This is a fairly substantial upgrade of the cvsup-mirror port. In

honor of the occasion I have bumped the version number to 1.1.

The port now depends upon the cvsup-bin and cvsupd-bin ports rather
than on the more trouble-prone cvsup port.

The CVSup server is run with "-C 100" (max. 100 clients at a time)
and the true limit is set in the "/usr/local/etc/cvsup/cvsupd.access"
file.  This is nice because you can change the limit by editing
the file; you don't have to restart the server.  The cvsupd.access
file also contains a rule to limit each individual host to one
connection at a time.

The CVSup client is now run under its own unprivileged user ID
instead of root.  This is a security enhancement.  It makes it
impossible for a compromised master site to install files into
places outside the mirror area of the filesystem.  The permissions
of various other files such as /usr/local/etc/cvsup have also been
strengthened to enhance security.

Both client and server now cd to /var/tmp to run, so that if they
decide to croak they'll be able to write the core file. :-)

The /usr/local/etc/rc.d/cvsupd.sh script now honors the "start"
and "stop" arguments.

The configure script no longer attempts to tell you the sizes of
the various collections.  That's impossible to maintain.  When I
have time I plan to make a web page where one can obtain that
information from an automatically-updated source.  Then I will
reference the URL in the configure script.

It is possible to upgrade an existing cvsup-mirror-1.0 installation
to this new version, but it is tricky because of the change in
ownership of the mirrored files.  I will post instructions to the
freebsd-hubs mailing list after I make sure I have the procedure
just right.

net/cvsup-mirror/Makefile

@@ -6,13 +6,14 @@
 # $FreeBSD$
 #
 
-DISTNAME=	cvsup-mirror-1.0
+DISTNAME=	cvsup-mirror-1.1
 CATEGORIES=	net
 DISTFILES=
 
 MAINTAINER=	jdp@FreeBSD.org
 
-RUN_DEPENDS=	${PREFIX}/sbin/cvsupd:${PORTSDIR}/net/cvsup
+RUN_DEPENDS=	${PREFIX}/bin/cvsup:${PORTSDIR}/net/cvsup-bin \
+		${PREFIX}/sbin/cvsupd:${PORTSDIR}/net/cvsupd-bin
 
 NO_WRKSUBDIR=	true
 NO_CHECKSUM=	true
@@ -33,6 +34,7 @@ do-install:
 	@test -d ${distrib} || ${MKDIR} ${distrib}
 	@test -d ${rc} || ${MKDIR} ${rc}
 	@${INSTALL_DATA} ${WRKSRC}/config.sh ${base}
+	@${INSTALL_DATA} ${WRKSRC}/cvsupd.access ${base}
 	@${INSTALL_SCRIPT} ${FILESDIR}/update.sh ${base}
 	@${INSTALL_DATA} ${FILESDIR}/supfile ${base}
 	@${INSTALL_DATA} ${FILESDIR}/supfile.crypto ${base}

net/cvsup-mirror/files/cvsupd.sh

@@ -5,14 +5,24 @@ if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/cvsupd\.sh\$"); then
     exit 1
 fi
 base=${PREFIX}/etc/cvsup
-out=/var/tmp/cvsupd.out
+rundir=/var/tmp
+out=${rundir}/cvsupd.out
 
 export PATH=/bin:/usr/bin:${PREFIX}/sbin
 umask 2
 
 test -x ${PREFIX}/sbin/cvsupd || exit 1
 echo -n " cvsupd"
-cd ${base} || exit
-. ./config.sh || exit
-su -m ${user} -c \
-    "cvsupd -e -C ${maxclients} -l @${facility} -s sup.client" >>${out} 2>&1
+cd ${rundir} || exit
+. ${base}/config.sh || exit
+
+arg=${1:-start}
+case $arg in
+start)
+    su -m ${user} -c \
+	"cvsupd -e -C 100 -l @${facility} -b ${base} -s sup.client" \
+	>>${out} 2>&1;;
+
+stop)
+    killall cvsupd;;
+esac

net/cvsup-mirror/files/update.sh

@@ -34,8 +34,9 @@ date "+CVSup update begins at %Y/%m/%d %H:%M:%S"
 lockf -t 0 ${lock} /bin/sh << 'E*O*F'
 
 base=${PREFIX}/etc/cvsup
-cd ${base} || exit
-. ./config.sh || exit
+rundir=/var/tmp
+cd ${rundir} || exit
+. ${base}/config.sh || exit
 
 colldir=sup.client
 startup=${PREFIX}/etc/rc.d
@@ -45,24 +46,27 @@ umask 2
 ok=yes
 if [ ${host_crypto} = ${host} ]; then
     echo "Updating from ${host}"
-    cvsup ${options} -h ${host} supfile || ok=no
+    su -m ${cuser} -c \
+	"cvsup ${options} -h ${host} ${base}/supfile" || ok=no
 else
     if [ -d prefixes/FreeBSD-crypto.cvs ]; then
 	echo "Updating from ${host_crypto}"
-	cvsup ${options} -h ${host_crypto} supfile.crypto || ok=no
+	su -m ${cuser} -c \
+	    "cvsup ${options} -h ${host_crypto} ${base}/supfile.crypto" || ok=no
     fi
     echo "Updating from ${host}"
-    cvsup ${options} -h ${host} supfile.non-crypto || ok=no
+    su -m ${cuser} -c \
+	"cvsup ${options} -h ${host} ${base}/supfile.non-crypto" || ok=no
 fi
 
 if [ ${ok} = yes ]; then
-    if [ -f .start_server ]; then
+    if [ -f ${base}/.start_server ]; then
 	if [ -x ${startup}/cvsupd.sh ]; then
 	    echo -n "Starting the server:"
-	    /bin/sh ${startup}/cvsupd.sh
+	    /bin/sh ${startup}/cvsupd.sh start
 	    echo "."
 	fi
-	rm -f .start_server
+	rm -f ${base}/.start_server
     fi
 fi
 

net/cvsup-mirror/pkg-deinstall

@@ -29,6 +29,21 @@ yesno() {
     done
 }
 
+delete_account() {
+    local u g
+
+    u=$1
+    g=$2
+    if yesno "Do you want me to remove group \"${g}\"" y; then
+	pw groupdel -n ${g}
+	echo "Done."
+    fi
+    if yesno "Do you want me to remove user \"${u}\"" y; then
+	pw userdel -n ${u}
+	echo "Done."
+    fi
+}
+
 if [ x$2 != xDEINSTALL ]; then
     exit
 fi
@@ -80,11 +95,5 @@ if yesno "Do you want me to remove the cvsupd log entry from \
     echo "Done."
 fi
 
-if yesno "Do you want me to remove group \"${group}\"" y; then
-    pw groupdel -n ${group}
-    echo "Done."
-fi
-if yesno "Do you want me to remove user \"${user}\"" y; then
-    pw userdel -n ${user}
-    echo "Done."
-fi
+delete_account ${user} ${group}
+delete_account ${cuser} ${cgroup}

net/cvsup-mirror/pkg-install

@@ -60,9 +60,10 @@ EOF
 	      fi
 	      test -d ${path} || mkdir -p ${path} || exit ) || exit
 	    if ! expr "${chmods_done}" : ".* ${path} " >/dev/null 2>&1; then
-		echo -n "  Making the ${path} tree world-readable ..."
-		( chdir ${prefixes} || exit
-		  chmod -R a+rX ${path} || exit ) || exit
+		echo -n "  Fixing ownerships and modes in ${path} ..."
+		( chdir ${prefixes} && \
+		  chown -R ${cuser}:${cgroup} ${path} && \
+		  chmod -R a+rX ${path} ) || exit
 		echo " done."
 		chmods_done="${chmods_done}${path} "
 	    fi
@@ -71,6 +72,43 @@ EOF
     done
 }
 
+make_account() {
+    local u g
+
+    u=$1
+    g=$2
+    if pw group show "${g}" >/dev/null 2>&1; then
+	echo "You already have a group \"${g}\", so I will use it."
+    else
+	echo "You need a group \"${g}\"."
+	if which -s pw && yesno "Would you like me to create it" y; then
+	    pw groupadd ${g} || exit
+	    echo "Done."
+	else
+	    echo "Please create it, and try again."
+	    if ! grep -q "^${u}:" /etc/passwd; then
+		echo "While you're at it, please create a user \"${u}\" too,"
+		echo "with a default group of \"${g}\"."
+	    fi
+	    exit 1
+	fi
+    fi
+    
+    if pw user show "${u}" >/dev/null 2>&1; then
+	echo "You already have a user \"${u}\", so I will use it."
+    else
+	echo "You need a user \"${u}\"."
+	if which -s pw && yesno "Would you like me to create it" y; then
+	    pw useradd ${u} -g ${g} -h - -d /nonexistent \
+		-s /nonexistent -c "CVSup Daemon" || exit
+	    echo "Done."
+	else
+	    echo "Please create it, and try again."
+	    exit 1
+	fi
+    fi
+}
+
 case $2 in
 
 POST-INSTALL)
@@ -94,40 +132,15 @@ EOF
     fi
 
     echo ""
-    if pw group show "${group}" 2>/dev/null; then
-	echo "You already have a group \"${group}\", so I will use it."
-    else
-	echo "You need a group \"${group}\"."
-	if which -s pw && yesno "Would you like me to create it" y; then
-	    pw groupadd ${group} || exit
-	    echo "Done."
-	else
-	    echo "Please create it, and try again."
-	    if ! grep -q "^${user}:" /etc/passwd; then
-		echo "While you're at it, please create a user \"${user}\" too,"
-		echo "with a default group of \"${group}\"."
-	    fi
-	    exit 1
-	fi
-    fi
-    
-    if pw user show "${user}" 2>/dev/null; then
-	echo "You already have a user \"${user}\", so I will use it."
-    else
-	echo "You need a user \"${user}\"."
-	if which -s pw && yesno "Would you like me to create it" y; then
-	    pw useradd ${user} -g ${group} -h - -d /nonexistent \
-		-s /nonexistent -c "CVSup Daemon" || exit
-	    echo "Done."
-	else
-	    echo "Please create it, and try again."
-	    exit 1
-	fi
-    fi
+    make_account ${user} ${group}
+    make_account ${cuser} ${cgroup}
 
     echo "Fixing ownerships and modes in \"${base}\"."
-    chown -R root.${group} ${base}
-    chmod -R g=u,o=u-w ${base}
+    chown -R root:wheel ${base}
+    test -d ${base}/sup || mkdir -p ${base}/sup
+    test -d ${base}/sup.client || mkdir -p ${base}/sup.client
+    chown -R ${cuser}:${cgroup} ${base}/sup ${base}/sup.client
+    chmod -R go=u-w ${base}
 
     echo "Setting up links and directories for distributions."
     test -d ${prefixes} || mkdir ${prefixes} || exit

net/cvsup-mirror/pkg-plist

@@ -1,4 +1,5 @@
 etc/cvsup/config.sh
+etc/cvsup/cvsupd.access
 etc/cvsup/sup.client/distrib/refuse.self
 etc/cvsup/supfile
 etc/cvsup/supfile.crypto

net/cvsup-mirror/scripts/configure

@@ -1,7 +1,8 @@
 #! /bin/sh
 
 base=${PREFIX}/etc/cvsup
-variables="user group host host_crypto interval maxclients facility distribs"
+variables="user group cuser cgroup host host_crypto interval \
+    maxclients facility distribs"
 
 ask() {
     local question default answer
@@ -48,6 +49,11 @@ EOF
 	fi
 	while :; do
 	    dir=$(ask "Where would you like to put it" ${dflt})
+	    case ${dir} in
+	    /*)	;;
+	    *)	echo "Please specify an absolute pathname."
+		continue;;
+	    esac
 	    if [ "${subdir}" = "." ]; then
 		break
 	    fi
@@ -130,31 +136,34 @@ EOF
 
 distribs="distrib.self .. ."
 ask_distrib FreeBSD.cvs /home/ncvs . \
-    "main source tree, except crypto code (350 MB)"
+    "main source tree, except crypto code"
 ask_distrib FreeBSD-crypto.cvs /home/ncvs . \
-    "crypto code (7 MB)"
+    "crypto code"
 ask_distrib FreeBSD-www.current /usr/local/www . \
-    "installed World Wide Web data (16 MB)"
+    "installed World Wide Web data"
 ask_distrib FreeBSD-gnats.current /home/gnats gnats \
-    "GNATS bug tracking database (12 MB)"
+    "GNATS bug tracking database"
 ask_distrib FreeBSD-mail.current /home/mail . \
-    "mailing list archive (150 MB)"
+    "mailing list archive"
 
 cat <<EOF
 
 Now, a few questions so that I can set up your CVSup server properly.
 
-For security reasons, the CVSup server should run under its own
-unique user and group IDs.  These IDs should have no special access
-privileges.  Normally, the user "cvsup" and group "cvsup" are used,
-but you can choose other names if you wish.  At "make install"
-time, I will create the user and group, if they don't already exist.
+For security reasons, both the CVSup client and server should run
+under their own unique user and group IDs.  These IDs should have no
+special access privileges.  Normally, the user:group "cvsupin:cvsupin"
+is used for the client and "cvsup:cvsup" is used for the server, but
+you can choose other names if you wish.  At "make install" time, I
+will create the users and groups, if they don't already exist.
 
-For security reasons, you must use unique user and group IDs for
-this.  Do NOT use "nobody", "nonroot", or "nogroup".
+Use unique user and group IDs for these.  Do not use "nobody",
+"nonroot", or "nogroup".
 
 EOF
 
+cuser=$(ask "Unique unprivileged user ID for running the client" cvsupin)
+cgroup=$(ask "Unique unprivileged group ID for running the client" cvsupin)
 user=$(ask "Unique unprivileged user ID for running the server" cvsup)
 group=$(ask "Unique unprivileged group ID for running the server" cvsup)
 
@@ -200,3 +209,11 @@ for var in ${variables}; do
     eval echo ${var}=\\\"\${${var}}\\\"
 done > ${WRKSRC}/config.sh
 echo "Done."
+
+echo -n "Building the \"cvsupd.access\" file ... "
+cat <<EOF > ${WRKSRC}/cvsupd.access
+-0.0.0.0/0	${maxclients}	# Limit total connections
+-0.0.0.0/0/32	1	# Allow only 1 connection from each host
++0.0.0.0/0		# If we reach this rule, we let the client in
+EOF
+echo "Done."