[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: CVS w/ ssh - chroot
RE: CVS w/ ssh - chroot
Fri, 14 Jan 2005 13:56:18 -0800
> However, instead of using a rssh or a smrsh type of shell, I am
> do a classic chroot.
Why would one not use smrsh? I know a number of places that use smrsh
for securing cvs, so I'm interested to know if there are any advantages
to rolling your own solution. Google didn't show anything obvious, this
may be rather off-topic.
> -----Original Message-----
> From: address@hidden
> On Behalf Of Mark D. Baushke
> Sent: Friday, January 14, 2005 11:14 AM
> To: Grand Poohbah
> Cc: address@hidden
> Subject: Re: CVS w/ ssh - chroot
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Grand Poohbah <address@hidden> writes:
> > I am setting up a FreeBSD 5.x machine with cvs 1.11.17.
> > My goal is to have a "guest" style read-only access to a
> cvs repository
> > under a strict chroot environment. I have setup my
> repository with file
> > permissions similar to those found in the how-to
> > http://www.idealx.org/doc/chrooted-ssh-cvs-server.en.html
> However, instead
> > of using a rssh or a smrsh type of shell, I am attempting
> to do a classic
> > chroot.
> > The cvs user logs into the server with ssh and get dropped
> into a chroot
> > directory. I have place what I believe to be all the
> necessary files (cvs
> > binary, permission/group files and repository files) for
> cvs to work inside
> > this chroot environment and it *seems* to be working as
> intended as a chroot
> > environment. However, when my remote system attempts a
> "cvs update -Ad" (or
> > diff or other client command) I get the following errors.
> > Root: not found
> > Valid-responses: not found
> > valid-requests: not found
> > Then the process just hangs until a ^C
> > Question: is there a debug or verbose mode I can use to get
> more output? I
> > have the mirrored repository file structure and permissions set up
> > correctly, my only binaries I have are the following
> > /bin/sh
> > /bin/chroot.sh
> > /bin/ls
> > /dev/null
> > /usr/bin/rsync
> > /usr/bin/cvs
> You will likely also need some libraries. A stock version of FreeBSD
> comes with a patched version of cvs 1.11.5-FreeBSD and needs
> a number of
> % uname -a
> FreeBSD test52 5.2-RELEASE FreeBSD 5.2-RELEASE #0: Sun Jan 11
> 04:21:45 GMT 2004
> address@hidden:/usr/obj/usr/src/sys/GENERIC i386
> % /usr/bin/cvs -v
> Concurrent Versions System (CVS) 1.11.5-FreeBSD (client/server)
> Copyright (c) 1989-2002 Brian Berliner, david d `zoo' zuhn,
> Jeff Polk, and other authors
> CVS may be copied only under the terms of the GNU General
> Public License,
> a copy of which can be found with the CVS distribution kit.
> Specify the --help option for further information about CVS
> % ldd /usr/bin/cvs
> libgnuregex.so.2 => /usr/lib/libgnuregex.so.2 (0x280f3000)
> libmd.so.2 => /lib/libmd.so.2 (0x280fb000)
> libcrypt.so.2 => /lib/libcrypt.so.2 (0x28105000)
> libz.so.2 => /lib/libz.so.2 (0x2811e000)
> libgssapi.so.7 => /usr/lib/libgssapi.so.7 (0x2812c000)
> libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x2813a000)
> libasn1.so.7 => /usr/lib/libasn1.so.7 (0x28177000)
> libcrypto.so.3 => /lib/libcrypto.so.3 (0x2819d000)
> libroken.so.7 => /usr/lib/libroken.so.7 (0x282ab000)
> libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x282ba000)
> libc.so.5 => /lib/libc.so.5 (0x282bc000)
> Your cvs might be more static, but you should look closely to be sure.
> > Does cvs server need more binaries to work properly? Is
> there a way I can
> > run "cvs server" by hand from the chroot environment to
> simulate what my
> > client should be doing?
> Look at what 'cvs -t' does (for cvs 1.12.x you may use up to
> three '-t'
> options at once).
> Look at what the environment variable CVS_CLIENT_LOG provides (when
> given a prefix pathname it will create a .in and a .out that contains
> the conversation that occurs across the client/server connection).
> Read the doc/cvsclient.text file (or one of the generated
> output formats
> of it) to better understand the client/server protocol being used.
> At a guess, your cvs is not properly getting the 'server'
> argument right
> now somehow.
> If the client is using
> cvs -t :ext:host.dom.ain/path/to/repository
> then you should end up seing something like this output
> $CVS_RSH host.dom.ain $CVS_SERVER server
> where the values of $CVS_RSH may be replaced with 'ssh' or 'rsh'
> and $CVS_SERVER is probably replaced with 'cvs'
> Good luck,
> -- Mark
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (FreeBSD)
> -----END PGP SIGNATURE-----
> Info-cvs mailing list