From ad3eac4f3956eaff6b10e2944bccc3263797e4d4 Mon Sep 17 00:00:00 2001 From: Dimitri Sokolyuk Date: Fri, 15 Feb 2013 09:37:31 +0000 Subject: sync --- README | 386 ++++++++++++++++++++++++---------------------------------- anoncvs.shar | 387 ++++++++++++++++++++++++----------------------------------- 2 files changed, 308 insertions(+), 465 deletions(-) diff --git a/README b/README index 74c51d9..ddeb41c 100644 --- a/README +++ b/README @@ -7,11 +7,12 @@ appropriate place. 2) Compile and install anoncvssh, the shell used for the anoncvs user. - ( If you aren't using OpenBSD you'll probably need to compile a sup + Install the cvsync client using 'pkg_add cvsync' command. + ( If you aren't using OpenBSD you'll probably need to compile a cvsync client as well. The easier path is to use OpenBSD ;). 3) Add the anoncvs user to the password file, with no password, and - anoncvssh as it's shell. Decide on a user that will run sup to maintain + anoncvssh as it's shell. Decide on a user that will run cvsync to maintain the archive (this is a different user, NOT the anoncvs user). 4) Make a home directory for the anoncvs user. The anoncvs user's 
@@ -23,19 +24,15 @@ use another platform you'll need to be familiar with what needs to go in a chroot jail for your platform. -5) Get permission to use sup to obtain the cvs tree from a server. +5) Get permission to use cvsync to obtain the cvs tree from a server. -6) Set up sup to retrieve the cvs tree from an appropriate place. - (If you aren't using OpenBSD you will need to compile and install - a sup client). +6) Set up cvsync to retrieve the cvs tree from an appropriate place. -7) Run sup to retrieve the distribution from the server. +7) Run cvsync to retrieve the distribution from the server. -8) Once you get the distribution in, set up a cron job to run sup +8) Once you get the distribution in, set up a cron job to run cvsync periodically to keep your server up to date. -9) Enabling OpenCVS anoncvs. - ********************************************************************** STEP 1) find enough disk space. You need roughly 2GB. @@ -49,9 +46,9 @@ STEP 2) compile the anoncvssh binary. Install the binary setuid-root in /open/anoncvssh. ********************************************************************** -STEP 3) Create the anoncvs account and decide who will run "sup" +STEP 3) Create the anoncvs account and decide who will run "cvsync" to maintain the archive. The anoncvs account should *NOT* be the one - running sup to maintain the archive. + running cvsync to maintain the archive. create an account similar to: 
@@ -61,12 +58,18 @@ Yes, that is right - the account has no password. Be sure that the uid and gid are unique for your system, if the ones above aren't, pick different values. -Decide who will run sup to maintain the archive. Call that user -$SUPUSER. Oh, and in case it hasn't been previously mentioned, -$SUPUSER should *NOT* be the anoncvs user :). +Decide who will run cvsync to maintain the archive. Call that user +$CVSYNCUSER. Oh, and in case it hasn't been previously mentioned, +$CVSYNCUSER should *NOT* be the anoncvs user :). + +Add the following to the end of your /etc/ssh/sshd_config and restart +your sshd daemon: -Set "PermitEmptyPasswords yes" option in /etc/ssh/sshd_config and -restart your sshd daemon. +Match User anoncvs + PermitEmptyPasswords yes + AllowTcpForwarding no + AllowAgentForwarding no + X11Forwarding no ********************************************************************** STEP 4) Build the anoncvs user's home directory chroot jail. This @@ -75,8 +78,7 @@ STEP 4) Build the anoncvs user's home directory chroot jail. This mkdir /open/anoncvs mkdir /open/anoncvs/cvs -mkdir /open/anoncvs/sup -chown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs +chown -R $CVSYNCUSER /open/anoncvs/cvs /open/anoncvs Start filling the account up with nice stuff. You are building a chroot jail for anoncvs in /open/anoncvs. @@ -91,8 +93,6 @@ Put a message like the following in .plan: Then set your CVSROOT environment variable to the following value: anoncvs@anoncvs.openbsd.org:/cvs - chown root:wheel .hushlogin .profile .plan - mkdir bin dev tmp usr var etc cp /bin/{cat,pwd,rm,sh} bin/ 
@@ -129,17 +129,15 @@ If your system has ld.so in /usr/libexec, If using shared libraries, use ldd to find out which shared libs you need: # ldd /usr/bin/cvs /usr/bin/cvs: - Start End Type Ref Name - 00000000 00000000 exe 1 /usr/bin/cvs - 0015f000 20165000 rlib 1 /usr/lib/libz.so.2.0 - 0016d000 20172000 rlib 1 /usr/lib/libgssapi.so.2.0 - 0017f000 2018d000 rlib 1 /usr/lib/libkrb5.so.5.2 - 00141000 20145000 rlib 1 /usr/lib/libasn1.so.3.1 - 00089000 200ba000 rlib 1 /usr/lib/libcrypto.so.10.0 - 00177000 2017c000 rlib 1 /usr/lib/libdes.so.8.0 - 00169000 2016d000 rlib 1 /usr/lib/libcom_err.so.1.0 - 00009000 20053000 rlib 1 /usr/lib/libc.so.30.0 - 00002000 00002000 rtld 1 /usr/libexec/ld.so + Start End Type Open Ref GrpRef Name + 1c000000 3c01f000 exe 1 0 0 /usr/bin/cvs + 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.4.1 + 020f3000 220f8000 rlib 0 1 0 /usr/lib/libgssapi.so.5.0 + 0530c000 2531c000 rlib 0 1 0 /usr/lib/libkrb5.so.17.0 + 03801000 23841000 rlib 0 1 0 /usr/lib/libcrypto.so.18.0 + 0a8fb000 2a900000 rlib 0 1 0 /usr/lib/libdes.so.9.0 + 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.51.0 + 094ca000 094ca000 rtld 0 1 0 /usr/libexec/ld.so and then copy the required libraries to usr/lib/ 
@@ -164,54 +162,60 @@ For :pserver: support (optional) See the example layout below for full details. ********************************************************************** -STEP 5): Get sup permission. +STEP 5): Get cvsync permission. send mail to sup@openbsd.org -1) to have sup permissions granted on an appropriate machine for you - to sup from. We will need to know your host's real hostname and +1) to have cvsync permissions granted on an appropriate machine for you + to cvsync from. We will need to know your host's real hostname and IP address. 2) to have an anoncvsN.COUNTRY.openbsd.org alias created. -3) to have your site mentioned in the http://www.openbsd.org page. +3) to have your site mentioned in the http://www.openbsd.org/anoncvs.html page. ********************************************************************** -STEP 6): Configure sup. - -If you're running OpenBSD, you already have a sup client in -/usr/bin/sup. If not you may need to build it. On an IRIX or other -SYSV machine, ensure that your kernel does not allow a user to chown -a file to another user (you may have heard of this particular brand -of evil referred to as "chown giveaway"). This will cause sup to -give away the files to root before chmod'ing them readable. -michaels@openbsd.org knows how to fix this. - -The file /open/anoncvs/sup/ss contains a line that tells sup where -to get the cvs tree from. It will normally contain: - - cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete - -The file /open/anoncvs/sup/cvs/refuse tells sup what files it should not get. -It should contain the following lines: - - cvs/CVSROOT/history - cvs/CVSROOT/readers - cvs/CVSROOT/writers - cvs/CVSROOT/passwd - -If you ever fetch the file cvs/CVSROOT/history, delete it. It will -cause you problems. +STEP 6): Configure cvsync. + +You have to install cvsync package. + +The file /etc/cvsync.conf contains the configuration of cvsync. 
It will +normally contain: + +config { + base-prefix /open/anoncvs/ + hostname anoncvs.ca.openbsd.org + collection { + name openbsd-cvsroot release rcs + prefix cvs + } + collection { + name openbsd-src release rcs + prefix cvs + } + collection { + name openbsd-ports release rcs + prefix cvs + } + collection { + name openbsd-www release rcs + prefix cvs + } + collection { + name openbsd-xenocara release rcs + prefix cvs + } +} ********************************************************************** -STEP 7): Run sup to retrieve the tree for the first time. +STEP 7): Run cvsync to retrieve the tree for the first time. -Log in as or become the $SUPUSER, and run +Log in as or become the $CVSYNCUSER, and run -sup -v /open/anoncvs/sup/ss > /tmp/suplog &; tail -f /tmp/suplog +cvsync > /tmp/cvsynclog &; tail -f /tmp/cvsynclog -If you have sup permission, and have specified the correct host and -hostbase in /open/anoncvs/sup/ss you should see a list of files start +If you have cvsync permission, and have specified the correct host and +prefix in /etc/cvsync.conf you should see a list of files start coming in after a short while. Don't panic if nothing happens -immediately. Watch for errors (sup can timeout or die). If you can't -access files contact the sup server maintainer. If you get a timeout -or if sup dies you can restart and it should continue where it left off. +immediately. Watch for errors (cvsync can timeout or die). If you can't +access files contact the cvsync server maintainer. If you get a timeout +or if cvsync dies you can restart and it should continue where it left off. It can take a good while (and a couple of restarts) to obtain the whole tree for the first time. 
@@ -219,185 +223,103 @@ whole tree for the first time. ********************************************************************** STEP 8): Set up cron to keep the tree up to date. -You run sup periodically from the cron by setting up the crontab file -of the $SUPUSER. - -For example: To run every three hours 'sup -v supfile', and thrice -weekly 'sup -vo supfile' .. because sup is not reliable .. +You run cvsync periodically from the cron by setting up the crontab file +of the $CVSYNCUSER. -0 0,3,6,9,12,15,18,21 * * 0,2,4,5 sup -v /open/anoncvs/sup/ss > /dev/null -0 0,12,15,18,21 * * 1,3,6 sup -v /open/anoncvs/sup/ss > /dev/null -0 3 * * 1,3,6 sup -vo /open/anoncvs/sup/ss > /dev/null +For example, to update every two hours: -anoncvs5.usa.openbsd.org uses this particular set of entries. A `sup --o' is done every few days because sup is not very robust. +15 */2 * * * /usr/local/bin/cvsync > /dev/null ********************************************************************** -STEP 9): Enabling OpenCVS anoncvs. - -The next step is to enable OpenCVS, which will run on your system next -to the normal GNU cvs server. This will become the default in the -future. - -First off, create a new user account "opencvs" like you did for your -normal anoncvs user: - -opencvs::32766:32766::0:0:Anonymous OpenCVS User:/open/anoncvs:/open/anoncvssh - -Be sure that the uid and gid are unique for your system, if the ones -above aren't, pick different values. - -#define OPENCVS_USER "opencvs" - -Recompile anoncvssh.c and install the binary setuid-root in /open/anoncvssh. - -Compile and install a current /usr/bin/opencvs. - -Copy /usr/bin/opencvs to /open/anoncvs/usr/bin/opencvs - -You can now use OpenCVS anoncvs by using the correct CVSROOT: - opencvs@anoncvs.openbsd.org:/cvs - -If you encounter bugs, send them to joris@openbsd.org - -********************************************************************** EXAMPLE LAYOUT -Example layout for OpenBSD. In this example "deraadt" is the $SUPUSER. 
- -[eap open 5 ]> cd /open -[eap open 6 ]> ls -alF -total 46 -drwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./ -drwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../ -drwxr-xr-x 9 root wheel 512 Jan 3 21:55 anoncvs/ ----s--x--x 1 root bin 16384 Nov 30 1995 anoncvssh* -lrwxr-xr-x 1 root wheel 11 Jan 3 21:52 cvs@ -> anoncvs/cvs -drwxr-xr-x 5 root wheel 512 Feb 22 13:22 ftp/ -drwxrwxrwt 2 anoncvs wheel 1024 Jan 1 13:18 lost+found/ -drwxr-xr-x 4 root wheel 512 Nov 30 1995 src/ -drwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 sup/ -[eap open 7 ]> cd anoncvs -[eap anoncvs 8 ]> ls -alF -total 20 -drwxr-xr-x 9 root wheel 512 Jan 3 21:55 ./ -drwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../ --r--r--r-- 1 root wheel 0 Nov 30 1995 .hushlogin --r--r--r-- 1 root wheel 188 Nov 30 1995 .plan --r--r--r-- 1 root wheel 0 Nov 29 1995 .profile -drwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 bin/ -drwxrwxr-x 6 deraadt cvs 512 Jun 16 20:28 cvs/ -drwxr-xr-x 2 root wheel 512 Nov 30 1995 dev/ -drwxr-xr-x 2 root wheel 512 Nov 29 1995 etc/ -drwxrwxrwx 3 root wheel 512 Jun 22 07:42 tmp/ -drwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 usr/ -drwxr-xr-x 2 root wheel 512 Jan 3 21:55 var/ -[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev +Example layout for OpenBSD. In this example "deraadt" is the $CVSYNCUSER. 
+ +$ cd /open +$ ls -alF +total 64 +drwxr-xr-x 5 root wheel 512 Jun 18 22:29 ./ +drwxr-xr-x 13 root wheel 512 Jun 4 05:14 ../ +drwxr-xr-x 9 deraadt wheel 512 Jun 3 02:15 anoncvs/ +---s--x--x 1 root wheel 14302 Jun 18 22:29 anoncvssh* +drwxr-xr-x 4 root wheel 5120 Jun 10 14:34 ftp/ + +$ cd anoncvs +$ ls -alF +total 68 +drwxr-xr-x 9 root wheel 512 Jun 3 02:15 ./ +drwxr-xr-x 5 root wheel 512 Jun 10 14:32 ../ +-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .hushlogin +-rw-r--r-- 1 root wheel 84 Jun 3 01:50 .plan +-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .profile +drwxr-xr-x 2 root wheel 512 Jun 3 01:40 bin/ +drwxr-xr-x 7 deraadt wheel 512 Jun 18 22:19 cvs/ +drwxr-xr-x 2 root wheel 512 Jun 3 01:51 dev/ +drwxr-xr-x 2 root wheel 512 Jun 3 01:53 etc/ +drwxrwxrwx 10 root wheel 512 Jun 18 17:38 tmp/ +drwxr-xr-x 5 root wheel 512 Jun 3 01:54 usr/ +drwxr-xr-x 2 root wheel 512 Jun 3 01:54 var/ +$ ls -alFR bin usr tmp etc dev bin: -total 948 -drwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 ./ -drwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ ---wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 cat* ---wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 pwd* ---wx--x--x 1 deraadt wheel 122880 Jun 18 09:45 rm* ---wx--x--x 1 deraadt wheel 262144 Jun 18 09:45 sh* - +total 1984 +drwxr-xr-x 2 root wheel 512 Jun 3 01:40 ./ +drwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../ +-r-xr-xr-x 1 root wheel 132368 Jun 3 01:40 cat* +-r-xr-xr-x 1 root wheel 124176 Jun 3 01:40 pwd* +-r-xr-xr-x 1 root wheel 238864 Jun 3 01:40 rm* +-r-xr-xr-x 1 root wheel 460048 Jun 3 01:40 sh* + dev: -total 4 -drwxr-xr-x 2 root wheel 512 Nov 30 1995 ./ -drwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ -crw-rw-rw- 1 root wheel 2, 2 Nov 30 1995 null - +total 8 +drwxr-xr-x 2 root wheel 512 Jun 3 01:51 ./ +drwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../ +crw-rw-rw- 1 root wheel 3, 2 Jun 3 01:51 null +crw-rw-rw- 1 root wheel 3, 12 Jun 3 01:51 zero + etc: -total 112 -drwxr-xr-x 2 root wheel 512 Nov 29 1995 ./ -drwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ --rw-r--r-- 1 root 
wheel 252 Nov 29 1995 group --rw-r--r-- 1 root wheel 296 Nov 29 1995 hosts --rw-r--r-- 1 root wheel 540 Nov 29 1995 passwd --rw-r--r-- 1 root wheel 1094 Nov 29 1995 protocols --rw-r--r-- 1 root wheel 40960 Nov 29 1995 pwd.db --rw-r--r-- 1 root wheel 89 Nov 29 1995 resolv.conf --rw-r--r-- 1 root wheel 5529 Nov 29 1995 services --rw-r--r-- 1 root wheel 1361 Nov 29 1995 ttys +total 188 +drwxr-xr-x 2 root wheel 512 Jun 3 01:53 ./ +drwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../ +-r--r--r-- 1 root wheel 64 Jun 3 01:52 group* +-r--r--r-- 1 root wheel 576 Jun 3 01:52 hosts* +-r--r--r-- 1 root wheel 291 Jun 3 01:53 passwd* +-r--r--r-- 1 root wheel 5625 Jun 3 01:52 protocols* +-r--r--r-- 1 root wheel 40960 Jun 3 01:52 pwd.db* +-r--r--r-- 1 root wheel 93 Jun 3 01:52 resolv.conf* +-r--r--r-- 1 root wheel 9875 Jun 3 01:52 services* +-r--r--r-- 1 root wheel 26428 Jun 3 01:52 ttys* usr: -total 10 -drwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ./ -drwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ -drwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 bin/ -drwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 lib/ -drwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 libexec/ +total 20 +drwxr-xr-x 5 root wheel 512 Jun 3 01:54 ./ +drwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../ +drwxr-xr-x 2 root wheel 512 Jun 3 01:57 bin/ +drwxr-xr-x 2 root wheel 512 Jun 3 01:56 lib/ +drwxr-xr-x 2 root wheel 512 Jun 3 01:55 libexec/ usr/bin: -total 1968 -drwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 ./ -drwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../ ---wx--x--x 1 deraadt wheel 317787 Jun 18 09:46 cvs* +total 3016 +drwxr-xr-x 2 root wheel 512 Jun 3 01:57 ./ +drwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../ +-r-xr-xr-x 1 root wheel 643728 Jun 3 01:54 cvs* usr/lib: -total 5594 -drwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 ./ -drwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../ --rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libasn1.so.2.0 --rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libc.so.28.5 --rw-r--r-- 1 deraadt wheel 16608 Jun 18 09:50 
libcrypto.so.6.0 --rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libdes.so.7.0 --rw-r--r-- 1 deraadt wheel 16665 Jun 18 09:50 libgssapi.so.1.0 --rw-r--r-- 1 deraadt wheel 86198 Jun 18 09:50 libkafs.so.10.0 --rw-r--r-- 1 deraadt wheel 42254 Jun 18 09:50 libkrb.so.10.0 --rw-r--r-- 1 deraadt wheel 66099 Jun 18 09:50 libkrb5.so.4.0 --rw-r--r-- 1 deraadt wheel 387976 Jun 18 09:50 libz.so.1.4 +total 42344 +drwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./ +drwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../ +-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.50.1 +-r--r--r-- 1 root wheel 9659802 Jun 3 01:56 libcrypto.so.18.0 +-r--r--r-- 1 root wheel 190814 Jun 3 01:56 libdes.so.9.0 +-r--r--r-- 1 root wheel 1593303 Jun 3 01:55 libgssapi.so.5.0 +-r--r--r-- 1 root wheel 5337583 Jun 3 01:56 libkrb5.so.16.0 +-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.4.1 usr/libexec: -total 100 -drwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 ./ -drwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../ --rwxr-xr-x 1 deraadt wheel 49152 Jun 18 09:47 ld.so* - -[eap anoncvs 14 ]> ls cvs -CVSROOT/ src/ sup/ www/ -[eap anoncvs 15 ]> cd /open -[eap anoncvs 16 ]> ls -alF sup -total 8 -drwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 ./ -drwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../ -drwxr-xr-x 2 deraadt wheel 512 Jun 22 06:05 cvs/ --rw-rw-r-- 1 deraadt wheel 54 Dec 4 1995 ss - - -*************************************************************** -NOTES FOR OTHER PLATFORMS: - -If you're not that familiar with your other platform (i.e. you haven't -built a chroot jail for a server on it) you may be better off -finding an OpenBSD machine to use and duplicating the example above. - -**SunOS 5) -Bob Beck has done this. E-mail for -help if you need it. - -**OSF 1) -From Todd Fries to the adventurous. -A note for those installing anoncvs on non-OpenBSD operating systems. -You are in for some fun. 
- -For OSF1, on a DEC alpha, I had to do the following in addition to the -above: - -- I do not know how to setup dynamic libraries on osf1 and as a result - everything had to be compiled statically. -- Therefore, everything but /bin/sh I had to recmpile in order to - get the chroot setup. In order that there be no guesswork - involved, the following packages' binaries must exist in the chroot - environment: - - GNU - cvs (from the OpenBSD source tree) - -Some notes on compiling. +total 120 +drwxr-xr-x 2 root wheel 512 Jun 3 01:55 ./ +drwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../ +-r-xr-xr-x 1 root wheel 55683 Jun 3 01:55 ld.so* +$ ls cvs +CVSROOT ports src www xenocara - cvs fails to install if you don't have makeinfo ... just search for the - string ' install-info$' with regex and remove it from the Makefile for the - install and you'll be fine, or install 'texinfo', your choice. diff --git a/anoncvs.shar b/anoncvs.shar index 2be7832..a388dcf 100644 --- a/anoncvs.shar +++ b/anoncvs.shar @@ -5,7 +5,6 @@ # # This archive contains: # -# anoncvs.shar # Makefile # README # anoncvssh.c @@ -33,11 +32,12 @@ X1) Find enough disk space to hold the anoncvs tree, and mount it in an X appropriate place. X X2) Compile and install anoncvssh, the shell used for the anoncvs user. -X ( If you aren't using OpenBSD you'll probably need to compile a sup +X Install the cvsync client using 'pkg_add cvsync' command. +X ( If you aren't using OpenBSD you'll probably need to compile a cvsync X client as well. The easier path is to use OpenBSD ;). X X3) Add the anoncvs user to the password file, with no password, and -X anoncvssh as it's shell. Decide on a user that will run sup to maintain +X anoncvssh as it's shell. Decide on a user that will run cvsync to maintain X the archive (this is a different user, NOT the anoncvs user). X X4) Make a home directory for the anoncvs user. The anoncvs user's 
@@ -49,19 +49,15 @@ X statically. This example shows what is needed for OpenBSD. If you X use another platform you'll need to be familiar with what needs X to go in a chroot jail for your platform. X -X5) Get permission to use sup to obtain the cvs tree from a server. +X5) Get permission to use cvsync to obtain the cvs tree from a server. X -X6) Set up sup to retrieve the cvs tree from an appropriate place. -X (If you aren't using OpenBSD you will need to compile and install -X a sup client). +X6) Set up cvsync to retrieve the cvs tree from an appropriate place. X -X7) Run sup to retrieve the distribution from the server. +X7) Run cvsync to retrieve the distribution from the server. X -X8) Once you get the distribution in, set up a cron job to run sup +X8) Once you get the distribution in, set up a cron job to run cvsync X periodically to keep your server up to date. X -X9) Enabling OpenCVS anoncvs. -X X********************************************************************** XSTEP 1) find enough disk space. X You need roughly 2GB. @@ -75,9 +71,9 @@ X In the Makefile, change the variable CVSROOT. X Install the binary setuid-root in /open/anoncvssh. X X********************************************************************** -XSTEP 3) Create the anoncvs account and decide who will run "sup" +XSTEP 3) Create the anoncvs account and decide who will run "cvsync" X to maintain the archive. The anoncvs account should *NOT* be the one -X running sup to maintain the archive. +X running cvsync to maintain the archive. X Xcreate an account similar to: X 
@@ -87,12 +83,18 @@ XYes, that is right - the account has no password. Be sure that the Xuid and gid are unique for your system, if the ones above aren't, Xpick different values. X -XDecide who will run sup to maintain the archive. Call that user -X$SUPUSER. Oh, and in case it hasn't been previously mentioned, -X$SUPUSER should *NOT* be the anoncvs user :). +XDecide who will run cvsync to maintain the archive. Call that user +X$CVSYNCUSER. Oh, and in case it hasn't been previously mentioned, +X$CVSYNCUSER should *NOT* be the anoncvs user :). +X +XAdd the following to the end of your /etc/ssh/sshd_config and restart +Xyour sshd daemon: X -XSet "PermitEmptyPasswords yes" option in /etc/ssh/sshd_config and -Xrestart your sshd daemon. +XMatch User anoncvs +X PermitEmptyPasswords yes +X AllowTcpForwarding no +X AllowAgentForwarding no +X X11Forwarding no X X********************************************************************** XSTEP 4) Build the anoncvs user's home directory chroot jail. This @@ -101,8 +103,7 @@ X may need different files in the chroot. X Xmkdir /open/anoncvs Xmkdir /open/anoncvs/cvs -Xmkdir /open/anoncvs/sup -Xchown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs +Xchown -R $CVSYNCUSER /open/anoncvs/cvs /open/anoncvs X XStart filling the account up with nice stuff. You are building a chroot Xjail for anoncvs in /open/anoncvs. @@ -117,8 +118,6 @@ X machine. X Then set your CVSROOT environment variable to the following value: X anoncvs@anoncvs.openbsd.org:/cvs X -X chown root:wheel .hushlogin .profile .plan -X X mkdir bin dev tmp usr var etc X cp /bin/{cat,pwd,rm,sh} bin/ X 
@@ -155,17 +154,15 @@ X XIf using shared libraries, use ldd to find out which shared libs you need: X # ldd /usr/bin/cvs X /usr/bin/cvs: -X Start End Type Ref Name -X 00000000 00000000 exe 1 /usr/bin/cvs -X 0015f000 20165000 rlib 1 /usr/lib/libz.so.2.0 -X 0016d000 20172000 rlib 1 /usr/lib/libgssapi.so.2.0 -X 0017f000 2018d000 rlib 1 /usr/lib/libkrb5.so.5.2 -X 00141000 20145000 rlib 1 /usr/lib/libasn1.so.3.1 -X 00089000 200ba000 rlib 1 /usr/lib/libcrypto.so.10.0 -X 00177000 2017c000 rlib 1 /usr/lib/libdes.so.8.0 -X 00169000 2016d000 rlib 1 /usr/lib/libcom_err.so.1.0 -X 00009000 20053000 rlib 1 /usr/lib/libc.so.30.0 -X 00002000 00002000 rtld 1 /usr/libexec/ld.so +X Start End Type Open Ref GrpRef Name +X 1c000000 3c01f000 exe 1 0 0 /usr/bin/cvs +X 0f802000 2f80a000 rlib 0 1 0 /usr/lib/libz.so.4.1 +X 020f3000 220f8000 rlib 0 1 0 /usr/lib/libgssapi.so.5.0 +X 0530c000 2531c000 rlib 0 1 0 /usr/lib/libkrb5.so.17.0 +X 03801000 23841000 rlib 0 1 0 /usr/lib/libcrypto.so.18.0 +X 0a8fb000 2a900000 rlib 0 1 0 /usr/lib/libdes.so.9.0 +X 094d2000 2950b000 rlib 0 1 0 /usr/lib/libc.so.51.0 +X 094ca000 094ca000 rtld 0 1 0 /usr/libexec/ld.so X X and then copy the required libraries to usr/lib/ X 
@@ -190,54 +187,60 @@ X XSee the example layout below for full details. X X********************************************************************** -XSTEP 5): Get sup permission. +XSTEP 5): Get cvsync permission. Xsend mail to sup@openbsd.org -X1) to have sup permissions granted on an appropriate machine for you -X to sup from. We will need to know your host's real hostname and +X1) to have cvsync permissions granted on an appropriate machine for you +X to cvsync from. We will need to know your host's real hostname and X IP address. X2) to have an anoncvsN.COUNTRY.openbsd.org alias created. -X3) to have your site mentioned in the http://www.openbsd.org page. +X3) to have your site mentioned in the http://www.openbsd.org/anoncvs.html page. X X********************************************************************** -XSTEP 6): Configure sup. -X -XIf you're running OpenBSD, you already have a sup client in -X/usr/bin/sup. If not you may need to build it. On an IRIX or other -XSYSV machine, ensure that your kernel does not allow a user to chown -Xa file to another user (you may have heard of this particular brand -Xof evil referred to as "chown giveaway"). This will cause sup to -Xgive away the files to root before chmod'ing them readable. -Xmichaels@openbsd.org knows how to fix this. -X -XThe file /open/anoncvs/sup/ss contains a line that tells sup where -Xto get the cvs tree from. It will normally contain: -X -X cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete -X -XThe file /open/anoncvs/sup/cvs/refuse tells sup what files it should not get. -XIt should contain the following lines: -X -X cvs/CVSROOT/history -X cvs/CVSROOT/readers -X cvs/CVSROOT/writers -X cvs/CVSROOT/passwd -X -XIf you ever fetch the file cvs/CVSROOT/history, delete it. It will -Xcause you problems. +XSTEP 6): Configure cvsync. +X +XYou have to install cvsync package. +X +XThe file /etc/cvsync.conf contains the configuration of cvsync. 
It will +Xnormally contain: +X +Xconfig { +X base-prefix /open/anoncvs/ +X hostname anoncvs.ca.openbsd.org +X collection { +X name openbsd-cvsroot release rcs +X prefix cvs +X } +X collection { +X name openbsd-src release rcs +X prefix cvs +X } +X collection { +X name openbsd-ports release rcs +X prefix cvs +X } +X collection { +X name openbsd-www release rcs +X prefix cvs +X } +X collection { +X name openbsd-xenocara release rcs +X prefix cvs +X } +X} X X********************************************************************** -XSTEP 7): Run sup to retrieve the tree for the first time. +XSTEP 7): Run cvsync to retrieve the tree for the first time. X -XLog in as or become the $SUPUSER, and run +XLog in as or become the $CVSYNCUSER, and run X -Xsup -v /open/anoncvs/sup/ss > /tmp/suplog &; tail -f /tmp/suplog +Xcvsync > /tmp/cvsynclog &; tail -f /tmp/cvsynclog X -XIf you have sup permission, and have specified the correct host and -Xhostbase in /open/anoncvs/sup/ss you should see a list of files start +XIf you have cvsync permission, and have specified the correct host and +Xprefix in /etc/cvsync.conf you should see a list of files start Xcoming in after a short while. Don't panic if nothing happens -Ximmediately. Watch for errors (sup can timeout or die). If you can't -Xaccess files contact the sup server maintainer. If you get a timeout -Xor if sup dies you can restart and it should continue where it left off. +Ximmediately. Watch for errors (cvsync can timeout or die). If you can't +Xaccess files contact the cvsync server maintainer. If you get a timeout +Xor if cvsync dies you can restart and it should continue where it left off. X XIt can take a good while (and a couple of restarts) to obtain the Xwhole tree for the first time. 
@@ -245,188 +248,106 @@ X X********************************************************************** XSTEP 8): Set up cron to keep the tree up to date. X -XYou run sup periodically from the cron by setting up the crontab file -Xof the $SUPUSER. +XYou run cvsync periodically from the cron by setting up the crontab file +Xof the $CVSYNCUSER. X -XFor example: To run every three hours 'sup -v supfile', and thrice -Xweekly 'sup -vo supfile' .. because sup is not reliable .. +XFor example, to update every two hours: X -X0 0,3,6,9,12,15,18,21 * * 0,2,4,5 sup -v /open/anoncvs/sup/ss > /dev/null -X0 0,12,15,18,21 * * 1,3,6 sup -v /open/anoncvs/sup/ss > /dev/null -X0 3 * * 1,3,6 sup -vo /open/anoncvs/sup/ss > /dev/null -X -Xanoncvs5.usa.openbsd.org uses this particular set of entries. A `sup -X-o' is done every few days because sup is not very robust. +X15 */2 * * * /usr/local/bin/cvsync > /dev/null X X********************************************************************** -XSTEP 9): Enabling OpenCVS anoncvs. -X -XThe next step is to enable OpenCVS, which will run on your system next -Xto the normal GNU cvs server. This will become the default in the -Xfuture. -X -XFirst off, create a new user account "opencvs" like you did for your -Xnormal anoncvs user: -X -Xopencvs::32766:32766::0:0:Anonymous OpenCVS User:/open/anoncvs:/open/anoncvssh -X -XBe sure that the uid and gid are unique for your system, if the ones -Xabove aren't, pick different values. -X -X#define OPENCVS_USER "opencvs" -X -XRecompile anoncvssh.c and install the binary setuid-root in /open/anoncvssh. -X -XCompile and install a current /usr/bin/opencvs. -X -XCopy /usr/bin/opencvs to /open/anoncvs/usr/bin/opencvs X -XYou can now use OpenCVS anoncvs by using the correct CVSROOT: -X -X opencvs@anoncvs.openbsd.org:/cvs -X -XIf you encounter bugs, send them to joris@openbsd.org -X -X********************************************************************** XEXAMPLE LAYOUT X -XExample layout for OpenBSD. 
In this example "deraadt" is the $SUPUSER. -X -X[eap open 5 ]> cd /open -X[eap open 6 ]> ls -alF -Xtotal 46 -Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ./ -Xdrwxr-xr-x 17 root wheel 512 Jun 14 14:05 ../ -Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 anoncvs/ -X---s--x--x 1 root bin 16384 Nov 30 1995 anoncvssh* -Xlrwxr-xr-x 1 root wheel 11 Jan 3 21:52 cvs@ -> anoncvs/cvs -Xdrwxr-xr-x 5 root wheel 512 Feb 22 13:22 ftp/ -Xdrwxrwxrwt 2 anoncvs wheel 1024 Jan 1 13:18 lost+found/ -Xdrwxr-xr-x 4 root wheel 512 Nov 30 1995 src/ -Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 sup/ -X[eap open 7 ]> cd anoncvs -X[eap anoncvs 8 ]> ls -alF -Xtotal 20 -Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ./ -Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../ -X-r--r--r-- 1 root wheel 0 Nov 30 1995 .hushlogin -X-r--r--r-- 1 root wheel 188 Nov 30 1995 .plan -X-r--r--r-- 1 root wheel 0 Nov 29 1995 .profile -Xdrwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 bin/ -Xdrwxrwxr-x 6 deraadt cvs 512 Jun 16 20:28 cvs/ -Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 dev/ -Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 etc/ -Xdrwxrwxrwx 3 root wheel 512 Jun 22 07:42 tmp/ -Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 usr/ -Xdrwxr-xr-x 2 root wheel 512 Jan 3 21:55 var/ -X[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev +XExample layout for OpenBSD. In this example "deraadt" is the $CVSYNCUSER. 
+X +X$ cd /open +X$ ls -alF +Xtotal 64 +Xdrwxr-xr-x 5 root wheel 512 Jun 18 22:29 ./ +Xdrwxr-xr-x 13 root wheel 512 Jun 4 05:14 ../ +Xdrwxr-xr-x 9 deraadt wheel 512 Jun 3 02:15 anoncvs/ +X---s--x--x 1 root wheel 14302 Jun 18 22:29 anoncvssh* +Xdrwxr-xr-x 4 root wheel 5120 Jun 10 14:34 ftp/ +X +X$ cd anoncvs +X$ ls -alF +Xtotal 68 +Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ./ +Xdrwxr-xr-x 5 root wheel 512 Jun 10 14:32 ../ +X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .hushlogin +X-rw-r--r-- 1 root wheel 84 Jun 3 01:50 .plan +X-rw-r--r-- 1 root wheel 0 Jun 3 01:50 .profile +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 bin/ +Xdrwxr-xr-x 7 deraadt wheel 512 Jun 18 22:19 cvs/ +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 dev/ +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 etc/ +Xdrwxrwxrwx 10 root wheel 512 Jun 18 17:38 tmp/ +Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 usr/ +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:54 var/ +X$ ls -alFR bin usr tmp etc dev Xbin: -Xtotal 948 -Xdrwxrwxr-x 2 deraadt wheel 512 Nov 29 1995 ./ -Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ -X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 cat* -X--wx--x--x 1 deraadt wheel 40960 Jun 18 09:45 pwd* -X--wx--x--x 1 deraadt wheel 122880 Jun 18 09:45 rm* -X--wx--x--x 1 deraadt wheel 262144 Jun 18 09:45 sh* -X +Xtotal 1984 +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:40 ./ +Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../ +X-r-xr-xr-x 1 root wheel 132368 Jun 3 01:40 cat* +X-r-xr-xr-x 1 root wheel 124176 Jun 3 01:40 pwd* +X-r-xr-xr-x 1 root wheel 238864 Jun 3 01:40 rm* +X-r-xr-xr-x 1 root wheel 460048 Jun 3 01:40 sh* +X Xdev: -Xtotal 4 -Xdrwxr-xr-x 2 root wheel 512 Nov 30 1995 ./ -Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ -Xcrw-rw-rw- 1 root wheel 2, 2 Nov 30 1995 null -X +Xtotal 8 +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:51 ./ +Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../ +Xcrw-rw-rw- 1 root wheel 3, 2 Jun 3 01:51 null +Xcrw-rw-rw- 1 root wheel 3, 12 Jun 3 01:51 zero +X Xetc: -Xtotal 112 -Xdrwxr-xr-x 2 root wheel 512 Nov 29 1995 ./ 
-Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ -X-rw-r--r-- 1 root wheel 252 Nov 29 1995 group -X-rw-r--r-- 1 root wheel 296 Nov 29 1995 hosts -X-rw-r--r-- 1 root wheel 540 Nov 29 1995 passwd -X-rw-r--r-- 1 root wheel 1094 Nov 29 1995 protocols -X-rw-r--r-- 1 root wheel 40960 Nov 29 1995 pwd.db -X-rw-r--r-- 1 root wheel 89 Nov 29 1995 resolv.conf -X-rw-r--r-- 1 root wheel 5529 Nov 29 1995 services -X-rw-r--r-- 1 root wheel 1361 Nov 29 1995 ttys +Xtotal 188 +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:53 ./ +Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../ +X-r--r--r-- 1 root wheel 64 Jun 3 01:52 group* +X-r--r--r-- 1 root wheel 576 Jun 3 01:52 hosts* +X-r--r--r-- 1 root wheel 291 Jun 3 01:53 passwd* +X-r--r--r-- 1 root wheel 5625 Jun 3 01:52 protocols* +X-r--r--r-- 1 root wheel 40960 Jun 3 01:52 pwd.db* +X-r--r--r-- 1 root wheel 93 Jun 3 01:52 resolv.conf* +X-r--r--r-- 1 root wheel 9875 Jun 3 01:52 services* +X-r--r--r-- 1 root wheel 26428 Jun 3 01:52 ttys* X Xusr: -Xtotal 10 -Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ./ -Xdrwxr-xr-x 9 root wheel 512 Jan 3 21:55 ../ -Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 bin/ -Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 lib/ -Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 libexec/ +Xtotal 20 +Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ./ +Xdrwxr-xr-x 9 root wheel 512 Jun 3 02:15 ../ +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 bin/ +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 lib/ +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 libexec/ X Xusr/bin: -Xtotal 1968 -Xdrwxr-xr-x 2 deraadt wheel 512 Nov 30 1995 ./ -Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../ -X--wx--x--x 1 deraadt wheel 317787 Jun 18 09:46 cvs* +Xtotal 3016 +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:57 ./ +Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../ +X-r-xr-xr-x 1 root wheel 643728 Jun 3 01:54 cvs* X Xusr/lib: -Xtotal 5594 -Xdrwxr-xr-x 2 deraadt wheel 1024 Jun 18 09:50 ./ -Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../ -X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libasn1.so.2.0 
-X-rw-r--r-- 1 deraadt wheel 351730 Jun 18 09:50 libc.so.28.5 -X-rw-r--r-- 1 deraadt wheel 16608 Jun 18 09:50 libcrypto.so.6.0 -X-rw-r--r-- 1 deraadt wheel 44424 Jun 18 09:50 libdes.so.7.0 -X-rw-r--r-- 1 deraadt wheel 16665 Jun 18 09:50 libgssapi.so.1.0 -X-rw-r--r-- 1 deraadt wheel 86198 Jun 18 09:50 libkafs.so.10.0 -X-rw-r--r-- 1 deraadt wheel 42254 Jun 18 09:50 libkrb.so.10.0 -X-rw-r--r-- 1 deraadt wheel 66099 Jun 18 09:50 libkrb5.so.4.0 -X-rw-r--r-- 1 deraadt wheel 387976 Jun 18 09:50 libz.so.1.4 +Xtotal 42344 +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:56 ./ +Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../ +X-r--r--r-- 1 root wheel 4605409 Jun 3 01:56 libc.so.50.1 +X-r--r--r-- 1 root wheel 9659802 Jun 3 01:56 libcrypto.so.18.0 +X-r--r--r-- 1 root wheel 190814 Jun 3 01:56 libdes.so.9.0 +X-r--r--r-- 1 root wheel 1593303 Jun 3 01:55 libgssapi.so.5.0 +X-r--r--r-- 1 root wheel 5337583 Jun 3 01:56 libkrb5.so.16.0 +X-r--r--r-- 1 root wheel 182556 Jun 3 01:55 libz.so.4.1 X Xusr/libexec: -Xtotal 100 -Xdrwxr-xr-x 2 deraadt wheel 512 Nov 29 1995 ./ -Xdrwxr-xr-x 5 deraadt wheel 512 Nov 30 1995 ../ -X-rwxr-xr-x 1 deraadt wheel 49152 Jun 18 09:47 ld.so* -X -X[eap anoncvs 14 ]> ls cvs -XCVSROOT/ src/ sup/ www/ -X[eap anoncvs 15 ]> cd /open -X[eap anoncvs 16 ]> ls -alF sup -Xtotal 8 -Xdrwxrwxr-x 3 deraadt wheel 512 Dec 4 1995 ./ -Xdrwxr-xr-x 7 root wheel 512 Feb 20 09:58 ../ -Xdrwxr-xr-x 2 deraadt wheel 512 Jun 22 06:05 cvs/ -X-rw-rw-r-- 1 deraadt wheel 54 Dec 4 1995 ss -X -X -X*************************************************************** -XNOTES FOR OTHER PLATFORMS: -X -XIf you're not that familiar with your other platform (i.e. you haven't -Xbuilt a chroot jail for a server on it) you may be better off -Xfinding an OpenBSD machine to use and duplicating the example above. -X -X**SunOS 5) -XBob Beck has done this. E-mail for -Xhelp if you need it. -X -X**OSF 1) -XFrom Todd Fries to the adventurous. -XA note for those installing anoncvs on non-OpenBSD operating systems. 
-XYou are in for some fun. -X -XFor OSF1, on a DEC alpha, I had to do the following in addition to the -Xabove: -X -X- I do not know how to setup dynamic libraries on osf1 and as a result -X everything had to be compiled statically. -X- Therefore, everything but /bin/sh I had to recmpile in order to -X get the chroot setup. In order that there be no guesswork -X involved, the following packages' binaries must exist in the chroot -X environment: -X -X GNU -X cvs (from the OpenBSD source tree) -X -XSome notes on compiling. +Xtotal 120 +Xdrwxr-xr-x 2 root wheel 512 Jun 3 01:55 ./ +Xdrwxr-xr-x 5 root wheel 512 Jun 3 01:54 ../ +X-r-xr-xr-x 1 root wheel 55683 Jun 3 01:55 ld.so* +X$ ls cvs +XCVSROOT ports src www xenocara X -X cvs fails to install if you don't have makeinfo ... just search for the -X string ' install-info$' with regex and remove it from the Makefile for the -X install and you'll be fine, or install 'texinfo', your choice. END-of-README echo x - anoncvssh.c sed 's/^X//' >anoncvssh.c << 'END-of-anoncvssh.c' -- cgit v1.2.3
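Review bot: The new example layout shows the chroot root with two different owners: the /open listing has "drwxr-xr-x 9 deraadt wheel 512 Jun 3 02:15 anoncvs/", while the listing taken inside that directory has "drwxr-xr-x 9 root wheel 512 Jun 3 02:15 ./". Only one can be right, and it matters because the owner of that directory can rename or replace bin/, etc/ and usr/ inside the jail used by the setuid-root anoncvssh; since the rest of this update moves those entries from deraadt to root, the /open line should probably read root too, leaving only cvs/ owned by the $CVSYNCUSER. In the same listing, tmp/ is still "drwxrwxrwx" with no sticky bit, so either show it as "drwxrwxrwt" or say why that is not needed for the anoncvs account, and the etc: entries carry the ls -F executable marker ("group*", "passwd*") next to mode "-r--r--r--", which looks pasted from a different run. The hunk also deletes the whole "NOTES FOR OTHER PLATFORMS" section while step 2 of the README still tells non-OpenBSD users to compile a cvsync client, so a short pointer for those users should stay.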