Skip to content

Anoncvs

This guide assumes you have already created a new CVS root and imported repositories. Committers will use the real CVS repo for reading and writing, whereas in this guide, we create an anoncvs mirror for guest read-only access.

$ mkdir ~/anoncvs
$ cd ~/anoncvs
$ ftp https://www.openbsd.org/anoncvs.shar
$ sh anoncvs.shar

Edit the first line of ~/Makefile:

CVSROOT=anoncvs@anoncvs.example.com:/cvs

Replace anoncvs.example.com with your domain. You want to leave /cvs as-is

because CVS runs inside a chroot jail.

$ make
$ doas useradd -m -d /open/anoncvs -s /open/anoncvssh anoncvs
$ doas cp anoncvssh /open/anoncvssh
$ doas chmod 4111 /open/anoncvssh

You will need to set anoncvs so it has no password. Run doas vipw

and edit the line so it looks like this (except with the uid and gid 1001

perhaps changed to another value):

anoncvs::1001:1001::0:0::/open/anoncvs:/open/anoncvssh

Add this to the bottom of /etc/ssh/sshd_config:

Match User anoncvs
        PermitEmptyPasswords yes
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        PermitTTY no

Then restart sshd:

$ doas rcctl restart sshd

Run as root to create the chroot jail:

export CVSYNCUSER=$USER
mkdir /open/anoncvs/cvs
chown -R $CVSYNCUSER:commit /open/anoncvs/cvs
chmod -R g+w /open/anoncvs/cvs

The person maintaining the cvs archive is $CVSYNCUSER . Replace $USER with the maintainer's username.

The commands below are needed for OpenBSD 6.9 stable:

touch /open/anoncvs/.hushlogin
touch /open/anoncvs/.profile
mkdir /open/anoncvs/{bin,dev,tmp,usr,var,etc}
cp /bin/{cat,pwd,rm,sh} /open/anoncvs/bin/
mknod -m 666 /open/anoncvs/dev/null c 2 2
mknod -m 666 /open/anoncvs/dev/zero c 2 12
cp /etc/{hosts,protocols,resolv.conf,services,ttys} /open/anoncvs/etc/
chmod 444 /open/anoncvs/etc/{hosts,protocols,resolv.conf,services,ttys}
ln -s /open/anoncvs/tmp /open/anoncvs/var/tmp
chmod a+rwx /open/anoncvs/tmp
mkdir /open/anoncvs/usr/{bin,lib}
cp /usr/bin/cvs /open/anoncvs/usr/bin/
mkdir /open/anoncvs/usr/libexec
cp /usr/libexec/ld.so /open/anoncvs/usr/libexec/
cp /usr/lib/libz.so.5.0 /open/anoncvs/usr/lib/
cp /usr/lib/libc.so.96.0 /open/anoncvs/usr/lib/
chown -R root:wheel /open/anoncvs

(:if false:)

This was recommended by the README in the shar file from OpenBSD's anoncvs instructions, but I found it was unnecessary and potentially leaks system information:

cp /etc/{group,hosts,passwd,protocols} /open/anoncvs/etc/

cp /etc/{pwd.db,resolv.conf,services,ttys} /open/anoncvs/etc/

(:ifend:)

Syncing repos

You now want to sync repos from the committers' CVSROOT to the anoncvs CVSROOT. You want to run this command while logged in as the CVS maintainer:

$ openrsync -a --delete --rsync-path=openrsync /CVS/ /open/anoncvs/cvs/

We will set up a cronjob so the repos are synced daily:

$ crontab -e


@daily  -s /usr/bin/openrsync -a --delete --rsync-path=/usr/bin/openrsync /CVS/ /open/anoncvs/cvs/

Results

The /open/anoncvs/cvs/ directory should look like this:

# ls -lha /open/anoncvs/cvs
total 28
drwxr-xr-x   7 root  wheel   512B Oct  9 06:19 .
drwxr-xr-x  10 root  wheel   512B Oct  9 06:10 ..
drwxrwxr-x   3 jrmu  commit  1.0K Apr 29 06:48 CVSROOT
drwxrwxr-x   9 jrmu  commit  512B May  8 11:42 acopm
drwxrwxr-x   2 jrmu  commit  1.0K Aug 26 04:17 botnow
drwxrwxr-x   8 jrmu  commit  512B May 27 16:57 brogue-ce
drwxrwxr-x   6 jrmu  commit  512B May  7 06:46 ircnowd

Publish SSH fingerprints

Make sure to publish your SSH fingerprints so users can be certain that the source code was transported securely.

Test anoncvs

You'll want to test anoncvs to make sure it's working.

Recommended Reading:

https://www.openbsd.org/anoncvs.html

https://www.openbsd.org/anoncvs.shar

See Also:

CVS repo Guide

Cvsweb Guide

CVS Intro