Anoncvs
This guide assumes you have already created a new CVS root and imported repositories. Committers will use the real CVS repo for reading and writing, whereas in this guide, we create an anoncvs mirror for guest read-only access.
$ mkdir ~/anoncvs
$ cd ~/anoncvs
$ ftp https://www.openbsd.org/anoncvs.shar
$ sh anoncvs.shar
Edit the first line of ~/Makefile:
CVSROOT=anoncvs@anoncvs.example.com:/cvs
Replace anoncvs.example.com with your domain. Leave /cvs as-is: CVS runs inside a chroot jail, so the path is relative to the jail root.
$ make
$ doas useradd -m -d /open/anoncvs -s /open/anoncvssh anoncvs
$ doas cp anoncvssh /open/anoncvssh
$ doas chmod 4111 /open/anoncvssh
You will need to set anoncvs so it has no password. Run doas vipw and edit the line so it looks like this (the uid and gid, 1001 here, may be different on your system):
anoncvs::1001:1001::0:0::/open/anoncvs:/open/anoncvssh
Add this to the bottom of /etc/ssh/sshd_config:
Match User anoncvs
        PermitEmptyPasswords yes
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        PermitTTY no
Then restart sshd:
$ doas rcctl restart sshd
Run as root to create the chroot jail:
export CVSYNCUSER=$USER
mkdir /open/anoncvs/cvs
chown -R $CVSYNCUSER:commit /open/anoncvs/cvs
chmod -R g+w /open/anoncvs/cvs
The person maintaining the CVS archive is $CVSYNCUSER. Replace $USER with the maintainer's username.
The commands below are needed for OpenBSD 6.9 stable:
touch /open/anoncvs/.hushlogin
touch /open/anoncvs/.profile
mkdir /open/anoncvs/{bin,dev,tmp,usr,var,etc}
cp /bin/{cat,pwd,rm,sh} /open/anoncvs/bin/
mknod -m 666 /open/anoncvs/dev/null c 2 2
mknod -m 666 /open/anoncvs/dev/zero c 2 12
cp /etc/{hosts,protocols,resolv.conf,services,ttys} /open/anoncvs/etc/
chmod 444 /open/anoncvs/etc/{hosts,protocols,resolv.conf,services,ttys}
# Relative target so the link also resolves inside the chroot
ln -s ../tmp /open/anoncvs/var/tmp
chmod a+rwx /open/anoncvs/tmp
mkdir /open/anoncvs/usr/{bin,lib}
cp /usr/bin/cvs /open/anoncvs/usr/bin/
mkdir /open/anoncvs/usr/libexec
cp /usr/libexec/ld.so /open/anoncvs/usr/libexec/
cp /usr/lib/libz.so.5.0 /open/anoncvs/usr/lib/
cp /usr/lib/libc.so.96.0 /open/anoncvs/usr/lib/
chown -R root:wheel /open/anoncvs
Syncing repos
Next, sync the repos from the committers' CVSROOT to the anoncvs CVSROOT. Run this command while logged in as the CVS maintainer:
$ openrsync -a --delete --rsync-path=openrsync /CVS/ /open/anoncvs/cvs/
We will set up a cronjob so the repos are synced daily:
$ crontab -e
@daily -s /usr/bin/openrsync -a --delete --rsync-path=/usr/bin/openrsync /CVS/ /open/anoncvs/cvs/
Results
The /open/anoncvs/cvs/ directory should look like this:
# ls -lha /open/anoncvs/cvs
total 28
drwxr-xr-x   7 root  wheel   512B Oct  9 06:19 .
drwxr-xr-x  10 root  wheel   512B Oct  9 06:10 ..
drwxrwxr-x   3 jrmu  commit  1.0K Apr 29 06:48 CVSROOT
drwxrwxr-x   9 jrmu  commit  512B May  8 11:42 acopm
drwxrwxr-x   2 jrmu  commit  1.0K Aug 26 04:17 botnow
drwxrwxr-x   8 jrmu  commit  512B May 27 16:57 brogue-ce
drwxrwxr-x   6 jrmu  commit  512B May  7 06:46 ircnowd
Publish SSH fingerprints
Make sure to publish your SSH fingerprints so users can be certain that the source code was transported securely.
Test anoncvs
You'll want to test anoncvs to make sure it's working.
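One check to run alongside a test checkout, as an added example that is not part of the original guide: it audits the effective settings sshd reports for the passwordless anoncvs account and confirms that empty passwords stay confined to the Match block. It assumes the dumps come from sshd -T -C user=... run as root; the function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit what sshd will actually apply to the anoncvs account.
# Assumed inputs, produced on the server as root:
#   sshd -T -C user=anoncvs > anoncvs.dump
#   sshd -T -C user=root    > other.dump    (any ordinary account)

# Print the value a dump reports for one keyword ("unset" if absent).
sshd_value() {
    awk -v k="$2" '$1 == k { print $2; hit = 1; exit }
                   END { if (!hit) print "unset" }' "$1"
}

# audit_anoncvs ANONCVS_DUMP OTHER_DUMP
# Prints one line per finding; returns 0 only when every check passes.
audit_anoncvs() {
    rc=0
    # Settings from the guide's "Match User anoncvs" block.
    for want in permitemptypasswords=yes allowtcpforwarding=no \
                allowagentforwarding=no x11forwarding=no permittty=no; do
        key=${want%%=*}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL anoncvs: $key is $got, expected ${want#*=}"
            rc=1
        fi
    done
    # Empty passwords must not leak outside the Match block.
    got=$(sshd_value "$2" permitemptypasswords)
    if [ "$got" != no ]; then
        echo "FAIL other users: permitemptypasswords is $got, expected no"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: restrictions apply to anoncvs only"; fi
    return "$rc"
}

# Constructed sample dumps (not real server output): "good" is anoncvs with
# the Match block applied, "plain" is an account that only gets the defaults.
tmp=$(mktemp -d)
printf '%s\n' 'permitemptypasswords yes' 'allowtcpforwarding no' \
    'allowagentforwarding no' 'x11forwarding no' 'permittty no' > "$tmp/good"
printf '%s\n' 'permitemptypasswords no' 'allowtcpforwarding yes' \
    'allowagentforwarding yes' 'x11forwarding no' 'permittty yes' > "$tmp/plain"
audit_anoncvs "$tmp/good" "$tmp/plain"
```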
Recommended Reading:
https://www.openbsd.org/anoncvs.html
https://www.openbsd.org/anoncvs.shar