
Re: Zmailer CVS: LockDir=/var/lock/cvs in the config?



On Tue, Mar 04, 2003 at 09:18:32PM +0300, Eugene Crosser wrote:
> Matti,
> 
> I am now setting up public access to the mirror of Zmailer CVS dir that
> is living on my site for quite a while, and I strongly wish to make
> repository unreadable for the anonymous "cvs" user.  For that, there
> needs to be a "config" file in the CVSROOT/ with the line
...
> See this page for instructions:
> http://www.thornleyware.com/scm/cvsconfig/readonly.html

I actually have an rsynced copy of the data within a chroot subtree.
Every connection to my cvs server first runs the rsync copying,
chroot(2)s (+ chdir("/");), and then execs the real pserver in there.

The wrapper I have is a rather messy one from Andrew Tridgell (Mr. Samba),
whose code I encountered at vger.kernel.org years ago.

Tridge didn't trust the cvs code not to contain ways to attack it
with e.g. a stack overflow (like the one that was reported a few weeks ago!),
so he put the beast in a chroot jail.


xinetd runs it with:

$ more /etc/xinetd.d/cvspserver 
# Converted by inetdconvert
service cvspserv
{
        socket_type             = stream
        protocol                = tcp
        wait                    = no
        user                    = root
        flags   =       NOLIBWRAP IPv6
        server                  = /home/anoncvs/bin/pserver
        disable                 = no
}


And that program (C) would, as an SH-ish script, be something like:

#!/bin/sh

CVSROOT=/home/.../CVSROOT/
ACVSHOME=/home/anoncvs
ACVSROOT=$ACVSHOME/root/cvsroot/
FAKECVSROOT=/cvsroot

# Running rsync as root to be able to overwrite in the copy

/usr/bin/rsync -a --delete --exclude-from "$ACVSHOME/anoncvs.exclude" \
	--exclude '*.lock'   "$CVSROOT" "$ACVSROOT"

## Now turn gid&uid to e.g. ftp/ftp ?
## and finally run CVS PSERVER under CHROOT(2).

exec chroot  "$ACVSHOME"  /bin/cvs -b/bin -l -z5 --allow-root "$FAKECVSROOT" pserver
#-------------------

Doing a perl overcoat with finely controlled chroot()+chdir()
should be simple -- oh yes, some operating systems do (in error, IMO)
demand that the chroot(2) caller is root. In such systems perl
(and C) allow you to do chroot()+chdir() at first, and then
to do the gid/uid change.


> (one extra mirror won't hurt anyone, especially if it's on a different
> continent, right?)
> Eugene

-- 
/Matti Aarnio	<mea@nic.funet.fi>
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
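
The chroot()+chdir()-then-gid/uid ordering described in the message above, as an added C example; it is not the wrapper from the post or Andrew Tridgell's code. The `jail_and_drop` name, the error codes and the command-line layout are assumptions made for illustration.

```c
/* Added example: chroot first (needs root), then drop gid/uid for good. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical step codes so the caller can log which stage failed. */
enum jail_err { JAIL_OK = 0, JAIL_BADID, JAIL_CHROOT, JAIL_CHDIR,
                JAIL_GROUPS, JAIL_GID, JAIL_UID, JAIL_REGAIN };

/* Confine the process to `jail`, then irreversibly become uid/gid.
 * Order matters: chroot(2) is done while still root; supplementary
 * groups and gid must change before the uid, which goes last. */
enum jail_err jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)    return JAIL_BADID;  /* refuse to "drop" to root */
    if (chroot(jail) != 0)       return JAIL_CHROOT;
    if (chdir("/") != 0)         return JAIL_CHDIR;  /* cwd must not stay outside the jail */
    if (setgroups(0, NULL) != 0) return JAIL_GROUPS; /* clear root's supplementary groups */
    if (setgid(gid) != 0)        return JAIL_GID;
    if (setuid(uid) != 0)        return JAIL_UID;
    if (setuid(0) == 0)          return JAIL_REGAIN; /* root must not be recoverable */
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    /* usage: wrapper <jail-dir> <uid> <gid> <program-inside-jail> [args...] */
    if (argc < 5) {
        fprintf(stderr, "usage: %s jail uid gid prog [args...]\n", argv[0]);
        return 2;
    }
    /* atol() yields 0 for non-numeric input, which jail_and_drop rejects. */
    enum jail_err e = jail_and_drop(argv[1], (uid_t)atol(argv[2]),
                                    (gid_t)atol(argv[3]));
    if (e != JAIL_OK) {
        fprintf(stderr, "jail setup failed at step %d\n", (int)e);
        return 1;
    }
    execv(argv[4], &argv[4]);  /* path is resolved inside the jail */
    perror("execv");           /* only reached if exec failed */
    return 1;
}
```

The program to exec and everything it needs at run time must already exist inside the jail directory, since the path is looked up after chroot(2).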