On Sat, Feb 26, 2005 at 05:07:02PM -0800, Jeff Rizzo wrote:
> 
> I'm talking about the CVSREADONLYFS env variable that (for example) 
> OpenBSD's cvs seems to support, and that I think I saw mention of in the 
> cvs 1.12.X distribution, but does not appear to be in NetBSD's cvs 
> 1.11.17.  It's quite possible (even likely) that I'm just missing 
> something, but I can't get things to work unless I set LockDir to a 
> writeable directory in CVSROOT/config.

You're missing the "-u" flag to cvs server.

You may find the attached program useful.  It is a login shell for
an unprivileged 'anoncvs' user, but should be setuid 'checkout'.
The idea is that, inside your chroot, you run the sshd as an
unprivileged user (you can use systrace to allow it to bind port
22 on the appropriate IP address, or use ipf to translate port 22
on the appropriate address to some high port that it can bind without
using root privs at all), "anoncvs".  This means that
your chroot should have spwd.db copied over pwd.db in /etc and
so forth so that all the password stuff works for a non-root user;
tnis way you have no process in the chroot running as root *at all*.

But that user has to be able to read the ssh private key for the sshd,
so you don't want *that* exposed to bugs in cvs itself.  Therefore,
you use a second unprivileged user "checkout", and use this login
shell to run cvs as that user.  It also will *only* run "cvs -u
server" no matter what the user tries to do, so no LockDir worries,
etc.

This is based on a very very old version of the OpenBSD 'anoncvssh.c'
code that had no copyright header at all.  I place my changes to the
code in the public domain.

You will also want to ensure that your inetd.conf line, assuming
you are doing pserver, puts -u on the cvs command line.

Thor