Date: Fri, 01 Feb 2002 14:04:59 +0100
From: Bernd Luevelsmeyer <bdluevel@heitec.net>
To: Daniel Lang <dl@leo.org>, hubs@FreeBSD.org
Cc: adminmail@heitec.net
Subject: Re: FTP mirror; anonymous CVS
Message-ID: <20020201130459.74650B8101@christel.heitec.net>
References: <20020130043616.BD197B8206@christel.heitec.net> <20020130131414.I81625@atrbg11.informatik.tu-muenchen.de> <20020201044900.3B8C9B8101@christel.heitec.net> <20020201100953.A90046@atrbg11.informatik.tu-muenchen.de>
Daniel Lang wrote:
>
> Hi,
>
> Bernd Luevelsmeyer wrote on Fri, Feb 01, 2002 at 05:49:00AM +0100: [..]
> > In an attempt to have it *really* read-only, I set up the inetd.conf
> > line like this:
> >   cvspserver stream tcp nowait/1/5 nobody /usr/bin/cvs cvs \
> >     -f -R -T /var/tmp --allow-root=/home/ftp/repo pserver
>
> I use pretty much the same, with an additional -l (don't log
> into the history file, IIRC, we don't have one anyway).

Thanks for the hint. There's no history file, but better to be safe
than sorry ;-)

> Oh, and I've created a special user 'anoncvs' with no
> rights for it. Abusing nobody for too many purposes gives
> me a bad feeling...

Well I'm pretty sure 'nobody' doesn't own anything and we'll keep it
that way, so that should not be a problem.

> > Now my theory is that the entire cvs thing will now run as 'nobody', and
> > because of the -R and the existing but empty 'writers' file this nobody
> > surely will never even attempt to write anything. Does this sound
> > plausible?
>
> Aye.

I'm trying to chroot it into the CVSROOT directory. I've got a
statically linked cvs binary already, and I also get it running from
a portalfs so I don't need an inetd in the chroot directory. The
remaining problem is to get it all running at the same time ;-)
That's what doesn't work currently:

    su -m nobody -c 'chroot . ./cvs_static -R -l -f --allow-root=/\
    pserver <> /p/tcplisten/ANY/2401 >&0'

where /p is the portalfs mountpoint. Only root may chroot, that's the
problem :-/
When I get it to run there needs to be an endless loop around it and
that's all there is to do for a cheap inetd.

> > I'd be glad if people willing to spend the time would test the cvs
> > access; of course also feel free to break it, as I'm not sure I got it
> > right; it's only the second anonymous cvs server I set up.
> > Just in case someone didn't guess it, the CVSROOT is
> >   :pserver:anoncvs@cvsup.heitec.net:/home/ftp/repo
>
> Seems to work, checkout showed no problems.

Thanks very much, your advice has been most helpful!

Greetings,
Bernd

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hubs" in the body of the message
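
The read-only settings discussed in this message (a non-root user, -f, -R, -l, --allow-root, and an existing but empty 'writers' file) can be checked mechanically. The script below is an added example, not part of the original e-mail; the function names and the WEAK sample entry are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original message: audit a cvspserver
# inetd.conf entry and a repository for the read-only setup in the thread.

# Print one finding per line for an inetd.conf entry; nothing if it is clean.
audit_pserver_entry() {
    set -f                      # no globbing while splitting the entry
    set -- $1                   # fields: service type proto wait user program argv...
    set +f
    if [ "$1" != "cvspserver" ] || [ $# -lt 7 ]; then
        echo "not a complete cvspserver entry"
        return 0
    fi
    user=${5%%:*}               # field 5 may be user:group
    shift 6                     # "$@" is now argv[0] plus the cvs arguments
    seen_f=no; seen_R=no; seen_l=no; seen_root=no
    for arg in "$@"; do
        case $arg in
            -f) seen_f=yes ;;
            -R) seen_R=yes ;;
            -l) seen_l=yes ;;
            --allow-root=/*) seen_root=yes ;;
        esac
    done
    [ "$user" != "root" ] || echo "server runs as root"
    [ "$seen_f" = yes ] || echo "missing -f (user .cvsrc would be read)"
    [ "$seen_R" = yes ] || echo "missing -R (read-only repository mode)"
    [ "$seen_l" = yes ] || echo "missing -l (history logging not disabled)"
    [ "$seen_root" = yes ] || echo "missing --allow-root=/path"
    return 0
}

# Print a finding unless ROOT/CVSROOT/writers exists and is empty.
audit_writers_file() {
    w=$1/CVSROOT/writers
    if [ ! -f "$w" ]; then
        echo "no writers file, so it does not restrict write access"
    elif [ -s "$w" ]; then
        echo "writers file is not empty: listed users may write"
    fi
    return 0
}

# Constructed samples: GOOD is the entry from the message joined onto one
# line with -l added; WEAK is a made-up contrast case.
GOOD='cvspserver stream tcp nowait/1/5 nobody /usr/bin/cvs cvs -f -R -l -T /var/tmp --allow-root=/home/ftp/repo pserver'
WEAK='cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/home/ftp/repo pserver'

audit_pserver_entry "$GOOD"
audit_pserver_entry "$WEAK"
```

Run audit_writers_file with the repository path (the directory that contains CVSROOT) to check the 'writers' file as well.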