Anoncvs
This guide assumes you have already created a new CVS root and imported repositories. Committers will use the real CVS repo for reading and writing, whereas in this guide, we create an anoncvs mirror for guest read-only access.
$ mkdir ~/anoncvs
$ cd ~/anoncvs
$ ftp https://www.openbsd.org/anoncvs.shar
$ sh anoncvs.shar
Edit the first line of ~/Makefile:
CVSROOT=anoncvs@anoncvs.example.com:/cvs
Replace anoncvs.example.com with your domain. Leave /cvs as-is: CVS runs
inside a chroot jail, so the path is relative to the jail root.
$ make
$ doas useradd -m -d /open/anoncvs -s /open/anoncvssh anoncvs
$ doas cp anoncvssh /open/anoncvssh
$ doas chmod 4111 /open/anoncvssh
The anoncvs account needs an empty password. Run doas vipw
and edit its line so it looks like this (your uid and gid may differ
from 1001):
anoncvs::1001:1001::0:0::/open/anoncvs:/open/anoncvssh
Add this to the bottom of /etc/ssh/sshd_config:
Match User anoncvs
PermitEmptyPasswords yes
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTTY no
Then restart sshd:
$ doas rcctl restart sshd
Run the following as root to create the chroot jail:
export CVSYNCUSER=$USER
mkdir /open/anoncvs/cvs
chown -R $CVSYNCUSER:commit /open/anoncvs/cvs
chmod -R g+w /open/anoncvs/cvs
$CVSYNCUSER is the person maintaining the CVS archive. Replace $USER with the maintainer's username.
The commands below are needed for OpenBSD 6.9 stable:
touch /open/anoncvs/.hushlogin
touch /open/anoncvs/.profile
mkdir /open/anoncvs/{bin,dev,tmp,usr,var,etc}
cp /bin/{cat,pwd,rm,sh} /open/anoncvs/bin/
mknod -m 666 /open/anoncvs/dev/null c 2 2
mknod -m 666 /open/anoncvs/dev/zero c 2 12
cp /etc/{hosts,protocols,resolv.conf,services,ttys} /open/anoncvs/etc/
chmod 444 /open/anoncvs/etc/{hosts,protocols,resolv.conf,services,ttys}
# relative target, so the link also resolves from inside the chroot
ln -s ../tmp /open/anoncvs/var/tmp
chmod a+rwx /open/anoncvs/tmp
mkdir /open/anoncvs/usr/{bin,lib}
cp /usr/bin/cvs /open/anoncvs/usr/bin/
mkdir /open/anoncvs/usr/libexec
cp /usr/libexec/ld.so /open/anoncvs/usr/libexec/
cp /usr/lib/libz.so.5.0 /open/anoncvs/usr/lib/
cp /usr/lib/libc.so.96.0 /open/anoncvs/usr/lib/
chown -R root:wheel /open/anoncvs
This was recommended by the README in the shar file from OpenBSD's anoncvs instructions, but I found it was unnecessary and potentially leaks system information:
cp /etc/{group,hosts,passwd,protocols} /open/anoncvs/etc/
cp /etc/{pwd.db,resolv.conf,services,ttys} /open/anoncvs/etc/
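The concern about account files leaking system information can be checked mechanically once the jail is built. The script below is an added example, not part of the OpenBSD shar or of this guide's own commands: it flags account databases under etc/, world-writable paths other than tmp, dev/null and dev/zero, and absolute symlinks that will not resolve inside the jail. The script name and the extra master.passwd and spwd.db entries are assumptions.

```sh
#!/bin/sh
# Added example (not from the anoncvs shar): audit a chroot jail tree.
# Usage: sh audit_chroot.sh /open/anoncvs     (script name is hypothetical)

audit_chroot() {
    root=${1%/}
    findings=0

    # 1. Account databases reveal local users. passwd, group and pwd.db are
    #    the files this guide names; master.passwd and spwd.db (OpenBSD's
    #    password-hash files) are an extra assumption added here.
    for f in passwd group pwd.db master.passwd spwd.db; do
        if [ -e "$root/etc/$f" ]; then
            echo "LEAK: $root/etc/$f should not be in the jail"
            findings=$((findings + 1))
        fi
    done

    # 2. Only tmp, dev/null and dev/zero are meant to be world-writable.
    #    (Assumes jail paths contain no whitespace.)
    for p in $(find "$root" ! -type l -perm -0002 ! -path "$root/tmp" \
                   ! -path "$root/dev/null" ! -path "$root/dev/zero"); do
        echo "WRITABLE: $p is world-writable"
        findings=$((findings + 1))
    done

    # 3. After chroot(2), an absolute symlink target is resolved from the
    #    jail root, so it has to exist under $root or the link dangles.
    for l in $(find "$root" -type l); do
        t=$(readlink "$l")
        case $t in
            /*) if [ ! -e "$root$t" ]; then
                    echo "DANGLING: $l -> $t is missing inside the jail"
                    findings=$((findings + 1))
                fi ;;
        esac
    done

    echo "$findings finding(s) in $root"
    [ "$findings" -eq 0 ]
}

if [ "$#" -gt 0 ]; then audit_chroot "$1"; fi
```

The function returns non-zero when anything is flagged, so it can gate a deployment script or run from cron after each rebuild of the jail.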
Syncing repos
Now sync the repos from the committers' CVSROOT to the anoncvs CVSROOT. Run this command while logged in as the CVS maintainer:
$ openrsync -a --delete --rsync-path=openrsync /CVS/ /open/anoncvs/cvs/
We will set up a cronjob so the repos are synced daily:
$ crontab -e
@daily -s /usr/bin/openrsync -a --delete --rsync-path=/usr/bin/openrsync /CVS/ /open/anoncvs/cvs/
Results
The /open/anoncvs/cvs/ directory should look like this:
# ls -lha /open/anoncvs/cvs
total 28
drwxr-xr-x 7 root wheel 512B Oct 9 06:19 .
drwxr-xr-x 10 root wheel 512B Oct 9 06:10 ..
drwxrwxr-x 3 jrmu commit 1.0K Apr 29 06:48 CVSROOT
drwxrwxr-x 9 jrmu commit 512B May 8 11:42 acopm
drwxrwxr-x 2 jrmu commit 1.0K Aug 26 04:17 botnow
drwxrwxr-x 8 jrmu commit 512B May 27 16:57 brogue-ce
drwxrwxr-x 6 jrmu commit 512B May 7 06:46 ircnowd
Publish SSH fingerprints
Publish your server's SSH host key fingerprints so users can verify them when they connect and be certain that the source code was transported securely.
Test anoncvs
You'll want to test anoncvs to make sure it's working.
Recommended Reading:
https://www.openbsd.org/anoncvs.html
https://www.openbsd.org/anoncvs.shar