$MirOS: src/libexec/anoncvssh/README,v 1.6 2008/11/29 17:03:53 tg Exp $

On MirBSD, the directory structure outlined below, as well
as the anoncvssh and accompanying programmes, are already
installed in /var/anoncvs and its subdirectories.
Just set a password (may be empty) for user "_anoncvs",
pull the CVSROOT into /var/anoncvs/cvs and you are
set up. For empty passwords, remember to configure the SSH
daemon appropriately.

To use anonymous rsync, place a statically linked rsync
executable into /var/anoncvs/bin and make it
chmod 110, chown root:_anoncvs.

Please change the defaults to fit your needs.
_______________________________________________________________________________

   So, you want to run an anoncvs server.

   A summary of the steps you'll need to do is:

1) Find enough disk space to hold the anoncvs tree, and mount it in an
   appropriate place.

2) Compile and install anoncvssh, the shell used for the anoncvs user.
   (If you aren't using OpenBSD you'll probably need to compile a sup
   client as well. The easier path is to use OpenBSD ;)

3) Add the anoncvs user to the password file, with no password, and
   anoncvssh as its shell. Decide on a user that will run sup to maintain
   the archive (this is a different user, NOT the anoncvs user).

4) Make a home directory for the anoncvs user. The anoncvs user's
   home directory is a chroot jail in which the anoncvssh processes
   run when servicing anoncvs requests. The jail must contain the
   cvs binary as well as whatever shared libraries and support files
   are needed to run them unless you compile and link everything
   statically. This example shows what is needed for OpenBSD. If you
   use another platform you'll need to be familiar with what needs
   to go in a chroot jail for your platform.

5) Get permission to use sup to obtain the cvs tree from a server.

6) Set up sup to retrieve the cvs tree from an appropriate place.
   (If you aren't using OpenBSD you will need to compile and install
   a sup client.)

7) Run sup to retrieve the distribution from the server.

8) Once you get the distribution in, set up a cron job to run sup
   periodically to keep your server up to date.

**********************************************************************
STEP 1) Find enough disk space.
   You need roughly 1.6GB.
   Mount it on /open.
   If you are not able to mount it as /open, substitute its location
   throughout the rest of this description.

**********************************************************************
STEP 2) Compile the anoncvssh binary.
   In the Makefile, change the variable CVSROOT.
   Install the binary setuid-root in /open/anoncvssh.

**********************************************************************
STEP 3) Create the anoncvs account, and decide who will run "sup"
   to maintain the archive. The anoncvs account should *NOT* be the one
   running sup to maintain the archive.

Create an account similar to:

   anoncvs::32766:32766:Anonymous CVS User:/open/anoncvs:/open/anoncvssh

Yes, that is right: the account has no password. Be sure that the
uid and gid are unique for your system; if the ones above aren't,
pick different values.

Decide who will run sup to maintain the archive. Call that user
$SUPUSER. Oh, and in case it hasn't been previously mentioned,
$SUPUSER should *NOT* be the anoncvs user :)

**********************************************************************
STEP 4) Build the anoncvs user's home directory chroot jail. This
   example assumes that you're using OpenBSD. If you're not you
   may need different files in the chroot.

mkdir /open/anoncvs
mkdir /open/anoncvs/cvs
mkdir /open/anoncvs/sup
chown -R $SUPUSER /open/anoncvs/cvs /open/anoncvs/sup /open/anoncvs

Start filling the account up with nice stuff. You are building a chroot
jail for anoncvs in /open/anoncvs.

   cd /open/anoncvs
   touch .hushlogin
   touch .profile

Put a message like the following in .plan:
   To use anonymous CVS install the latest version of CVS on your local
   machine.
   Then set your CVSROOT environment variable to the following value:
   anoncvs@anoncvs.openbsd.org:/cvs

   chown root:wheel .hushlogin .profile .plan

   mkdir bin dev tmp etc
   cp /bin/{cat,pwd,rm,sh} bin/
   ln -s . var

Using mknod, make a dev/null that has the same major/minor numbers as
   your /dev/null, and make it mode 666. A dev/zero must be created
   the same way.

Fill etc space for the account:
   cp /etc/{group,hosts,passwd,protocols} etc/
   cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
   Modify these files to suit your idea of system security.

anoncvssh (by setting the environment variable CVSREADONLYFS) uses
a tiny extension provided in the OpenBSD cvs server code which
permits the use of read-only cvs repositories. Therefore you MUST
compile the OpenBSD version of cvs. Luckily this is not a problem
on a non-OpenBSD machine since the cvs sources are imported verbatim
into the OpenBSD tree. They are in gnu/usr.bin/cvs. The sources
are integrated such that Makefile.bsd-wrapper knows how to build
the sources on an OpenBSD machine, using obj directories.

Create tmp space for the account:
   # cd var; ln -s ../tmp tmp
   # chmod a+rwx tmp

   # mkdir usr/{bin,lib}
   # cp /usr/bin/cvs usr/bin/

If your system has ld.so in /usr/libexec:
   # mkdir usr/libexec
   # cp /usr/libexec/ld.so usr/libexec/

If using shared libraries, use ldd to find out which shared libs you need:
   # ldd /usr/bin/cvs
   /usr/bin/cvs:
        -lz.1 => /usr/lib/libz.so.1.4 (0x40097000)
        -lgssapi.1 => /usr/lib/libgssapi.so.1.0 (0x400a4000)
        -lkrb.10 => /usr/lib/libkrb.so.10.0 (0x400ae000)
        -lkrb5.4 => /usr/lib/libkrb5.so.4.0 (0x400c8000)
        -lasn1.2 => /usr/lib/libasn1.so.2.0 (0x400ff000)
        -lcrypto.6 => /usr/lib/libcrypto.so.6.0 (0x4011d000)
        -ldes.7 => /usr/lib/libdes.so.7.0 (0x40203000)
        -lkafs.10 => /usr/lib/libkafs.so.10.0 (0x4020d000)
        -lc.28 => /usr/lib/libc.so.28.5 (0x40210000)

   and then copy the required libraries to usr/lib/

As a final pass, make sure that all the files you have just created are
not world writable (except dev/null and dev/zero).

For :pserver: support (optional):
   - Create an entry in /etc/services
        cvspserver      2401/tcp        # CVS client/server operations
   - Create an entry in /etc/inetd.conf
        cvspserver stream tcp nowait anoncvs /open/anoncvssh anoncvssh pserver
   - Create a file /open/anoncvs/cvs/CVSROOT/passwd with the following entry
        anoncvs:AHDysQkJIubEc
     which would be a password of "anoncvs" (as per anoncvs.html)
   - Create a file /open/anoncvs/cvs/CVSROOT/readers with a single entry:
        anoncvs
     which tells cvs that user "anoncvs" is allowed readonly access.
   - Create a zero-length file /open/anoncvs/cvs/CVSROOT/writers since you don't
     want anyone to be able to write to the mirror.
        % cp /dev/null /open/anoncvs/cvs/CVSROOT/writers

See the example layout below for full details.

**********************************************************************
STEP 5): Get sup permission.
Send mail to sup@openbsd.org
1) to have sup permissions granted on an appropriate machine for you
   to sup from. We will need to know your host's real hostname and
   IP address.
2) to have an anoncvsN.COUNTRY.openbsd.org alias created
3) to have your site mentioned in the http://www.openbsd.org page.

**********************************************************************
STEP 6): Configure sup

If you're running OpenBSD, you already have a sup client in
/usr/bin/sup. If not you may need to build it. On an IRIX or other
SYSV machine, ensure that your kernel does not allow a user to chown
a file to another user (you may have heard of this particular brand
of evil referred to as "chown giveaway"). This will cause sup to
give away the files to root before chmod'ing them readable.
michaels@openbsd.org knows how to fix this.

The file /open/anoncvs/sup/ss contains a line that tells sup where
to get the cvs tree from. It will normally contain:

   cvs host=anoncvs.ca.openbsd.org hostbase=/usr/OpenBSD base=/open/anoncvs delete

The file /open/anoncvs/sup/cvs/refuse tells sup what files it should not get.
It should contain the following lines:

   cvs/CVSROOT/history
   cvs/CVSROOT/readers
   cvs/CVSROOT/writers
   cvs/CVSROOT/passwd

If you ever fetch the file cvs/CVSROOT/history, delete it. It will
cause you problems.

**********************************************************************
STEP 7): Run sup to retrieve the tree for the first time

Log in as or become the $SUPUSER, and run

sup -v /open/anoncvs/sup/ss > /tmp/suplog & tail -f /tmp/suplog

If you have sup permission, and have specified the correct host and
hostbase in /open/anoncvs/sup/ss you should see a list of files start
coming in after a short while. Don't panic if nothing happens
immediately. Watch for errors (sup can timeout or die).
If you can't access files, contact the sup server maintainer. If you get
a timeout or if sup dies you can restart it and it should continue where
it left off.

It can take a good while (and a couple of restarts) to obtain the
whole tree for the first time.

**********************************************************************
STEP 8): Set up cron to keep the tree up to date.

You run sup periodically from the cron by setting up the crontab file
of the $SUPUSER.

For example: to run every three hours 'sup -v supfile', and thrice
weekly 'sup -vo supfile' .. because sup is not reliable ..

0 0,3,6,9,12,15,18,21 * * 0,2,4,5 sup -v /open/anoncvs/sup/ss > /dev/null
0 0,12,15,18,21 * * 1,3,6 sup -v /open/anoncvs/sup/ss > /dev/null
0 3 * * 1,3,6 sup -vo /open/anoncvs/sup/ss > /dev/null

anoncvs5.usa.openbsd.org uses this particular set of entries. A `sup
-o' is done every few days because sup is not very robust.

**********************************************************************
EXAMPLE LAYOUT

Example layout for OpenBSD. In this example "deraadt" is the $SUPUSER.

[eap open 5 ]> cd /open
[eap open 6 ]> ls -alF
total 46
drwxr-xr-x   7 root     wheel     512 Feb 20 09:58 ./
drwxr-xr-x  17 root     wheel     512 Jun 14 14:05 ../
drwxr-xr-x   9 root     wheel     512 Jan  3 21:55 anoncvs/
---s--x--x   1 root     bin     16384 Nov 30  1995 anoncvssh*
lrwxr-xr-x   1 root     wheel      11 Jan  3 21:52 cvs@ -> anoncvs/cvs
drwxr-xr-x   5 root     wheel     512 Feb 22 13:22 ftp/
drwxrwxrwt   2 anoncvs  wheel    1024 Jan  1 13:18 lost+found/
drwxr-xr-x   4 root     wheel     512 Nov 30  1995 src/
drwxrwxr-x   3 deraadt  wheel     512 Dec  4  1995 sup/
[eap open 7 ]> cd anoncvs
[eap anoncvs 8 ]> ls -alF
total 20
drwxr-xr-x   9 root     wheel     512 Jan  3 21:55 ./
drwxr-xr-x   7 root     wheel     512 Feb 20 09:58 ../
-r--r--r--   1 root     wheel       0 Nov 30  1995 .hushlogin
-r--r--r--   1 root     wheel     188 Nov 30  1995 .plan
-r--r--r--   1 root     wheel       0 Nov 29  1995 .profile
drwxrwxr-x   2 deraadt  wheel     512 Nov 29  1995 bin/
drwxrwxr-x   6 deraadt  cvs       512 Jun 16 20:28 cvs/
drwxr-xr-x   2 root     wheel     512 Nov 30  1995 dev/
drwxr-xr-x   2 root     wheel     512 Nov 29  1995 etc/
drwxrwxrwx   3 root     wheel     512 Jun 22 07:42 tmp/
drwxr-xr-x   5 deraadt  wheel     512 Nov 30  1995 usr/
drwxr-xr-x   2 root     wheel     512 Jan  3 21:55 var/
[eap anoncvs 8 ]> ls -alFR bin usr tmp etc dev
bin:
total 948
drwxrwxr-x   2 deraadt  wheel     512 Nov 29  1995 ./
drwxr-xr-x   9 root     wheel     512 Jan  3 21:55 ../
--wx--x--x   1 deraadt  wheel   40960 Jun 18 09:45 cat*
--wx--x--x   1 deraadt  wheel   40960 Jun 18 09:45 pwd*
--wx--x--x   1 deraadt  wheel  122880 Jun 18 09:45 rm*
--wx--x--x   1 deraadt  wheel  262144 Jun 18 09:45 sh*

dev:
total 4
drwxr-xr-x   2 root     wheel     512 Nov 30  1995 ./
drwxr-xr-x   9 root     wheel     512 Jan  3 21:55 ../
crw-rw-rw-   1 root     wheel    2,   2 Nov 30  1995 null

etc:
total 112
drwxr-xr-x   2 root     wheel     512 Nov 29  1995 ./
drwxr-xr-x   9 root     wheel     512 Jan  3 21:55 ../
-rw-r--r--   1 root     wheel     252 Nov 29  1995 group
-rw-r--r--   1 root     wheel     296 Nov 29  1995 hosts
-rw-r--r--   1 root     wheel     540 Nov 29  1995 passwd
-rw-r--r--   1 root     wheel    1094 Nov 29  1995 protocols
-rw-r--r--   1 root     wheel   40960 Nov 29  1995 pwd.db
-rw-r--r--   1 root     wheel      89 Nov 29  1995 resolv.conf
-rw-r--r--   1 root     wheel    5529 Nov 29  1995 services
-rw-r--r--   1 root     wheel    1361 Nov 29  1995 ttys

usr:
total 10
drwxr-xr-x   5 deraadt  wheel     512 Nov 30  1995 ./
drwxr-xr-x   9 root     wheel     512 Jan  3 21:55 ../
drwxr-xr-x   2 deraadt  wheel     512 Nov 30  1995 bin/
drwxr-xr-x   2 deraadt  wheel    1024 Jun 18 09:50 lib/
drwxr-xr-x   2 deraadt  wheel     512 Nov 29  1995 libexec/

usr/bin:
total 1968
drwxr-xr-x   2 deraadt  wheel     512 Nov 30  1995 ./
drwxr-xr-x   5 deraadt  wheel     512 Nov 30  1995 ../
--wx--x--x   1 deraadt  wheel  317787 Jun 18 09:46 cvs*

usr/lib:
total 5594
drwxr-xr-x   2 deraadt  wheel    1024 Jun 18 09:50 ./
drwxr-xr-x   5 deraadt  wheel     512 Nov 30  1995 ../
-rw-r--r--   1 deraadt  wheel  351730 Jun 18 09:50 libasn1.so.2.0
-rw-r--r--   1 deraadt  wheel  351730 Jun 18 09:50 libc.so.28.5
-rw-r--r--   1 deraadt  wheel   16608 Jun 18 09:50 libcrypto.so.6.0
-rw-r--r--   1 deraadt  wheel   44424 Jun 18 09:50 libdes.so.7.0
-rw-r--r--   1 deraadt  wheel   16665 Jun 18 09:50 libgssapi.so.1.0
-rw-r--r--   1 deraadt  wheel   86198 Jun 18 09:50 libkafs.so.10.0
-rw-r--r--   1 deraadt  wheel   42254 Jun 18 09:50 libkrb.so.10.0
-rw-r--r--   1 deraadt  wheel   66099 Jun 18 09:50 libkrb5.so.4.0
-rw-r--r--   1 deraadt  wheel  387976 Jun 18 09:50 libz.so.1.4

usr/libexec:
total 100
drwxr-xr-x   2 deraadt  wheel     512 Nov 29  1995 ./
drwxr-xr-x   5 deraadt  wheel     512 Nov 30  1995 ../
-rwxr-xr-x   1 deraadt  wheel   49152 Jun 18 09:47 ld.so*

[eap anoncvs 14 ]> ls cvs
CVSROOT/ src/ sup/ www/
[eap anoncvs 15 ]> cd /open
[eap anoncvs 16 ]> ls -alF sup
total 8
drwxrwxr-x   3 deraadt  wheel     512 Dec  4  1995 ./
drwxr-xr-x   7 root     wheel     512 Feb 20 09:58 ../
drwxr-xr-x   2 deraadt  wheel     512 Jun 22 06:05 cvs/
-rw-rw-r--   1 deraadt  wheel      54 Dec  4  1995 ss

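A jail built like the layout above can be audited against the rules from steps 4 and 6 (no world-writable files other than dev/null, dev/zero and the deliberately a+rwx tmp; CVSROOT/readers names anoncvs while CVSROOT/writers is empty; the sup refuse list keeps those local access-control files from being overwritten). This script is an added example, not code from anoncvssh or this README; it assumes the jail root is /open/anoncvs unless another path is passed.

```sh
#!/bin/sh
# Audit helper for an anoncvs chroot jail (added example, not part of
# anoncvssh). Assumed jail root: /open/anoncvs unless a path is given.

# Returns 0 if no unexpected world-writable entry exists in the jail;
# otherwise prints the offenders on stderr and returns 1.
jail_world_writable() {
    jail=${1:-/open/anoncvs}
    [ -d "$jail" ] || return 1
    # Symlinks (var -> ., var/tmp -> ../tmp) show mode 777 and are skipped;
    # dev/null, dev/zero and tmp are world-writable by design (step 4).
    bad=$(cd "$jail" && find . -perm -002 ! -type l \
          ! -path ./dev/null ! -path ./dev/zero ! -path ./tmp)
    [ -z "$bad" ] && return 0
    printf 'world-writable in jail: %s\n' "$bad" >&2
    return 1
}

# Returns 0 when CVSROOT grants anoncvs read-only access only: writers
# exists and is empty, readers names anoncvs on a line of its own.
jail_cvsroot_readonly() {
    cr=${1:-/open/anoncvs}/cvs/CVSROOT
    [ -f "$cr/writers" ] && [ ! -s "$cr/writers" ] || return 1
    grep -qx anoncvs "$cr/readers" 2>/dev/null
}

# Returns 0 when the sup refuse file lists all four CVSROOT files that
# must never be fetched from upstream (history, readers, writers, passwd).
sup_refuse_complete() {
    refuse=${1:-/open/anoncvs/sup/cvs/refuse}
    for f in history readers writers passwd; do
        grep -qx "cvs/CVSROOT/$f" "$refuse" 2>/dev/null || return 1
    done
}

# Runs every check against one jail; returns 1 if any of them fails.
audit_jail() {
    jail=${1:-/open/anoncvs}
    rc=0
    jail_world_writable "$jail" || { echo "FAIL: world-writable files"; rc=1; }
    jail_cvsroot_readonly "$jail" || { echo "FAIL: CVSROOT access lists"; rc=1; }
    sup_refuse_complete "$jail/sup/cvs/refuse" || { echo "FAIL: sup refuse"; rc=1; }
    return $rc
}
```

Run `audit_jail /open/anoncvs` after step 4 and again after each sup run; a non-zero exit means one of the three rules is violated.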
***************************************************************
NOTES FOR OTHER PLATFORMS:

If you're not that familiar with your other platform (i.e. you haven't
built a chroot jail for a server on it) you may be better off
finding an OpenBSD machine to use (and duplicating the example above).

**SunOS 5)
Bob Beck <Bob.Beck@ualberta.ca> has done this. E-mail for
help if you need it.

**OSF 1)
From Todd Fries <toddf@acm.org> to the adventurous.
A note for those installing anoncvs on non-OpenBSD operating systems.
You are in for some fun.

For OSF1, on a DEC alpha, I had to do the following in addition to the
above:

- I do not know how to set up dynamic libraries on osf1 and as a result
  everything had to be compiled statically.
- Therefore, everything but /bin/sh I had to recompile in order to
  get the chroot set up. In order that there be no guesswork
  involved, the following packages' binaries must exist in the chroot
  environment:

  GNU
  cvs (from the OpenBSD source tree)

Some notes on compiling.

  cvs fails to install if you don't have makeinfo ... just search for the
  string ' install-info$' with regex and remove it from the Makefile for the
  install and you'll be fine, or install 'texinfo', your choice.