development/cvsd: Added (wrapper for cvs in pserver mode).

2024-11-22 19:44:21 +01:00 · 2010-05-13 00:24:35 -05:00 · 2010-05-13 00:24:35 -05:00 · 6f2e5cf258
commit 6f2e5cf258
parent 60f9d60dbe
6 changed files with 351 additions and 0 deletions
--- a/development/cvsd/README
+++ b/development/cvsd/README
@ -0,0 +1,27 @@
+cvsd is a wrapper program for cvs in pserver mode. it will run 'cvs pserver'
+under a special uid/gid in a chroot jail.
+
+cvsd is run as a daemon and is controlled through a configuration file. It is
+relatively easy to configure and provides tools for easy setting up a chroot
+jail.
+
+This server can be useful if you want to run a public cvs pserver. You should
+however be aware of the security limitations of running a cvs pserver. If you
+want any kind of authentication you should really consider using secure shell
+as a secure authentication mechanism and transport. Passwords used in cvs
+pserver are transmitted in plain text.
+
+This wrapper adds a layer of security to the cvs server. cvs is a very
+powerful tool and is capable of running scripts and other things. Running cvs
+in a chroot jail it is possible to limit the amount of "damage" cvs can do if
+it is exploited. It is generally a good idea to run cvsd without any write
+permissions to any directory on the system.
+
+Features of cvsd include:
+ * running in chroot jail
+ * configuring chroot jail
+ * running under a non-root uid
+ * set a nice value
+ * limit resource usage
+ * limit number of connections
+ * relatively easy to set up
--- a/development/cvsd/README.SLACKWARE
+++ b/development/cvsd/README.SLACKWARE
@ -0,0 +1,169 @@
+To have cvsd start at boot-time, you'll need to add the following lines
+to /etc/rc.d/rc.local:
+
+        # Start cvsd
+        if [ -x /etc/rc.d/rc.cvsd ]; then
+          /etc/rc.d/rc.cvsd start
+        fi
+
+You'll then need to add the following lines to /etc/rc.d/rc.local_shutdown:
+
+        # Stop cvsd
+        if [ -x /etc/rc.d/rc.cvsd ]; then
+          /etc/rc.d/rc.cvsd stop
+        fi
+
+
+The following is the configuration section from cvsd's own README
+(located in /usr/doc/cvsd-<version>), just modified a little for Slackware.
+
+You will need this for actually setting up a jail and repositories etc.
+
+
+CONFIGURING CVSD
+================
+
+cvsd is controlled through a configuration file in /etc/cvsd/cvsd.confi
+The default configuration file is fully commented and has a manual page
+(cvsd.conf(5)) which documents use of the configuration file.
+
+very quick setup guide
+----------------------
+
+The is just a series of commands to set up cvsd in a typical read-only setup.
+If you don't understand these steps or are looking for commands that work on
+your system you should look below for further details.
+
+  # cvsd-buildroot /srv/cvsd
+  # cvs -d /srv/cvsd/myrepos init
+  # cvsd-passwd /srv/cvsd/myrepos +anonymous
+  # touch /srv/cvsd/myrepos/CVSROOT/writers
+  edit /srv/cvsd/myrepos/CVSROOT/config
+    add "SystemAuth=no"
+    add "PamAuth=no"
+    add "LockDir=/tmp/myrepos"
+  # mkdir /srv/cvsd/tmp/myrepos
+  # chown cvsd:cvsd /srv/cvsd/tmp/myrepos
+  edit /etc/cvsd/cvsd.conf
+    set "Repos /myrepos"
+
+You should now be able to continue with the section "checking the
+configuration" below.
+
+
+setting up a chroot jail
+------------------------
+
+You can populate a chrooted file system with cvsd-buildroot. You should rerun
+this script if your cvs binary changes or the libraries that it depends upon.
+The place where you create the chroot file system should be specified in the
+configuration file as the 'RootJail'. It is possible (but not advisable) to
+run cvsd without a chrooted file system.
+
+If you plan to run stuff like the scripts from the contrib/ subdirectory in
+cvs, then you have to have all necessary binaries, libraries etc. etc. in the
+chrooted file system. You can just put the needed binaries in the 'bin'
+directory of the chroot jail and 'cvsd-buildroot' will install the needed
+libraries. Please note that this may require manual reconfiguring.
+
+Some systems may require extra libraries to be present in the chrooted file
+system than can not be automatically detected (using ldd). See the FAQ for
+details.
+
+disabling inetd pserver
+-----------------------
+
+If inetd is configured to start cvs /etc/inetd.conf should contain a line
+like this:
+  cvspserver   stream   tcp  nowait  root /usr/bin/cvs --allow-root /home/cvs
+You should remove or comment out this line or tell cvsd to listen on a
+different port (use Listen option in cvsd.conf). If you change inetd.conf you
+should tell inetd to reload it's configuration by:
+  # kill -s HUP <pidofinetd>
+
+setting up a repository
+-----------------------
+
+If you have configured the chroot jail and the user and group id bits you can
+start adding repositories to the chroot jail. There are a couple of ways you
+could do that.
+
+The first is creating an empty repository with something like:
+  # cvs -d /srv/cvsd/myrepos init
+(where /srv/cvsd is the location of the chroot jail and myrepos is the
+name of the new repository)
+
+Another way is copying an already existing repository to the chroot jail. It
+is also possible to do something smart with a tool like 'rsync'. Put this in
+a cronjob for extra effect.
+
+Symbolic linking a repository to the chroot jail is not possible since
+symbolic links will be evaluated within the chroot jail. Hard linking directories
+should be avoided (hard linking in general in my opinion). With Linux 2.4 (and
+probably other systems) it is possible to remount an existing directory
+within another directory. You can use mount:
+  # mount --bind /home/user/develrepos /srv/cvsd/userrepos
+or add something like this to /etc/fstab:
+  /home/user/develrepos /srv/cvsd/userrepos none bind 0 0
+(don't forget to create the /srv/cvsd/userrepos directory)
+
+After you have created or copied a repository into the chroot jail you should
+add it to the cvsd.conf configuration file so cvs can access it. Use the
+'Repos' option for this and remember to specify it relative to the chroot
+jail. So if your repository is /srv/cvsd/myrepos you should add 'Repos
+/myrepos' to the configuration file.
+
+The last step for making your repository accessible is to add a passwd file
+to the 'CVSROOT' directory of the repository. The cvsd-passwd tool will do
+this for you.
+  cvsd-passwd /srv/cvsd/myrepos anonymous
+This will add user 'anonymous' to the list of users that can access the
+repository. You will be prompted for a password which can optionally be
+blank.
+
+Note that the cvsd user needs to have the correct permissions to the
+repository. The cvsd user probably should have read access to the repository
+but probably no write permission. You can add all users in the repository
+passwd file to a file named 'readers' in the 'CVSROOT' directory or create an
+empty 'writers' file. Without any of these files all users have write access!
+
+If you set up your repository so that the cvsd user only has read access to
+the files and directories in the repository (through unix file permissions)
+you need to take some extra provisions since cvs creates lockfiles when
+checking out files from the repository. The best way to do this is to create
+a directory for the cvsd user to write the lockfiles to (e.g.
+/srv/cvsd/tmp/myrepos) and add "LockDir=/tmp/myrepos" to the
+/srv/cvsd/myrepos/CVSROOT/config file. Be sure to create the directory
+and make it writable for the cvsd user. If your cvsd user has write access to
+the repository this should be no problem.
+
+It is also a good idea to put "SystemAuth=no" and maybe "PamAuth=no" in your
+CVSROOT/config file. This way password lookups will only be done to
+CVSROOT/config and not to /etc/passwd inside the chroot jail (that passwd
+file shouldn't contain any passwords) or PAM.
+
+See the "Password authentication server" section in the cvs texinfo document
+for more information about running a pserver and setting up repositories.
+
+
+CHECKING THE CONFIGURATION
+==========================
+
+If you have started cvsd with the provided init script:
+  # /etc/rc.d/rc.cvsd start
+and configured a repository (say myrepos) you should be able to access the
+server with something like:
+  % cvs -d :pserver:anonymous@localhost:/myrepos login
+  % cvs -d :pserver:anonymous@localhost:/myrepos checkout .
+For troubleshooting information see the FAQ on debugging.
+
+
+REPORTING BUGS
+==============
+
+If you find any bugs or missing features please send email to
+  arthur@arthurdejong.org
+Please include as much information as needed (platform, output of configure
+if compilation fails, output of the failure, etc). Most of the configuration
+information can be provided by running cvsd-buginfo. Patches are more than
+welcome.
--- a/development/cvsd/cvsd.SlackBuild
+++ b/development/cvsd/cvsd.SlackBuild
@ -0,0 +1,103 @@
+#!/bin/sh
+# Generated by Alien's SlackBuild Toolkit: http://slackware.com/~alien/AST
+# Copyright 2009 Eric Hameleers <alien@slackware.com>, Eindhoven, Netherlands
+
+# Slackware build script for drbd
+# Written by Zordrak <sbo@tpa.me.uk>
+# Based on http://slackbuilds.org/template.SlackBuild
+
+PRGNAM=cvsd
+VERSION=${VERSION:-1.0.18}
+ARCH=${ARCH:-x86}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i486" ]; then
+  SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+  SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+  SLKCFLAGS="-O2 -fPIC"
+  LIBDIRSUFFIX="64"
+fi
+
+set -e # Exit on most errors
+
+# Bail out if user or group isn't valid on your system
+# For slackbuilds.org, assigned cvsd uid/gid are 233/233
+# See http://slackbuilds.org/uid_gid.txt
+if ! grep ^cvsd: /etc/group 2>&1 > /dev/null; then
+    echo "  You must have a \"cvsd\" group to run this script."
+    echo "    # groupadd -g 233 cvsd"
+    exit 1
+elif ! grep ^cvsd: /etc/passwd 2>&1 > /dev/null; then
+    echo "  You must have a \"cvsd\" user to run this script."
+    echo "    # useradd -u 233 -g cvsd -d /srv/cvsd -s /bin/false cvsd"
+    exit 1
+fi
+
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+  --prefix=/usr \
+  --libdir=/usr/lib${LIBDIRSUFFIX} \
+  --sysconfdir=/etc \
+  --localstatedir=/var \
+  --mandir=/usr/man \
+  --docdir=/usr/doc/$PRGNAM-$VERSION \
+  --build=$ARCH-slackware-linux
+
+make
+make install DESTDIR=$PKG
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+  | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+( cd $PKG/usr/man
+  find . -type f -exec gzip -9 {} \;
+  for i in $( find . -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+)
+
+mkdir -p $PKG/etc/rc.d
+mv $PKG/etc/init.d/cvsd $PKG/etc/rc.d/rc.cvsd.new
+rmdir $PKG/etc/init.d
+mv $PKG/etc/cvsd/cvsd.conf $PKG/etc/cvsd/cvsd.conf.new
+
+sed -i 's/\/var\/lib\/cvsd/\/srv\/cvsd/g' $PKG/etc/cvsd/cvsd.conf.new
+sed -i 's/^Repos/# Repos/g' $PKG/etc/cvsd/cvsd.conf.new
+sed -i 's/^#Listen \* 2401/Listen 0.0.0.0 2401/g' $PKG/etc/cvsd/cvsd.conf.new
+mkdir -p $PKG/srv/cvsd
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a \
+  AUTHORS COPYING ChangeLog* FAQ INSTALL NEWS README TODO \
+  $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
--- a/development/cvsd/cvsd.info
+++ b/development/cvsd/cvsd.info
@ -0,0 +1,10 @@
+PRGNAM="cvsd"
+VERSION="1.0.18"
+HOMEPAGE="http://arthurdejong.org/cvsd/"
+DOWNLOAD="http://arthurdejong.org/cvsd/cvsd-1.0.18.tar.gz"
+MD5SUM="1117d78572619597ece45c04aab75e2d"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="Zordrak"
+EMAIL="slackbuilds@tpa.me.uk"
+APPROVED="rworkman"
--- a/development/cvsd/doinst.sh
+++ b/development/cvsd/doinst.sh
@ -0,0 +1,23 @@
+config() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  # If there's no config file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+    # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+# Keep same perms on rc.cvsd.new:
+if [ -e etc/rc.d/rc.cvsd ]; then
+  cp -a etc/rc.d/rc.cvsd etc/rc.d/rc.cvsd.new.incoming
+  cat etc/rc.d/rc.cvsd.new > etc/rc.d/rc.cvsd.new.incoming
+  mv etc/rc.d/rc.cvsd.new.incoming etc/rc.d/rc.cvsd.new
+fi
+
+config etc/rc.d/rc.cvsd.new
+config etc/cvsd/cvsd.conf.new
+
--- a/development/cvsd/slack-desc
+++ b/development/cvsd/slack-desc
@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.  Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in.  You must
+# make exactly 11 lines for the formatting to be correct.  It's also
+# customary to leave one space after the ':'.
+
+    |-----handy-ruler------------------------------------------------------|
+cvsd: cvsd (a cvs pserver daemon)
+cvsd:
+cvsd: cvsd is a wrapper program for cvs in pserver mode. It will run
+cvsd: 'cvs pserver' under a special uid/gid in a chroot jail.
+cvsd:
+cvsd: cvsd is run as a daemon and is controlled through a configuration
+cvsd: file. It is relatively easy to configure and tools are provided for
+cvsd: setting up a rootjail.
+cvsd:
+cvsd: Home: http://arthurdejong.org/cvsd/
+cvsd: