Thor Lancelot Simon wrote:

>On Sat, Feb 26, 2005 at 05:07:02PM -0800, Jeff Rizzo wrote:
>  
>
>>I'm talking about the CVSREADONLYFS env variable that (for example) 
>>OpenBSD's cvs seems to support, and that I think I saw mention of in the 
>>cvs 1.12.X distribution, but does not appear to be in NetBSD's cvs 
>>1.11.17.  It's quite possible (even likely) that I'm just missing 
>>something, but I can't get things to work unless I set LockDir to a 
>>writeable directory in CVSROOT/config.
>>    
>>
>
>You're missing the "-u" flag to cvs server.
>  
>

Ah, nice.  Even nicer if it was in the documentation.  :)

>You may find the attached program useful.  It is a login shell for
>an unprivileged 'anoncvs' user, but should be setuid 'checkout'.
>The idea is that, inside your chroot, you run the sshd as an
>unprivileged user (you can use systrace to allow it to bind port
>22 on the appropriate IP address, or use ipf to translate port 22
>on the appropriate address to some high port that it can bind without
>using root privs at all), "anoncvs".  This means that
>your chroot should have spwd.db copied over pwd.db in /etc and
>so forth so that all the password stuff works for a non-root user;
>tnis way you have no process in the chroot running as root *at all*.
>
>  
>

Thanks, I was originally using a more recent version of anoncvssh from 
OpenBSD, but I think I prefer the changes you've made to it.  Now that 
I've gotten everything repartitioned and separated on disks as you 
recommended, the machine is _much_ happier under the testing load I've 
put on it.  (I still haven't tweaked vfs_bio, though)

If anyone else would like to test it out, it's now publically accessible 
- I'd appreciate any feedback on its performance or problems it may 
have.  (ssh only for the moment - pserver is giving me trouble and I'm 
not entirely comfortable with it) Set your CVSROOT to:

:ext:anoncvs@anoncvs.netbsd.tastylime.net:/cvsroot

Thanks for all the help and feedback.

+j