mirror of
https://git.FreeBSD.org/ports.git
synced 2024-11-15 23:50:44 +00:00
3176ec22e7
honor of the occasion I have bumped the version number to 1.1. The port now depends upon the cvsup-bin and cvsupd-bin ports rather than on the more trouble-prone cvsup port. The CVSup server is run with "-C 100" (max. 100 clients at a time) and the true limit is set in the "/usr/local/etc/cvsup/cvsupd.access" file. This is nice because you can change the limit by editing the file; you don't have to restart the server. The cvsupd.access file also contains a rule to limit each individual host to one connection at a time. The CVSup client is now run under its own unprivileged user ID instead of root. This is a security enhancement. It makes it impossible for a compromised master site to install files into places outside the mirror area of the filesystem. The permissions of various other files such as /usr/local/etc/cvsup have also been strengthened to enhance security. Both client and server now cd to /var/tmp to run, so that if they decide to croak they'll be able to write the core file. :-) The /usr/local/etc/rc.d/cvsupd.sh script now honors the "start" and "stop" arguments. The configure script no longer attempts to tell you the sizes of the various collections. That's impossible to maintain. When I have time I plan to make a web page where one can obtain that information from an automatically-updated source. Then I will reference the URL in the configure script. It is possible to upgrade an existing cvsup-mirror-1.0 installation to this new version, but it is tricky because of the change in ownership of the mirrored files. I will post instructions to the freebsd-hubs mailing list after I make sure I have the procedure just right.
220 lines
5.7 KiB
Bash
220 lines
5.7 KiB
Bash
#! /bin/sh
|
|
|
|
base=${PREFIX}/etc/cvsup
|
|
variables="user group cuser cgroup host host_crypto interval \
|
|
maxclients facility distribs"
|
|
|
|
ask() {
|
|
local question default answer
|
|
|
|
question=$1
|
|
default=$2
|
|
if [ -z "${PACKAGE_BUILDING}" ]; then
|
|
read -p "${question} [${default}]? " answer
|
|
fi
|
|
if [ x${answer} = x ]; then
|
|
answer=${default}
|
|
fi
|
|
echo ${answer}
|
|
}
|
|
|
|
yesno() {
|
|
local dflt question answer
|
|
|
|
question=$1
|
|
dflt=$2
|
|
while :; do
|
|
answer=$(ask "${question}" "${dflt}")
|
|
case "${answer}" in
|
|
[Yy]*) return 0;;
|
|
[Nn]*) return 1;;
|
|
esac
|
|
echo "Please answer yes or no."
|
|
done
|
|
}
|
|
|
|
ask_distrib() {
|
|
local desc dflt link dir subdir
|
|
|
|
link=$1
|
|
dflt=$2
|
|
subdir=$3
|
|
desc=$4
|
|
if yesno "Do you wish to mirror the ${desc}" y; then
|
|
if [ "${subdir}" != "." ]; then
|
|
cat <<EOF
|
|
Note: the location for this must match "*/${subdir}", and
|
|
"${subdir}" must be a true subdirectory, not a symbolic link.
|
|
EOF
|
|
fi
|
|
while :; do
|
|
dir=$(ask "Where would you like to put it" ${dflt})
|
|
case ${dir} in
|
|
/*) ;;
|
|
*) echo "Please specify an absolute pathname."
|
|
continue;;
|
|
esac
|
|
if [ "${subdir}" = "." ]; then
|
|
break
|
|
fi
|
|
dir=$(expr "${dir}" : "\(.*\)/${subdir}\$")
|
|
if [ "x${dir}" != x ]; then
|
|
break
|
|
fi
|
|
echo "The location must match \"*/${subdir}\""
|
|
done
|
|
distribs="${distribs} ${link} ${dir} ${subdir}"
|
|
return 0
|
|
else
|
|
distribs="${distribs} ${link} SKIP ${subdir}"
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
canonicalize() {
|
|
echo $1 | tr "[:upper:]" "[:lower:]"
|
|
}
|
|
|
|
#------------------------------------------------------------------------------
|
|
|
|
cat <<EOF
|
|
I am going to ask you a few questions so that I can set up your
|
|
FreeBSD mirror configuration. Every question has a [default]
|
|
answer. To accept the default, just press ENTER.
|
|
|
|
At this point, I am just gathering information. I will not touch
|
|
your system until you type "make install".
|
|
|
|
EOF
|
|
|
|
if [ x${USA_RESIDENT} = xYES ]; then
|
|
dflt_domestic=y
|
|
else
|
|
dflt_domestic=n
|
|
fi
|
|
if yesno "Is this host in the USA or Canada" ${dflt_domestic}; then
|
|
domestic=yes
|
|
else
|
|
domestic=no
|
|
fi
|
|
|
|
host=$(ask "Master site for your non-crypto updates" cvsup-master.freebsd.org)
|
|
if [ ${domestic} = yes ]; then
|
|
dflt_host_crypto=${host}
|
|
else
|
|
dflt_host_crypto=cvsup.internat.freebsd.org
|
|
fi
|
|
|
|
cat <<EOF
|
|
|
|
If you are not planning to mirror the crypto files, just accept
|
|
the default answer for the next question.
|
|
|
|
EOF
|
|
host_crypto=$(ask "Master site for your crypto updates" ${dflt_host_crypto})
|
|
|
|
host=$(canonicalize ${host})
|
|
host_crypto=$(canonicalize ${host_crypto})
|
|
|
|
while :; do
|
|
interval=$(ask "How many hours between updates of your files" 1)
|
|
case ${interval} in
|
|
1|2|3|4|6|8|12|24) break;;
|
|
esac
|
|
echo "Please answer 1, 2, 3, 4, 6, 8, 12, or 24"
|
|
done
|
|
|
|
cat <<EOF
|
|
|
|
Now you must decide which sets of files you wish to make available
|
|
from your mirror site. You can choose any combination, and you
|
|
can put each set anywhere you want to on your disks. Although each
|
|
set is optional, we strongly encourage every mirror site to carry
|
|
at least the main source tree.
|
|
|
|
EOF
|
|
|
|
distribs="distrib.self .. ."
|
|
ask_distrib FreeBSD.cvs /home/ncvs . \
|
|
"main source tree, except crypto code"
|
|
ask_distrib FreeBSD-crypto.cvs /home/ncvs . \
|
|
"crypto code"
|
|
ask_distrib FreeBSD-www.current /usr/local/www . \
|
|
"installed World Wide Web data"
|
|
ask_distrib FreeBSD-gnats.current /home/gnats gnats \
|
|
"GNATS bug tracking database"
|
|
ask_distrib FreeBSD-mail.current /home/mail . \
|
|
"mailing list archive"
|
|
|
|
cat <<EOF
|
|
|
|
Now, a few questions so that I can set up your CVSup server properly.
|
|
|
|
For security reasons, both the CVSup client and server should run
|
|
under their own unique user and group IDs. These IDs should have no
|
|
special access privileges. Normally, the user:group "cvsupin:cvsupin"
|
|
is used for the client and "cvsup:cvsup" is used for the server, but
|
|
you can choose other names if you wish. At "make install" time, I
|
|
will create the users and groups, if they don't already exist.
|
|
|
|
Use unique user and group IDs for these. Do not use "nobody",
|
|
"nonroot", or "nogroup".
|
|
|
|
EOF
|
|
|
|
cuser=$(ask "Unique unprivileged user ID for running the client" cvsupin)
|
|
cgroup=$(ask "Unique unprivileged group ID for running the client" cvsupin)
|
|
user=$(ask "Unique unprivileged user ID for running the server" cvsup)
|
|
group=$(ask "Unique unprivileged group ID for running the server" cvsup)
|
|
|
|
cat <<EOF
|
|
|
|
The CVSup server does its logging via syslog. At "make install"
|
|
time, I will set up the logging for you, if necessary. I will use
|
|
the "!program" feature of syslog to keep your CVSup log messages
|
|
separate from the messages of your other daemons.
|
|
|
|
EOF
|
|
|
|
while :; do
|
|
facility=$(ask "Syslog facility for the server log" daemon)
|
|
case ${facility} in
|
|
daemon|local[0-7]|ftp|user) break;;
|
|
esac
|
|
echo "Please answer daemon, local0-local7, ftp, or user"
|
|
done
|
|
|
|
cat <<EOF
|
|
|
|
You can control the load on your machine by limiting the number of
|
|
clients that the CVSup server will serve at once. CVSup won't load
|
|
your network especially heavily, but it is more CPU and disk
|
|
intensive than most other file server software.
|
|
|
|
EOF
|
|
|
|
while :; do
|
|
maxclients=$(ask "Maximum simultaneous client connections" 8)
|
|
if expr "${maxclients}" : "[0-9][0-9]*\$" >/dev/null 2>&1; then
|
|
break
|
|
fi
|
|
echo "Please answer with a number"
|
|
done
|
|
|
|
#------------------------------------------------------------------------------
|
|
|
|
echo ""
|
|
echo -n "Building the \"config.sh\" file ... "
|
|
for var in ${variables}; do
|
|
eval echo ${var}=\\\"\${${var}}\\\"
|
|
done > ${WRKSRC}/config.sh
|
|
echo "Done."
|
|
|
|
echo -n "Building the \"cvsupd.access\" file ... "
|
|
cat <<EOF > ${WRKSRC}/cvsupd.access
|
|
-0.0.0.0/0 ${maxclients} # Limit total connections
|
|
-0.0.0.0/0/32 1 # Allow only 1 connection from each host
|
|
+0.0.0.0/0 # If we reach this rule, we let the client in
|
|
EOF
|
|
echo "Done."
|