From 6f2e5cf258f35192bcc15dfab06b69e12cc2a513 Mon Sep 17 00:00:00 2001 From: Zordrak Date: Thu, 13 May 2010 00:24:35 -0500 Subject: development/cvsd: Added (wrapper for cvs in pserver mode). --- development/cvsd/README | 27 ++++++ development/cvsd/README.SLACKWARE | 169 ++++++++++++++++++++++++++++++++++++++ development/cvsd/cvsd.SlackBuild | 103 +++++++++++++++++++++++ development/cvsd/cvsd.info | 10 +++ development/cvsd/doinst.sh | 23 ++++++ development/cvsd/slack-desc | 19 +++++ 6 files changed, 351 insertions(+) create mode 100644 development/cvsd/README create mode 100644 development/cvsd/README.SLACKWARE create mode 100644 development/cvsd/cvsd.SlackBuild create mode 100644 development/cvsd/cvsd.info create mode 100644 development/cvsd/doinst.sh create mode 100644 development/cvsd/slack-desc diff --git a/development/cvsd/README b/development/cvsd/README new file mode 100644 index 0000000000..248327f3cf --- /dev/null +++ b/development/cvsd/README 
@@ -0,0 +1,27 @@ +cvsd is a wrapper program for cvs in pserver mode. it will run 'cvs pserver' +under a special uid/gid in a chroot jail. + +cvsd is run as a daemon and is controlled through a configuration file. It is +relatively easy to configure and provides tools for easy setting up a chroot +jail. + +This server can be useful if you want to run a public cvs pserver. You should +however be aware of the security limitations of running a cvs pserver. If you +want any kind of authentication you should really consider using secure shell +as a secure authentication mechanism and transport. Passwords used in cvs +pserver are transmitted in plain text. + +This wrapper adds a layer of security to the cvs server. cvs is a very +powerful tool and is capable of running scripts and other things. Running cvs +in a chroot jail it is possible to limit the amount of "damage" cvs can do if +it is exploited. It is generally a good idea to run cvsd without any write +permissions to any directory on the system. + +Features of cvsd include: + * running in chroot jail + * configuring chroot jail + * running under a non-root uid + * set a nice value + * limit resource usage + * limit number of connections + * relatively easy to set up diff --git a/development/cvsd/README.SLACKWARE b/development/cvsd/README.SLACKWARE new file mode 100644 index 0000000000..62d2e5bdba --- /dev/null +++ b/development/cvsd/README.SLACKWARE 
@@ -0,0 +1,169 @@ +To have cvsd start at boot-time, you'll need to add the following lines +to /etc/rc.d/rc.local: + + # Start cvsd + if [ -x /etc/rc.d/rc.cvsd ]; then + /etc/rc.d/rc.cvsd start + fi + +You'll then need to add the following lines to /etc/rc.d/rc.local_shutdown: + + # Stop cvsd + if [ -x /etc/rc.d/rc.cvsd ]; then + /etc/rc.d/rc.cvsd stop + fi + + +The following is the configuration section from cvsd's own README +(located in /usr/doc/cvsd-), just modified a little for Slackware. + +You will need this for actually setting up a jail and repositories etc. + + +CONFIGURING CVSD +================ + +cvsd is controlled through a configuration file in /etc/cvsd/cvsd.confi +The default configuration file is fully commented and has a manual page +(cvsd.conf(5)) which documents use of the configuration file. + +very quick setup guide +---------------------- + +The is just a series of commands to set up cvsd in a typical read-only setup. +If you don't understand these steps or are looking for commands that work on +your system you should look below for further details. + + # cvsd-buildroot /srv/cvsd + # cvs -d /srv/cvsd/myrepos init + # cvsd-passwd /srv/cvsd/myrepos +anonymous + # touch /srv/cvsd/myrepos/CVSROOT/writers + edit /srv/cvsd/myrepos/CVSROOT/config + add "SystemAuth=no" + add "PamAuth=no" + add "LockDir=/tmp/myrepos" + # mkdir /srv/cvsd/tmp/myrepos + # chown cvsd:cvsd /srv/cvsd/tmp/myrepos + edit /etc/cvsd/cvsd.conf + set "Repos /myrepos" + +You should now be able to continue with the section "checking the +configuration" below. + + +setting up a chroot jail +------------------------ + +You can populate a chrooted file system with cvsd-buildroot. You should rerun +this script if your cvs binary changes or the libraries that it depends upon. +The place where you create the chroot file system should be specified in the +configuration file as the 'RootJail'. It is possible (but not advisable) to +run cvsd without a chrooted file system. 
+ +If you plan to run stuff like the scripts from the contrib/ subdirectory in +cvs, then you have to have all necessary binaries, libraries etc. etc. in the +chrooted file system. You can just put the needed binaries in the 'bin' +directory of the chroot jail and 'cvsd-buildroot' will install the needed +libraries. Please note that this may require manual reconfiguring. + +Some systems may require extra libraries to be present in the chrooted file +system than can not be automatically detected (using ldd). See the FAQ for +details. + +disabling inetd pserver +----------------------- + +If inetd is configured to start cvs /etc/inetd.conf should contain a line +like this: + cvspserver stream tcp nowait root /usr/bin/cvs --allow-root /home/cvs +You should remove or comment out this line or tell cvsd to listen on a +different port (use Listen option in cvsd.conf). If you change inetd.conf you +should tell inetd to reload it's configuration by: + # kill -s HUP + +setting up a repository +----------------------- + +If you have configured the chroot jail and the user and group id bits you can +start adding repositories to the chroot jail. There are a couple of ways you +could do that. + +The first is creating an empty repository with something like: + # cvs -d /srv/cvsd/myrepos init +(where /srv/cvsd is the location of the chroot jail and myrepos is the +name of the new repository) + +Another way is copying an already existing repository to the chroot jail. It +is also possible to do something smart with a tool like 'rsync'. Put this in +a cronjob for extra effect. + +Symbolic linking a repository to the chroot jail is not possible since +symbolic links will be evaluated within the chroot jail. Hard linking directories +should be avoided (hard linking in general in my opinion). With Linux 2.4 (and +probably other systems) it is possible to remount an existing directory +within another directory. 
You can use mount: + # mount --bind /home/user/develrepos /srv/cvsd/userrepos +or add something like this to /etc/fstab: + /home/user/develrepos /srv/cvsd/userrepos none bind 0 0 +(don't forget to create the /srv/cvsd/userrepos directory) + +After you have created or copied a repository into the chroot jail you should +add it to the cvsd.conf configuration file so cvs can access it. Use the +'Repos' option for this and remember to specify it relative to the chroot +jail. So if your repository is /srv/cvsd/myrepos you should add 'Repos +/myrepos' to the configuration file. + +The last step for making your repository accessible is to add a passwd file +to the 'CVSROOT' directory of the repository. The cvsd-passwd tool will do +this for you. + cvsd-passwd /srv/cvsd/myrepos anonymous +This will add user 'anonymous' to the list of users that can access the +repository. You will be prompted for a password which can optionally be +blank. + +Note that the cvsd user needs to have the correct permissions to the +repository. The cvsd user probably should have read access to the repository +but probably no write permission. You can add all users in the repository +passwd file to a file named 'readers' in the 'CVSROOT' directory or create an +empty 'writers' file. Without any of these files all users have write access! + +If you set up your repository so that the cvsd user only has read access to +the files and directories in the repository (through unix file permissions) +you need to take some extra provisions since cvs creates lockfiles when +checking out files from the repository. The best way to do this is to create +a directory for the cvsd user to write the lockfiles to (e.g. +/srv/cvsd/tmp/myrepos) and add "LockDir=/tmp/myrepos" to the +/srv/cvsd/myrepos/CVSROOT/config file. Be sure to create the directory +and make it writable for the cvsd user. If your cvsd user has write access to +the repository this should be no problem. 
+ +It is also a good idea to put "SystemAuth=no" and maybe "PamAuth=no" in your +CVSROOT/config file. This way password lookups will only be done to +CVSROOT/config and not to /etc/passwd inside the chroot jail (that passwd +file shouldn't contain any passwords) or PAM. + +See the "Password authentication server" section in the cvs texinfo document +for more information about running a pserver and setting up repositories. + + +CHECKING THE CONFIGURATION +========================== + +If you have started cvsd with the provided init script: + # /etc/rc.d/rc.cvsd start +and configured a repository (say myrepos) you should be able to access the +server with something like: + % cvs -d :pserver:anonymous@localhost:/myrepos login + % cvs -d :pserver:anonymous@localhost:/myrepos checkout . +For troubleshooting information see the FAQ on debugging. + + +REPORTING BUGS +============== + +If you find any bugs or missing features please send email to + arthur@arthurdejong.org +Please include as much information as needed (platform, output of configure +if compilation fails, output of the failure, etc). Most of the configuration +information can be provided by running cvsd-buginfo. Patches are more than +welcome. diff --git a/development/cvsd/cvsd.SlackBuild b/development/cvsd/cvsd.SlackBuild new file mode 100644 index 0000000000..953e4b7980 --- /dev/null +++ b/development/cvsd/cvsd.SlackBuild 
@@ -0,0 +1,103 @@ +#!/bin/sh +# Generated by Alien's SlackBuild Toolkit: http://slackware.com/~alien/AST +# Copyright 2009 Eric Hameleers , Eindhoven, Netherlands + +# Slackware build script for drbd +# Written by Zordrak +# Based on http://slackbuilds.org/template.SlackBuild + +PRGNAM=cvsd +VERSION=${VERSION:-1.0.18} +ARCH=${ARCH:-x86} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} + +CWD=$(pwd) +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +if [ "$ARCH" = "i486" ]; then + SLKCFLAGS="-O2 -march=i486 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +fi + +set -e # Exit on most errors + +# Bail out if user or group isn't valid on your system +# For slackbuilds.org, assigned cvsd uid/gid are 233/233 +# See http://slackbuilds.org/uid_gid.txt +if ! grep ^cvsd: /etc/group 2>&1 > /dev/null; then + echo " You must have a \"cvsd\" group to run this script." + echo " # groupadd -g 233 cvsd" + exit 1 +elif ! grep ^cvsd: /etc/passwd 2>&1 > /dev/null; then + echo " You must have a \"cvsd\" user to run this script." + echo " # useradd -u 233 -g cvsd -d /srv/cvsd -s /bin/false cvsd" + exit 1 +fi + + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz +cd $PRGNAM-$VERSION +chown -R root:root . +find . 
\ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \; + +CFLAGS="$SLKCFLAGS" \ +CXXFLAGS="$SLKCFLAGS" \ +./configure \ + --prefix=/usr \ + --libdir=/usr/lib${LIBDIRSUFFIX} \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --mandir=/usr/man \ + --docdir=/usr/doc/$PRGNAM-$VERSION \ + --build=$ARCH-slackware-linux + +make +make install DESTDIR=$PKG + +find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \ + | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true + +( cd $PKG/usr/man + find . -type f -exec gzip -9 {} \; + for i in $( find . -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done +) + +mkdir -p $PKG/etc/rc.d +mv $PKG/etc/init.d/cvsd $PKG/etc/rc.d/rc.cvsd.new +rmdir $PKG/etc/init.d +mv $PKG/etc/cvsd/cvsd.conf $PKG/etc/cvsd/cvsd.conf.new + +sed -i 's/\/var\/lib\/cvsd/\/srv\/cvsd/g' $PKG/etc/cvsd/cvsd.conf.new +sed -i 's/^Repos/# Repos/g' $PKG/etc/cvsd/cvsd.conf.new +sed -i 's/^#Listen \* 2401/Listen 0.0.0.0 2401/g' $PKG/etc/cvsd/cvsd.conf.new +mkdir -p $PKG/srv/cvsd + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a \ + AUTHORS COPYING ChangeLog* FAQ INSTALL NEWS README TODO \ + $PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc +cat $CWD/doinst.sh > $PKG/install/doinst.sh + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} diff --git a/development/cvsd/cvsd.info b/development/cvsd/cvsd.info new file mode 100644 index 0000000000..c8e0897f1f --- /dev/null +++ b/development/cvsd/cvsd.info 
@@ -0,0 +1,10 @@ +PRGNAM="cvsd" +VERSION="1.0.18" +HOMEPAGE="http://arthurdejong.org/cvsd/" +DOWNLOAD="http://arthurdejong.org/cvsd/cvsd-1.0.18.tar.gz" +MD5SUM="1117d78572619597ece45c04aab75e2d" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +MAINTAINER="Zordrak" +EMAIL="slackbuilds@tpa.me.uk" +APPROVED="rworkman" diff --git a/development/cvsd/doinst.sh b/development/cvsd/doinst.sh new file mode 100644 index 0000000000..52f4fdc866 --- /dev/null +++ b/development/cvsd/doinst.sh @@ -0,0 +1,23 @@ +config() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then + # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} + +# Keep same perms on rc.cvsd.new: +if [ -e etc/rc.d/rc.cvsd ]; then + cp -a etc/rc.d/rc.cvsd etc/rc.d/rc.cvsd.new.incoming + cat etc/rc.d/rc.cvsd.new > etc/rc.d/rc.cvsd.new.incoming + mv etc/rc.d/rc.cvsd.new.incoming etc/rc.d/rc.cvsd.new +fi + +config etc/rc.d/rc.cvsd.new +config etc/cvsd/cvsd.conf.new + diff --git a/development/cvsd/slack-desc b/development/cvsd/slack-desc new file mode 100644 index 0000000000..fa486862bf --- /dev/null +++ b/development/cvsd/slack-desc 
@@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':'. + + |-----handy-ruler------------------------------------------------------| +cvsd: cvsd (a cvs pserver daemon) +cvsd: +cvsd: cvsd is a wrapper program for cvs in pserver mode. It will run +cvsd: 'cvs pserver' under a special uid/gid in a chroot jail. +cvsd: +cvsd: cvsd is run as a daemon and is controlled through a configuration +cvsd: file. It is relatively easy to configure and tools are provided for +cvsd: setting up a rootjail. +cvsd: +cvsd: Home: http://arthurdejong.org/cvsd/ +cvsd: -- cgit v1.2.3-65-gdbad
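Review bot: In development/cvsd/README.SLACKWARE, the paragraph recommending "SystemAuth=no" says password lookups will then only be done to CVSROOT/config, but the same file states that cvsd-passwd adds a passwd file to the 'CVSROOT' directory, so the lookup target should read CVSROOT/passwd. The first sentence under CONFIGURING CVSD gives the path as /etc/cvsd/cvsd.confi, which should be /etc/cvsd/cvsd.conf to match the rest of the file and the SlackBuild, and "The is just a series of commands" should read "This is". It would also help to repeat, next to the "touch /srv/cvsd/myrepos/CVSROOT/writers" step in the quick setup guide, the later warning that without a readers or writers file all users have write access, since that step is what makes the quick setup read-only.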
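Review bot: In development/cvsd/cvsd.SlackBuild, the sed that rewrites "#Listen \* 2401" to "Listen 0.0.0.0 2401" ships a default cvsd.conf bound to every IPv4 interface, for a protocol that the README in this same patch says transmits passwords in plain text; consider leaving the Listen line as upstream ships it, or defaulting to a loopback address, and documenting the choice in README.SLACKWARE. Separately, ARCH defaults to x86, which matches none of the i486, i686 or x86_64 branches, so SLKCFLAGS is empty and the package is configured with --build=x86-slackware-linux and named accordingly; default to i486 or add an else branch. The header comment says "Slackware build script for drbd" and should name cvsd, and in the user and group checks "2>&1 > /dev/null" leaves stderr on the terminal, so "> /dev/null 2>&1" or grep -q is what was intended.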
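Review bot: In development/cvsd/cvsd.info, DOWNLOAD is a plain http:// URL and the only integrity value recorded is MD5SUM, while cvsd.SlackBuild goes straight to "tar xvf $CWD/$PRGNAM-$VERSION.tar.gz" without checking anything, so nothing in the patch itself ties the built package to the recorded tarball. If the .info format allows nothing stronger than MD5, state in the README that the checksum must be verified before building, or have the build script compare the tarball's md5sum against the recorded value and exit on mismatch.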
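Review bot: In development/cvsd/doinst.sh, the "Keep same perms on rc.cvsd.new" block only runs when etc/rc.d/rc.cvsd already exists, so on a fresh install the mode of rc.cvsd is whatever "make install" gave the init script, and cvsd.SlackBuild moves it to rc.cvsd.new without a chmod. Since README.SLACKWARE starts the daemon from rc.local only when /etc/rc.d/rc.cvsd is executable, set the mode explicitly in the SlackBuild (0644 to ship it disabled, 0755 to ship it enabled) so that the boot-time default is a deliberate choice. As a style point, $NEW and $OLD in config() are unquoted in the test, mv and rm calls, and "cat $OLD | md5sum" can be "md5sum < "$OLD"".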