 Jun 3 01:55 libgssapi.so.5.0 --r--r--r-- 1 root wheel 5337583 Jun 3 01:56 libkrb5.so.16.0 --r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.4.1 +-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.84.2 +-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.5.0 usr/libexec: total 120 diff --git a/anoncvssh.c b/anoncvssh.c index ba4ffd1..3a59c98 100644 --- a/anoncvssh.c +++ b/anoncvssh.c @@ -60,7 +60,7 @@ * Hostname to be used when accessing the remote repository. */ #ifndef HOSTNAME -#define HOSTNAME "dim13.org" +#define HOSTNAME "anoncvs1.usa.openbsd.org" #endif /* @@ -85,8 +85,9 @@ #define PSERVER_SUPPORT #endif + /* - * Define USE_SYSLOG if you want anoncvssh to log pserver connections + * Define USE_SYSLOG if you want anoncvssh to log pserver connections * using syslog() */ #define USE_SYSLOG 
@@ -106,12 +107,6 @@ */ /* #define ANONCVS_USER USERNAME */ -/* - * If you want to be able to run an alternate OpenCVS binary on your - * anoncvs server, define OPENCVS_USER as the user who will invoke it. - */ -/* #define OPENCVS_USER "opencvs" */ - int main __P((int, char *[])); char * const env[] = { @@ -132,9 +127,6 @@ char *argv[]; #ifdef DEBUG int i; #endif /* DEBUG */ -#if defined(OPENCVS_USER) - int opencvs; -#endif pw = getpwuid(getuid()); if (pw == NULL) { @@ -149,17 +141,17 @@ char *argv[]; #ifdef USE_SYSLOG openlog("anoncvssh", LOG_PID | LOG_NDELAY, LOG_FACILITY); #endif /* USE_SYSLOG */ - + #ifdef ANONCVS_USER - /* + /* * I love lusers who have to test every setuid binary on my machine. */ if (getuid() != 0 && (strcmp (pw->pw_name, ANONCVS_USER) != 0)) { - fprintf(stderr, "You're not supposed to be running me!\n"); + fprintf(stderr, "You're not supposed to be running me!\n"); #ifdef USE_SYSLOG syslog(LOG_NOTICE, "User %s(%d) invoked anoncvssh - Possible twink?", - pw->pw_name, pw->pw_uid); + pw->pw_name, pw->pw_uid); #endif /* USE_SYSLOG */ exit(1); } @@ -174,12 +166,8 @@ char *argv[]; chdir("/"); setuid(pw->pw_uid); -#if defined(OPENCVS_USER) - if (!strcmp(pw->pw_name, OPENCVS_USER)) - opencvs = 1; - else - opencvs = 0; -#endif + if (pledge("stdio inet exec", NULL) == -1) + err(1, "pledge"); /* * program now "safe" @@ -193,14 +181,6 @@ char *argv[]; struct sockaddr_in my_sa, peer_sa; char *us, *them; -#if defined(OPENCVS_USER) - if (opencvs == 1) { - fprintf(stderr, "OpenCVS does not support pserver\n"); - sleep(10); - exit(1); - } -#endif - slen = sizeof(my_sa); if (getsockname(0, (struct sockaddr *) &my_sa, &slen) != 0) { @@ -223,7 +203,7 @@ char *argv[]; fprintf(stderr, "malloc failed\n"); exit(1); } - syslog(LOG_PRIO, + syslog(LOG_PRIO, "pserver connection from %s:%d to %s:%d\n", them, ntohs(peer_sa.sin_port), us, ntohs(my_sa.sin_port)); 
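Review bot: The added `pledge("stdio inet exec", NULL)` call sits directly after `chdir("/")` and `setuid(pw->pw_uid)`, neither of which has its return value checked, so the "program now safe" comment that follows rests on a privilege drop that is never verified. Since the Makefile installs this binary root-owned with BINMODE=4111, I would write `if (setuid(pw->pw_uid) == -1) err(1, "setuid");` and check chdir the same way. The new `err()` call needs `<err.h>`, and no anoncvssh.c hunk in this patch adds that include, so confirm the file already has it or use the `fprintf`/`exit(1)` style used elsewhere in main. A one-line comment on the pledge would also help, noting that the promises cover only anoncvssh up to the `execle` and that, as far as pledge(2) describes `exec`, the cvs server it starts is not bound by them. main's body starts and ends outside this hunk.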
@@ -237,7 +217,7 @@ char *argv[]; } #endif - if (argc != 3 || + if (argc != 3 || strcmp("anoncvssh", argv[0]) != 0 || strcmp("-c", argv[1]) != 0 || (strcmp("cvs server", argv[2]) != 0 && @@ -246,10 +226,6 @@ char *argv[]; fprintf(stderr,"version of CVS on your local machine.\n"); fprintf(stderr,"Then set your CVSROOT environment variable "); fprintf(stderr,"to the following value:\n"); -#if defined(OPENCVS_USER) - fprintf(stderr, "\t%s@%s:%s for OpenCVS\n", OPENCVS_USER, - HOSTNAME, LOCALROOT); -#endif fprintf(stderr,"\t%s\n\n", CVSROOT); #ifdef DEBUG fprintf(stderr, "argc = %d\n", argc); @@ -260,16 +236,7 @@ char *argv[]; exit(0); } -#if defined(OPENCVS_USER) - if (opencvs == 1) { - execle("/usr/bin/opencvs", "opencvs", - "server", (char *)NULL, env); - } else { -#endif execle("/usr/bin/cvs", "cvs", "server", (char *)NULL, env); -#if defined(OPENCVS_USER) - } -#endif perror("execle: cvs"); fprintf(stderr, "unable to exec CVS server!\n"); -- cgit v1.2.3