author: John Polstra <jdp@FreeBSD.org> 2000-01-28 06:42:37 +0000
committer: John Polstra <jdp@FreeBSD.org> 2000-01-28 06:42:37 +0000
commit: 3176ec22e7def779fe7742b5aca03ac6ddefc2ff
tree: d41497359a50ecac871e577c2f78727bab041b03
parent: Fix building of SML/NJ under 4-CURRENT after 1999/7/25.
This is a fairly substantial upgrade of the cvsup-mirror port. In
honor of the occasion I have bumped the version number to 1.1.

The port now depends upon the cvsup-bin and cvsupd-bin ports rather
than on the more trouble-prone cvsup port.

The CVSup server is run with "-C 100" (max. 100 clients at a time)
and the true limit is set in the "/usr/local/etc/cvsup/cvsupd.access"
file. This is nice because you can change the limit by editing
the file; you don't have to restart the server. The cvsupd.access
file also contains a rule to limit each individual host to one
connection at a time.

The CVSup client is now run under its own unprivileged user ID
instead of root. This is a security enhancement. It makes it
impossible for a compromised master site to install files into
places outside the mirror area of the filesystem. The permissions
of various other files such as /usr/local/etc/cvsup have also been
strengthened to enhance security.

Both client and server now cd to /var/tmp to run, so that if they
decide to croak they'll be able to write the core file. :-)

The /usr/local/etc/rc.d/cvsupd.sh script now honors the "start"
and "stop" arguments.

The configure script no longer attempts to tell you the sizes of
the various collections. That's impossible to maintain. When I
have time I plan to make a web page where one can obtain that
information from an automatically-updated source. Then I will
reference the URL in the configure script.

It is possible to upgrade an existing cvsup-mirror-1.0 installation
to this new version, but it is tricky because of the change in
ownership of the mirrored files. I will post instructions to the
freebsd-hubs mailing list after I make sure I have the procedure
just right.
Notes:
svn path=/head/; revision=25154
net/cvsup-mirror/Makefile | 6
net/cvsup-mirror/files/cvsupd.sh | 20
net/cvsup-mirror/files/update.sh | 20
net/cvsup-mirror/pkg-deinstall | 25
net/cvsup-mirror/pkg-install | 83
net/cvsup-mirror/pkg-plist | 1
net/cvsup-mirror/scripts/configure | 43
7 files changed, 127 insertions, 71 deletions
diff --git a/net/cvsup-mirror/Makefile b/net/cvsup-mirror/Makefile index 9c58c78dbeda..e897c121ae79 100644 --- a/net/cvsup-mirror/Makefile +++ b/net/cvsup-mirror/Makefile @@ -6,13 +6,14 @@ # $FreeBSD$ # -DISTNAME= cvsup-mirror-1.0 +DISTNAME= cvsup-mirror-1.1 CATEGORIES= net DISTFILES= MAINTAINER= jdp@FreeBSD.org -RUN_DEPENDS= ${PREFIX}/sbin/cvsupd:${PORTSDIR}/net/cvsup +RUN_DEPENDS= ${PREFIX}/bin/cvsup:${PORTSDIR}/net/cvsup-bin \ + ${PREFIX}/sbin/cvsupd:${PORTSDIR}/net/cvsupd-bin NO_WRKSUBDIR= true NO_CHECKSUM= true @@ -33,6 +34,7 @@ do-install: @test -d ${distrib} || ${MKDIR} ${distrib} @test -d ${rc} || ${MKDIR} ${rc} @${INSTALL_DATA} ${WRKSRC}/config.sh ${base} + @${INSTALL_DATA} ${WRKSRC}/cvsupd.access ${base} @${INSTALL_SCRIPT} ${FILESDIR}/update.sh ${base} @${INSTALL_DATA} ${FILESDIR}/supfile ${base} @${INSTALL_DATA} ${FILESDIR}/supfile.crypto ${base} diff --git a/net/cvsup-mirror/files/cvsupd.sh b/net/cvsup-mirror/files/cvsupd.sh index 3ff96814b4a1..9a78f9a66f66 100644 --- a/net/cvsup-mirror/files/cvsupd.sh +++ b/net/cvsup-mirror/files/cvsupd.sh @@ -5,14 +5,24 @@ if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/cvsupd\.sh\$"); then exit 1 fi base=${PREFIX}/etc/cvsup -out=/var/tmp/cvsupd.out +rundir=/var/tmp +out=${rundir}/cvsupd.out export PATH=/bin:/usr/bin:${PREFIX}/sbin umask 2 test -x ${PREFIX}/sbin/cvsupd || exit 1 echo -n " cvsupd" -cd ${base} || exit -. ./config.sh || exit -su -m ${user} -c \ - "cvsupd -e -C ${maxclients} -l @${facility} -s sup.client" >>${out} 2>&1 +cd ${rundir} || exit +. ${base}/config.sh || exit + +arg=${1:-start} +case $arg in +start) + su -m ${user} -c \ + "cvsupd -e -C 100 -l @${facility} -b ${base} -s sup.client" \ + >>${out} 2>&1;; + +stop) + killall cvsupd;; +esac diff --git a/net/cvsup-mirror/files/update.sh b/net/cvsup-mirror/files/update.sh index 905a3d758b2f..166a4812f10b 100644 --- a/net/cvsup-mirror/files/update.sh +++ b/net/cvsup-mirror/files/update.sh 
@@ -34,8 +34,9 @@ date "+CVSup update begins at %Y/%m/%d %H:%M:%S" lockf -t 0 ${lock} /bin/sh << 'E*O*F' base=${PREFIX}/etc/cvsup -cd ${base} || exit -. ./config.sh || exit +rundir=/var/tmp +cd ${rundir} || exit +. ${base}/config.sh || exit colldir=sup.client startup=${PREFIX}/etc/rc.d @@ -45,24 +46,27 @@ umask 2 ok=yes if [ ${host_crypto} = ${host} ]; then echo "Updating from ${host}" - cvsup ${options} -h ${host} supfile || ok=no + su -m ${cuser} -c \ + "cvsup ${options} -h ${host} ${base}/supfile" || ok=no else if [ -d prefixes/FreeBSD-crypto.cvs ]; then echo "Updating from ${host_crypto}" - cvsup ${options} -h ${host_crypto} supfile.crypto || ok=no + su -m ${cuser} -c \ + "cvsup ${options} -h ${host_crypto} ${base}/supfile.crypto" || ok=no fi echo "Updating from ${host}" - cvsup ${options} -h ${host} supfile.non-crypto || ok=no + su -m ${cuser} -c \ + "cvsup ${options} -h ${host} ${base}/supfile.non-crypto" || ok=no fi if [ ${ok} = yes ]; then - if [ -f .start_server ]; then + if [ -f ${base}/.start_server ]; then if [ -x ${startup}/cvsupd.sh ]; then echo -n "Starting the server:" - /bin/sh ${startup}/cvsupd.sh + /bin/sh ${startup}/cvsupd.sh start echo "." fi - rm -f .start_server + rm -f ${base}/.start_server fi fi diff --git a/net/cvsup-mirror/pkg-deinstall b/net/cvsup-mirror/pkg-deinstall index 44d0200eb9e1..7e79cc31460c 100644 --- a/net/cvsup-mirror/pkg-deinstall +++ b/net/cvsup-mirror/pkg-deinstall @@ -29,6 +29,21 @@ yesno() { done } +delete_account() { + local u g + + u=$1 + g=$2 + if yesno "Do you want me to remove group \"${g}\"" y; then + pw groupdel -n ${g} + echo "Done." + fi + if yesno "Do you want me to remove user \"${u}\"" y; then + pw userdel -n ${u} + echo "Done." + fi +} + if [ x$2 != xDEINSTALL ]; then exit fi 
@@ -80,11 +95,5 @@ if yesno "Do you want me to remove the cvsupd log entry from \ echo "Done." fi -if yesno "Do you want me to remove group \"${group}\"" y; then - pw groupdel -n ${group} - echo "Done." -fi -if yesno "Do you want me to remove user \"${user}\"" y; then - pw userdel -n ${user} - echo "Done." -fi +delete_account ${user} ${group} +delete_account ${cuser} ${cgroup} diff --git a/net/cvsup-mirror/pkg-install b/net/cvsup-mirror/pkg-install index fc96e3c0fb7c..84c018fd5d1d 100644 --- a/net/cvsup-mirror/pkg-install +++ b/net/cvsup-mirror/pkg-install @@ -60,9 +60,10 @@ EOF fi test -d ${path} || mkdir -p ${path} || exit ) || exit if ! expr "${chmods_done}" : ".* ${path} " >/dev/null 2>&1; then - echo -n " Making the ${path} tree world-readable ..." - ( chdir ${prefixes} || exit - chmod -R a+rX ${path} || exit ) || exit + echo -n " Fixing ownerships and modes in ${path} ..." + ( chdir ${prefixes} && \ + chown -R ${cuser}:${cgroup} ${path} && \ + chmod -R a+rX ${path} ) || exit echo " done." chmods_done="${chmods_done}${path} " fi 
@@ -71,6 +72,43 @@ EOF done } +make_account() { + local u g + + u=$1 + g=$2 + if pw group show "${g}" >/dev/null 2>&1; then + echo "You already have a group \"${g}\", so I will use it." + else + echo "You need a group \"${g}\"." + if which -s pw && yesno "Would you like me to create it" y; then + pw groupadd ${g} || exit + echo "Done." + else + echo "Please create it, and try again." + if ! grep -q "^${u}:" /etc/passwd; then + echo "While you're at it, please create a user \"${u}\" too," + echo "with a default group of \"${g}\"." + fi + exit 1 + fi + fi + + if pw user show "${u}" >/dev/null 2>&1; then + echo "You already have a user \"${u}\", so I will use it." + else + echo "You need a user \"${u}\"." + if which -s pw && yesno "Would you like me to create it" y; then + pw useradd ${u} -g ${g} -h - -d /nonexistent \ + -s /nonexistent -c "CVSup Daemon" || exit + echo "Done." + else + echo "Please create it, and try again." + exit 1 + fi + fi +} + case $2 in POST-INSTALL) 
@@ -94,40 +132,15 @@ EOF fi echo "" - if pw group show "${group}" 2>/dev/null; then - echo "You already have a group \"${group}\", so I will use it." - else - echo "You need a group \"${group}\"." - if which -s pw && yesno "Would you like me to create it" y; then - pw groupadd ${group} || exit - echo "Done." - else - echo "Please create it, and try again." - if ! grep -q "^${user}:" /etc/passwd; then - echo "While you're at it, please create a user \"${user}\" too," - echo "with a default group of \"${group}\"." - fi - exit 1 - fi - fi - - if pw user show "${user}" 2>/dev/null; then - echo "You already have a user \"${user}\", so I will use it." - else - echo "You need a user \"${user}\"." - if which -s pw && yesno "Would you like me to create it" y; then - pw useradd ${user} -g ${group} -h - -d /nonexistent \ - -s /nonexistent -c "CVSup Daemon" || exit - echo "Done." - else - echo "Please create it, and try again." - exit 1 - fi - fi + make_account ${user} ${group} + make_account ${cuser} ${cgroup} echo "Fixing ownerships and modes in \"${base}\"." - chown -R root.${group} ${base} - chmod -R g=u,o=u-w ${base} + chown -R root:wheel ${base} + test -d ${base}/sup || mkdir -p ${base}/sup + test -d ${base}/sup.client || mkdir -p ${base}/sup.client + chown -R ${cuser}:${cgroup} ${base}/sup ${base}/sup.client + chmod -R go=u-w ${base} echo "Setting up links and directories for distributions." test -d ${prefixes} || mkdir ${prefixes} || exit diff --git a/net/cvsup-mirror/pkg-plist b/net/cvsup-mirror/pkg-plist index d7f66c09b269..ebd0672c2845 100644 --- a/net/cvsup-mirror/pkg-plist +++ b/net/cvsup-mirror/pkg-plist @@ -1,4 +1,5 @@ etc/cvsup/config.sh +etc/cvsup/cvsupd.access etc/cvsup/sup.client/distrib/refuse.self etc/cvsup/supfile etc/cvsup/supfile.crypto diff --git a/net/cvsup-mirror/scripts/configure b/net/cvsup-mirror/scripts/configure index 40f858f8262c..2732d12bdf84 100644 --- a/net/cvsup-mirror/scripts/configure +++ b/net/cvsup-mirror/scripts/configure 
@@ -1,7 +1,8 @@ #! /bin/sh base=${PREFIX}/etc/cvsup -variables="user group host host_crypto interval maxclients facility distribs" +variables="user group cuser cgroup host host_crypto interval \ + maxclients facility distribs" ask() { local question default answer @@ -48,6 +49,11 @@ EOF fi while :; do dir=$(ask "Where would you like to put it" ${dflt}) + case ${dir} in + /*) ;; + *) echo "Please specify an absolute pathname." + continue;; + esac if [ "${subdir}" = "." ]; then break fi 
@@ -130,31 +136,34 @@ EOF distribs="distrib.self .. ." ask_distrib FreeBSD.cvs /home/ncvs . \ - "main source tree, except crypto code (350 MB)" + "main source tree, except crypto code" ask_distrib FreeBSD-crypto.cvs /home/ncvs . \ - "crypto code (7 MB)" + "crypto code" ask_distrib FreeBSD-www.current /usr/local/www . \ - "installed World Wide Web data (16 MB)" + "installed World Wide Web data" ask_distrib FreeBSD-gnats.current /home/gnats gnats \ - "GNATS bug tracking database (12 MB)" + "GNATS bug tracking database" ask_distrib FreeBSD-mail.current /home/mail . \ - "mailing list archive (150 MB)" + "mailing list archive" cat <<EOF Now, a few questions so that I can set up your CVSup server properly. -For security reasons, the CVSup server should run under its own -unique user and group IDs. These IDs should have no special access -privileges. Normally, the user "cvsup" and group "cvsup" are used, -but you can choose other names if you wish. At "make install" -time, I will create the user and group, if they don't already exist. +For security reasons, both the CVSup client and server should run +under their own unique user and group IDs. These IDs should have no +special access privileges. Normally, the user:group "cvsupin:cvsupin" +is used for the client and "cvsup:cvsup" is used for the server, but +you can choose other names if you wish. At "make install" time, I +will create the users and groups, if they don't already exist. -For security reasons, you must use unique user and group IDs for -this. Do NOT use "nobody", "nonroot", or "nogroup". +Use unique user and group IDs for these. Do not use "nobody", +"nonroot", or "nogroup". EOF +cuser=$(ask "Unique unprivileged user ID for running the client" cvsupin) +cgroup=$(ask "Unique unprivileged group ID for running the client" cvsupin) user=$(ask "Unique unprivileged user ID for running the server" cvsup) group=$(ask "Unique unprivileged group ID for running the server" cvsup) 
@@ -200,3 +209,11 @@ for var in ${variables}; do eval echo ${var}=\\\"\${${var}}\\\" done > ${WRKSRC}/config.sh echo "Done." + +echo -n "Building the \"cvsupd.access\" file ... " +cat <<EOF > ${WRKSRC}/cvsupd.access +-0.0.0.0/0 ${maxclients} # Limit total connections +-0.0.0.0/0/32 1 # Allow only 1 connection from each host ++0.0.0.0/0 # If we reach this rule, we let the client in +EOF +echo "Done." |
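Review bot: in the Makefile hunk, `cvsupd.access` is installed unconditionally with `${INSTALL_DATA}` and listed in pkg-plist, so every reinstall or upgrade of the port overwrites the administrator's copy, yet the commit message presents editing that file as the way to tune the connection limit without restarting the server. Suggest installing it as a sample (e.g. `cvsupd.access.sample`) and copying it into place from pkg-install only when no file exists, or at least noting the overwrite in the port's messages.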
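Review bot: in the files/cvsupd.sh hunk, the root shell now runs from `rundir=/var/tmp` and appends the daemon's output to `${rundir}/cvsupd.out` in that world-writable directory (with `umask 2`, the file is created group-writable), so whatever already exists under that name there decides where root's writes land, and the same directory is the daemon's working directory for core files. The log path predates this change, but the hunk keeps it; suggest a directory owned by root or `${user}` (under /var/log or a dedicated run directory) for both the log and `rundir`. Two smaller points in the same hunk: the `stop)` arm's `killall cvsupd` signals every process of that name as root, not just the one started here, so `killall -u ${user} cvsupd` or a pid file would be narrower; and an unrecognized argument falls out of the `case` silently, where a `*) echo "usage: $0 {start|stop}"; exit 1;;` arm would help.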
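Review bot: in the second files/update.sh hunk, the unchanged context line `if [ -d prefixes/FreeBSD-crypto.cvs ]; then` tests a relative path, but the first hunk changed the script's working directory from `${base}` to `${rundir}` (/var/tmp), so this test now looks for /var/tmp/prefixes/FreeBSD-crypto.cvs and the crypto collection will silently be skipped. The other relocated paths in the hunk (`${base}/supfile`, `${base}/.start_server`) were made absolute; this one should be too, e.g. `if [ -d ${base}/prefixes/FreeBSD-crypto.cvs ]; then`, assuming `prefixes` lives under `${base}` as those do.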
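Review bot: in the second pkg-deinstall hunk, `delete_account ${cuser} ${cgroup}` runs right after `delete_account ${user} ${group}` with no check that the two accounts differ; nothing in scripts/configure prevents an administrator from answering the same name for both, in which case the second call prompts again and `pw groupdel`/`pw userdel` fail on names already removed. Suggest `[ "${cuser}" = "${user}" ] || delete_account ${cuser} ${cgroup}` (and the same for the group), or rejecting identical names in configure.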
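Review bot: in the first pkg-install hunk, `chown -R ${cuser}:${cgroup} ${path}` recursively reassigns ownership of whatever directory the administrator named for a collection (the defaults in configure are trees such as /home/ncvs and /home/mail), which may be shared with other services on the host. Since this is a one-way change that the `chmods_done` guard only runs once per path, suggest a confirmation prompt before the chown, or at least stating in the installation messages that the mirror trees will be handed to `${cuser}`.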
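Review bot: in the `make_account` hunk, `pw useradd ... -c "CVSup Daemon"` is now reached for both calls, so the client account (`cvsupin` by default) is created with a description that says it is the daemon. Suggest a third parameter for the GECOS text, e.g. `make_account ${cuser} ${cgroup} "CVSup Client"`. The `-h -`, `-d /nonexistent` and `-s /nonexistent` settings are the right shape for both accounts.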
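Review bot: in the third pkg-install hunk, `test -d ${base}/sup || mkdir -p ${base}/sup` and the `sup.client` line have no `|| exit`, unlike every other `mkdir` in this file (e.g. `test -d ${prefixes} || mkdir ${prefixes} || exit`), so a failed mkdir is followed by `chown -R ${cuser}:${cgroup}` on a missing directory and the install continues. Suggest appending `|| exit` to both lines.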
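Review bot: in the scripts/configure hunk that adds the `cuser`/`cgroup` questions, the prompt text asks for unique IDs and warns against "nobody", "nonroot" and "nogroup", but nothing validates the answers: the same name can be given for client and server, or "nobody" can be entered, and the separation the commit message describes is then lost silently. Suggest looping on the `ask` until `${cuser}` differs from `${user}` (and `${cgroup}` from `${group}`) and none of the answers is one of the listed shared accounts.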
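Review bot: in the last scripts/configure hunk, `${maxclients}` is written into cvsupd.access without being checked against the `-C 100` hard-coded in files/cvsupd.sh, so a maxclients value above 100 is accepted here but never takes effect. Suggest warning or clamping in configure when `${maxclients}` exceeds 100, or deriving the `-C` value in cvsupd.sh from a configured ceiling rather than a literal.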