From owner-freebsd-cvsweb@FreeBSD.ORG Tue Dec 14 15:08:13 2004
Date: Tue, 14 Dec 2004 16:08:10 +0100
From: Kasparek Tomas
To: freebsd-cvsweb@freebsd.org
Message-ID: <20041214150809.GM93532@fit.vutbr.cz>
Content-Type: multipart/mixed; boundary="vtzGhvizbBRQ85DL"
Subject: Patch for non-anonymous CVS access

--vtzGhvizbBRQ85DL
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hello,

I include a patch with the changes I used to allow accessing a non-anonymous CVS repository. It runs the CGI script with suidperl as root and changes to the UID and GID of the authenticated user as soon as possible. This is enough to make it work; it then just adds the name of the user (via a really simple hack).

(The patch is against 3.0.4.)

Bye

--
Tomas Kasparek, PhD student     E-mail: kasparek@fit.vutbr.cz
CVT FIT VUT Brno, BI/140a       Web: http://www.fit.vutbr.cz/~kasparek
Bozetechova 2, 612 66           Fax: +420 54114-1270
Brno, Czech Republic            Phone: +420 54114-1220
ICQ: 293092805                  jabber:tomas.kasparek@jabber.cz
GPG: 2F1E 1AAF FD3B CFA3 1537 63BD DCBE 18FF A035 53BC

--vtzGhvizbBRQ85DL
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=cvsweb-patch

--- cvsweb.cgi 2004-11-06 09:47:21.000000000 +0100 +++ cvsweb 2004-12-14 15:58:46.812235616 +0100 @@ -1,4 +1,4 @@ -#!/usr/bin/perl -T +#!/usr/bin/suidperl -T -W # # cvsweb - a CGI interface to CVS trees. # @@ -88,7 +88,7 @@ $allow_tar @tar_options @gzip_options @zip_options @cvs_options @annotate_options @rcsdiff_options $HTML_DOCTYPE $HTML_META $cssurl $CSS $cvshistory_url - $allow_enscript @enscript_options %enscript_types + $allow_enscript @enscript_options %enscript_types $UID $USER ); use Cwd qw(abs_path cwd); 
@@ -208,6 +208,31 @@ # Get rid of unsafe environment vars. Don't do this in BEGIN... delete(@ENV{qw(PATH IFS CDPATH ENV BASH_ENV)}); +#------------------------------------------------- +#Added by Si + +# Get rid of EUID of root + +#is there something reasonable there? +if ($ENV{REMOTE_USER} =~ /^([a-zA-Z0-9]+)$/) { + $UID=getpwnam($1); # $data now untainted +} + +if (! defined $UID) { + #bad user - use Real UID instead + $UID = $<; + print "Unknown user $ENV{REMOTE_USER}, using ". getpwuid($UID) . "

\n"; +} + +#set it as EUID - never can get UID of 0 back! +$USER= getpwuid($UID); + +$) = `/usr/bin/id -G $USER = $UID; + +#End of modification by Si +#------------------------------------------------- + my ($mydir) = (dirname($0) =~ /(.*)/); # untaint # == EDIT this == @@ -4294,7 +4319,12 @@ $title $HTML_META$CSS -$l

$title

+$l

$title


+
+ +Logged in as user: $USER + +
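Review bot: the shebang change to `/usr/bin/suidperl -T -W` in the first hunk means every statement ahead of the privilege drop added at line 208 runs with an effective UID of root, including the `use` lines visible in the second hunk. Consider keeping the interpreter unprivileged and doing the identity switch in a small setuid wrapper or the web server's own per-user CGI mechanism, so that no Perl code executes as root at all.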
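Review bot: in the hunk at line 208 there is no check that the resolved UID is non-zero, so a REMOTE_USER of `root` passes `/^([a-zA-Z0-9]+)$/`, `getpwnam` returns 0, `defined $UID` is true, and the script carries on as root. Reject UID 0 (and preferably anything below a minimum UID) before switching. The comment says only the EUID is set, which leaves the real and saved IDs as they were; drop those too (for example with POSIX::setuid while still root), set the groups before the user ID, and re-read `$<` and `$>` afterwards to confirm the drop took effect. The fallback `print` also echoes `$ENV{REMOTE_USER}` unescaped into the response in exactly the case where it failed validation; send that message to the error log with `warn` instead.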
EOH } --vtzGhvizbBRQ85DL--

From owner-freebsd-cvsweb@FreeBSD.ORG Fri Dec 17 06:30:46 2004
Date: Fri, 17 Dec 2004 01:30:13 -0500 (EST)
From: Kris Kennaway
Message-Id: <200412170630.iBH6UDww025880@8ball.rtp.freebsd.org>
To: autrijus@autrijus.org, freebsd-cvsweb@FreeBSD.org, gerald@FreeBSD.org,
    kiri@FreeBSD.org, kiri@kiri.toba-cmt.ac.jp, knu@FreeBSD.org,
    lofi@FreeBSD.org, marcus@corp.grupos.com.br, markun@onohara.to,
    martin@tradex.sk, olgeni@FreeBSD.org, pat@FreeBSD.org, perky@FreeBSD.org,
    ports@FreeBSD.org, riggs@rrr.de, trevor@FreeBSD.org, vangyzen@stat.duke.edu
Subject: Ports with duplicate LATEST_LINKS

Dear port maintainers,

The following list includes ports maintained by you that have duplicate LATEST_LINK values. They should either be modified to use a unique LATEST_LINK or suppressed using NO_LATEST_LINK, to avoid overwriting each other in the packages/Latest directory. If your ports conflict with ports maintained by another person, please coordinate your efforts with them.

Thanks,
Kris "Annoying Reminder Guy II" Kennaway

LATEST_LINK        PORTNAME                    MAINTAINER
==========================================================================
cvsweb             devel/cvsweb                freebsd-cvsweb@FreeBSD.org
cvsweb             devel/cvsweb3               freebsd-cvsweb@FreeBSD.org
gcc40              lang/gcc40                  gerald@FreeBSD.org
gcc40              lang/gfortran               gerald@FreeBSD.org
gpgme              security/gpgme              lofi@FreeBSD.org
gpgme              security/gpgme03            markun@onohara.to
jags               net/jags                    pat@FreeBSD.org
jags               math/jags                   vangyzen@stat.duke.edu
jedit              editors/jedit               ports@FreeBSD.org
jedit              editors/jedit-devel         ports@FreeBSD.org
jgraph             graphics/jgraph             ports@FreeBSD.org
jgraph             java/jgraph                 ports@FreeBSD.org
linux-netscape7    german/netscape7            riggs@rrr.de
linux-netscape7    french/netscape7            trevor@FreeBSD.org
linux-netscape7    japanese/netscape7          trevor@FreeBSD.org
linux-netscape7    portuguese/netscape7        trevor@FreeBSD.org
linux-netscape7    www/netscape7               trevor@FreeBSD.org
mew-emacs20        mail/mew-emacs20            kiri@FreeBSD.org
mew-emacs20        mail/mew2-emacs20           kiri@FreeBSD.org
mew-emacs20        mail/mew3-emacs20           kiri@FreeBSD.org
mew-emacs21        mail/mew2                   kiri@FreeBSD.org
mew-emacs21        mail/mew3                   kiri@FreeBSD.org
mew-xemacs21-mule  mail/mew-xemacs21-mule      kiri@FreeBSD.org
mew-xemacs21-mule  mail/mew2-xemacs21-mule     kiri@FreeBSD.org
mew-xemacs21-mule  mail/mew3-xemacs21-mule     kiri@FreeBSD.org
pfe                lang/forth                  ports@FreeBSD.org
pfe                lang/pfe-devel              ports@FreeBSD.org
py-MySQLdb         databases/py-MySQLdb        marcus@corp.grupos.com.br
py-MySQLdb         databases/py-MySQLdb-devel  marcus@corp.grupos.com.br
python23           lang/python23               perky@FreeBSD.org
python23           lang/stackless_python       perky@FreeBSD.org
rt                 www/rt3                     autrijus@autrijus.org
rt                 www/rt32                    autrijus@autrijus.org
ruby-devel         lang/ruby18                 knu@FreeBSD.org
ruby-devel         lang/ruby18_r               knu@FreeBSD.org
ruby18-xmlscan     textproc/ruby-xmlscan       knu@FreeBSD.org
ruby18-xmlscan     textproc/ruby-xmlscan-old   knu@FreeBSD.org
star               archivers/star-devel        martin@tradex.sk
star               archivers/star              olgeni@FreeBSD.org
w3                 www/w3-4                    kiri@FreeBSD.org
w3                 www/w3                      kiri@kiri.toba-cmt.ac.jp

Total: 41 ports

From owner-freebsd-cvsweb@FreeBSD.ORG Fri Dec 17 18:08:18 2004
Date: Fri, 17 Dec 2004 10:08:03 -0800
To: freebsd-cvsweb@freebsd.org
From: "Joe McCarty"
Subject: CVSRepositories

I have installed RANCID and CVSWeb on a Fedora Core 2 box. RANCID is fully functional--it can log into my devices, get the configs, increment versions, and email diffs.

I have the following lines in cvsweb.conf pointing to my RANCID CVS repository:

    @CVSrepositories = (
    #       'local'   => ['Local Repository', '/var/cvs'],
    #       'freebsd' => ['FreeBSD', '/var/ncvs'],
    #       'openbsd' => ['OpenBSD', '/var/ncvs'],
    #       'netbsd'  => ['NetBSD', '/var/ncvs'],
    #       'ruby'    => ['Ruby', '/var/anoncvs/ruby'],
            'rancid' => ['Rancid', '/home/rancid/var/rancid/CVS'],
    );

    # The default CVS root. Note that @CVSrepositories is list, not a hash,
    # so you'll want to use 2 * 0-based-index-number here; or set this directly
    # to the default's symbolic name. Unless specified, the first valid one in
    # @CVSrepositories is used as the default.
    #
    # For example:
    #
    #$cvstreedefault = $CVSrepositories[2 * 0];
    $cvstreedefault = 'rancid';

Pointing my browser at http:/foo.org/cgi-bin/cvsweb.cgi, I draw an error message, "Error: No valid CVS roots found! See @CVSrepositories in the configuration file (/etc/cvsweb/cvsweb.conf)."

log/httpd/error_log states, "Root '/home/rancid/var/rancid/CVS' defined in @CVSrepositories is not a directory, entry ignored at /var/www/cgi-bin/cvsweb.cgi line 491."

The referenced line in cvsweb.cgi is in the following block:

    483  # CVS roots
    484  #
    485  my $rootfound = 0;
    486  for (my $i = 0; $i < scalar(@CVSrepositories); $i += 2) {
    487    my $key = $CVSrepositories[$i];
    488    my ($descr, $root) = @{$CVSrepositories[$i+1]};
    489    $root = canonpath($root);
    490    unless (-d $root) {
    491      warn("Root '$root' defined in \@CVSrepositories is not a directory, " .
    492           'entry ignored');
    493      next;
    494    }

/home/rancid/var/rancid/CVS is indeed a directory, and is the root of the RANCID CVS tree. An environmental variable "CVSROOT" is defined for root, pointing at this folder.

What is my error, and what is the fix?

Thanks!

From owner-freebsd-cvsweb@FreeBSD.ORG Fri Dec 17 21:22:24 2004
From: Ville Skyttä
To: freebsd-cvsweb@freebsd.org
Date: Fri, 17 Dec 2004 23:22:21 +0200
Message-Id: <1103318541.7746.63.camel@bobcat.mine.nu>
Subject: Re: CVSRepositories

On Fri, 2004-12-17 at 10:08 -0800, Joe McCarty wrote:

> I have installed RANCID and CVSWeb on a Fedora Core 2 box. RANCID is
> fully functional--it can log into my devices, get the configs, increment
> versions, and email diffs.

What's RANCID?

> Pointing my browser at http:/foo.org/cgi-bin/cvsweb.cgi, I draw an error
> message, "Error: No valid CVS roots found! See @CVSrepositories in the
> configuration file (/etc/cvsweb/cvsweb.conf)."
>
> log/httpd/error_log states, "Root '/home/rancid/var/rancid/CVS' defined in
> @CVSrepositories is not a directory, entry ignored at
> /var/www/cgi-bin/cvsweb.cgi line 491."
[...]
> /home/rancid/var/rancid/CVS is indeed a directory, and is the root of the
> RANCID CVS tree.

Do you happen to have SELinux enabled? If yes, additional clues might be found in /var/log/messages. At least in FC3, CGI scripts have heavy restrictions in what files they can access by default. cvsweb.cgi cannot even access /etc/cvsweb/cvsweb.conf unless explicitly permitted, let alone anything below /home/$something...

Is RANCID some kind of a CGI script too?

> An environmental variable "CVSROOT" is defined for root,
> pointing at this folder.

That should not affect the operation of CVSweb in any way.

> What is my error, and what is the fix?

Dunno yet. Check the SELinux part first.

From owner-freebsd-cvsweb@FreeBSD.ORG Sat Dec 18 08:52:06 2004
From: Ville Skyttä
To: Joe McCarty
cc: freebsd-cvsweb@freebsd.org
Date: Sat, 18 Dec 2004 10:52:04 +0200
Message-Id: <1103359924.9615.16.camel@bobcat.mine.nu>
Subject: Re: CVSRepositories

On Fri, 2004-12-17 at 14:14 -0800, Joe McCarty wrote:

> Hi, Ville.
>
> RANCID is the Really Awesome New Cisco confIg Differ, and is found at
> http://www.shrubbery.net/rancid/. I was referred to your project from
> RANCID's documentation.
>
> I had never heard of SELinux until I looked it up in response to your
> question. I'll check it out.

Then it might be that you don't have it enabled, it has to be explicitly done in FC2 whereas in FC3 it's the default.

> I think I would have gotten a different error message from an httpd.conf
> access control. The message I got seems to indicate that cvsweb.cgi is
> executing, since cvsweb.conf is being parsed.

So would I have thought until I first tried CVSweb on SELinux-enabled FC3. The error message was exactly the same, the OS prevents Perl from accessing that dir altogether, so it thinks the dir doesn't exist. Very confusing until one happens to peek into /var/log/messages.

> Permissions on CVSROOT are: drwxrwxr-x 5 rancid rancid 4096 Dec 16 14:04
> CVS
>
> Permissions on cvsweb.cgi are: -rwxr-xr-x 1 root root 125762 Nov 6
> 01:15 cvsweb.cgi.
>
> I presume user apache calls the CGI. The CVS folder is world readable,
> although most of the files under it are not.

Ok. Please keep the CVSweb mailing list Cc'd in these discussions. Others might be able to help too, or might be looking for a solution to the same problem.
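
Added example (not part of the original thread, and not CVSweb code): the "is not a directory" warning discussed above is all that a bare `-d $root` test can report, whether the path is missing or the process is simply not allowed to look at it. The sketch below walks the path one component at a time and returns the errno that actually stopped it. The function name `explain_root` is made up for this illustration; it is meant to be run as the account the CGI runs under.

```python
import errno
import os
import stat
import sys


def explain_root(path):
    """Mirror CVSweb's `-d $root` test, but say why it fails.

    Returns (ok, component, reason). For EACCES the blocking directory is
    the parent of `component`: it lacks search (x) permission for this
    user, or a MAC policy such as SELinux refused the lookup.
    """
    path = os.path.normpath(path)
    current = os.sep if path.startswith(os.sep) else ""
    for part in filter(None, path.split(os.sep)):
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except OSError as exc:
            # ENOENT: really missing. EACCES: we are not allowed to look.
            return (False, current, errno.errorcode.get(exc.errno, "UNKNOWN"))
        if not stat.S_ISDIR(st.st_mode):
            return (False, current, "ENOTDIR")
    # The directory is reachable; CVSweb also has to list and enter it.
    if not os.access(path, os.R_OK | os.X_OK):
        return (False, path, "EACCES")
    return (True, path, "OK")


if __name__ == "__main__":
    # Default is the repository path from the thread; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/rancid/var/rancid/CVS"
    ok, component, reason = explain_root(target)
    state = "usable" if ok else "NOT usable"
    print("uid=%d %s: %s at %s" % (os.geteuid(), state, reason, component))
```

A clean result from an interactive shell does not rule out SELinux, because the policy applies to the CGI's own domain; if the script reports OK while CVSweb still warns, look in /var/log/messages as suggested in the reply above.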