authorwiz <wiz@pkgsrc.org>2006-05-20 23:38:16 +0000
committerwiz <wiz@pkgsrc.org>2006-05-20 23:38:16 +0000
commit0611d4a240a901c8a9972539070fac26722eb936 (patch)
treea2126c71632d983644f81f46c8a6f4218f5a1e25 /devel/cvsd
parent0b44d1b124b4559b0c88782db8be893d8ed25a5f (diff)
Initial import of cvsd, a cvs pserver wrapper that chroots the pserver.
Based on the work by Eric Schnoebelen and virtus@ in pkgsrc-wip. DESCR: cvsd is a wrapper program for cvs in pserver mode. It will run 'cvs pserver' under a special uid/gid in a chroot jail. cvsd is run as a daemon and is controlled through a configuration file. It is relatively easy to configure and tools are provided for easily setting up a rootjail. This server can be useful if you want to run a public cvs pserver. You should however be aware of the security limitations of running a cvs pserver. If you want any kind of authentication you should really consider using secure shell as a secure authentication mechanism and transport. Passwords used in cvs pserver are transmitted in plaintext and this wrapper won't change that. This server adds a layer of security to cvs. cvs is a very powerful tool and is capable of running scripts and other things. By running cvs in a rootjail it is possible to limit the amount of "damage" cvs can do if it is exploited. It is generally a good idea to run cvsd without any write permissions to any directory on the system.
Diffstat (limited to 'devel/cvsd')
-rw-r--r--devel/cvsd/DESCR19
-rw-r--r--devel/cvsd/MESSAGE8
-rw-r--r--devel/cvsd/Makefile32
-rw-r--r--devel/cvsd/PLIST15
-rw-r--r--devel/cvsd/distinfo9
-rw-r--r--devel/cvsd/files/cvsd.sh29
-rw-r--r--devel/cvsd/patches/patch-aa9
-rw-r--r--devel/cvsd/patches/patch-ab9
-rw-r--r--devel/cvsd/patches/patch-ac40
-rw-r--r--devel/cvsd/patches/patch-ad21
10 files changed, 191 insertions, 0 deletions
diff --git a/devel/cvsd/DESCR b/devel/cvsd/DESCR
new file mode 100644
index 00000000000..338a35b7948
--- /dev/null
+++ b/devel/cvsd/DESCR
@@ -0,0 +1,19 @@
+cvsd is a wrapper program for cvs in pserver mode. It will run 'cvs
+pserver' under a special uid/gid in a chroot jail.
+
+cvsd is run as a daemon and is controlled through a configuration
+file. It is relatively easy to configure and tools are provided
+for easily setting up a rootjail.
+
+This server can be useful if you want to run a public cvs pserver.
+You should however be aware of the security limitations of running
+a cvs pserver. If you want any kind of authentication you should
+really consider using secure shell as a secure authentication
+mechanism and transport. Passwords used in cvs pserver are transmitted
+in plaintext and this wrapper won't change that.
+
+This server adds a layer of security to cvs. cvs is a very powerful
+tool and is capable of running scripts and other things. By running
+cvs in a rootjail it is possible to limit the amount of "damage"
+cvs can do if it is exploited. It is generally a good idea to run
+cvsd without any write permissions to any directory on the system.
diff --git a/devel/cvsd/MESSAGE b/devel/cvsd/MESSAGE
new file mode 100644
index 00000000000..bdceea4f95a
--- /dev/null
+++ b/devel/cvsd/MESSAGE
@@ -0,0 +1,8 @@
+===========================================================================
+$NetBSD: MESSAGE,v 1.1.1.1 2006/05/20 23:38:16 wiz Exp $
+
+ You should set up create a chrooted filesystem and create
+ repositories. Read the README file in ${PREFIX}/share/doc/cvsd
+ for more details on setting up the environment.
+
+===========================================================================
diff --git a/devel/cvsd/Makefile b/devel/cvsd/Makefile
new file mode 100644
index 00000000000..f14511acb5f
--- /dev/null
+++ b/devel/cvsd/Makefile
@@ -0,0 +1,32 @@
+# $NetBSD: Makefile,v 1.1.1.1 2006/05/20 23:38:16 wiz Exp $
+
+DISTNAME= cvsd-1.0.10
+CATEGORIES= devel
+MASTER_SITES= http://ch.tudelft.nl/~arthur/cvsd/
+
+MAINTAINER= eric@cirr.com
+HOMEPAGE= http://ch.tudelft.nl/~arthur/cvsd/
+COMMENT= Run CVS pserver in a chroot-ed environment
+
+USE_TOOLS+= gmake perl
+GNU_CONFIGURE= YES
+
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q}
+CONFIGURE_ARGS+= --with-libwrap
+
+RCD_SCRIPTS= cvsd
+
+EGDIR= ${PREFIX}/share/examples/cvsd
+CONF_FILES= ${EGDIR}/cvsd.conf.example ${PKG_SYSCONFDIR}/cvsd.conf
+
+CVSD_USER?= cvsd
+CVSD_GROUP?= cvsd
+PKG_USERS= ${CVSD_USER}:${CVSD_GROUP}
+PKG_GECOS.${CVSD_USER}= CVS wrapper
+PKG_GROUPS= ${CVSD_GROUP}
+
+pre-install:
+ ${INSTALL_DATA_DIR} ${EGDIR}
+
+.include "../../security/tcp_wrappers/buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
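Review bot: `CVSD_USER` and `CVSD_GROUP` are overridable through `?=`, but nothing in this Makefile passes them to the build or to the installed `cvsd.conf.example`. An overridden account is therefore created by `PKG_USERS` while the daemon's configuration presumably still names the default one. A comment above the two assignments would make the coupling visible, e.g. `# Must match the Uid/Gid that cvsd.conf tells the daemon to switch to.` Separately, `MASTER_SITES` is a plain `http://` URL, so the integrity of the distfile rests entirely on the checksums recorded in distinfo.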
diff --git a/devel/cvsd/PLIST b/devel/cvsd/PLIST
new file mode 100644
index 00000000000..3e0beb481c5
--- /dev/null
+++ b/devel/cvsd/PLIST
@@ -0,0 +1,15 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2006/05/20 23:38:16 wiz Exp $
+man/man5/cvsd.conf.5
+man/man8/cvsd-buginfo.8
+man/man8/cvsd-buildroot.8
+man/man8/cvsd-passwd.8
+man/man8/cvsd.8
+sbin/cvsd
+sbin/cvsd-buginfo
+sbin/cvsd-buildroot
+sbin/cvsd-passwd
+share/doc/cvsd/README
+share/examples/cvsd/cvsd.conf.example
+share/examples/rc.d/cvsd
+@dirrm share/examples/cvsd
+@dirrm share/doc/cvsd
diff --git a/devel/cvsd/distinfo b/devel/cvsd/distinfo
new file mode 100644
index 00000000000..9414267472a
--- /dev/null
+++ b/devel/cvsd/distinfo
@@ -0,0 +1,9 @@
+$NetBSD: distinfo,v 1.1.1.1 2006/05/20 23:38:16 wiz Exp $
+
+SHA1 (cvsd-1.0.10.tar.gz) = f615a8830bb2a4f415b3267dc628b64561b53d9f
+RMD160 (cvsd-1.0.10.tar.gz) = 9a7129d9fa9b200bfeb8c54abeaae5e9c563cbcc
+Size (cvsd-1.0.10.tar.gz) = 206048 bytes
+SHA1 (patch-aa) = adfcecc2412aa30828c5b5cec1b0763bca599abb
+SHA1 (patch-ab) = f24f3ceac0c5e5d156c3ffc094b679d165e45e21
+SHA1 (patch-ac) = 02f4caa955d88eeadef14a05dd6e4ec19b9ee4b9
+SHA1 (patch-ad) = 2da407e6037ee3cd187b48d8ee668df281ae6907
diff --git a/devel/cvsd/files/cvsd.sh b/devel/cvsd/files/cvsd.sh
new file mode 100644
index 00000000000..959f226b18e
--- /dev/null
+++ b/devel/cvsd/files/cvsd.sh
@@ -0,0 +1,29 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: cvsd.sh,v 1.1.1.1 2006/05/20 23:38:16 wiz Exp $
+#
+# PROVIDE: cvsd
+# REQUIRE: DAEMON
+
+if [ -e /etc/rc.subr ]
+then
+ . /etc/rc.subr
+fi
+
+name="cvsd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+required_files="@PREFIX@/etc/${name}.conf"
+pidfile=$(awk '/^#/ {next}; /PidFile/ {print $2}' ${required_files})
+# pidfile=/var/run/cvsd.pid
+command_args=""
+ # add more flags through ${${name}_flags}
+
+if [ -e /etc/rc.subr ]
+then
+ load_rc_config $name
+ run_rc_command "$1"
+else
+ echo -n ' ${name}'
+ ${command} ${cvsd_flags} ${command_args}
+fi
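Review bot: `required_files` hard-codes `@PREFIX@/etc/${name}.conf`, while the package Makefile in this commit installs the configuration as `${PKG_SYSCONFDIR}/cvsd.conf`. With a non-default PKG_SYSCONFDIR the script checks and parses the wrong file; `required_files="@PKG_SYSCONFDIR@/${name}.conf"` would keep the two in step. The `pidfile=$(awk ...)` line runs on every invocation before that file is known to exist, and its `/PidFile/` pattern matches the word anywhere on a line, so a quoted, exact match such as `pidfile=$(awk '$1 == "PidFile" {print $2}' "${required_files}")` is safer. In the branch without rc.subr, `echo -n ' ${name}'` is single-quoted and prints the literal text; it should be `echo -n " ${name}"`.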
diff --git a/devel/cvsd/patches/patch-aa b/devel/cvsd/patches/patch-aa
new file mode 100644
index 00000000000..4db1fa600f4
--- /dev/null
+++ b/devel/cvsd/patches/patch-aa
@@ -0,0 +1,9 @@
+$NetBSD: patch-aa,v 1.1.1.1 2006/05/20 23:38:16 wiz Exp $
+
+--- configure.ac.orig 2004-08-07 23:11:01.000000000 +0300
++++ configure.ac 2004-09-13 14:25:08.000000000 +0300
+@@ -274,3 +274,3 @@
+ # TODO: this should probably be fixed to be nicer
+-CONFIGFILE=`eval echo $sysconfdir/cvsd/cvsd.conf | \
++CONFIGFILE=`eval echo $sysconfdir/cvsd.conf | \
+ sed "s%^NONE/%${prefix}/%" | \
diff --git a/devel/cvsd/patches/patch-ab b/devel/cvsd/patches/patch-ab
new file mode 100644
index 00000000000..d48517aa950
--- /dev/null
+++ b/devel/cvsd/patches/patch-ab
@@ -0,0 +1,9 @@
+$NetBSD: patch-ab,v 1.1.1.1 2006/05/20 23:38:16 wiz Exp $
+
+--- configure.orig 2004-08-07 23:11:20.000000000 +0300
++++ configure 2004-09-13 14:25:34.000000000 +0300
+@@ -9983,3 +9983,3 @@
+ # TODO: this should probably be fixed to be nicer
+-CONFIGFILE=`eval echo $sysconfdir/cvsd/cvsd.conf | \
++CONFIGFILE=`eval echo $sysconfdir/cvsd.conf | \
+ sed "s%^NONE/%${prefix}/%" | \
diff --git a/devel/cvsd/patches/patch-ac b/devel/cvsd/patches/patch-ac
new file mode 100644
index 00000000000..f96c70f639a
--- /dev/null
+++ b/devel/cvsd/patches/patch-ac
@@ -0,0 +1,40 @@
+$NetBSD: patch-ac,v 1.1.1.1 2006/05/20 23:38:16 wiz Exp $
+
+--- Makefile.in.orig 2005-07-24 09:19:45.000000000 -0500
++++ Makefile.in
+@@ -184,6 +184,8 @@ libdir = @libdir@
+ libexecdir = @libexecdir@
+ localstatedir = @localstatedir@
+ mandir = @mandir@
++exampledir = $(prefix)/share/examples/@PACKAGE@
++docdir = $(prefix)/share/doc/@PACKAGE@
+ mkdir_p = @mkdir_p@
+ oldincludedir = @oldincludedir@
+ prefix = @prefix@
+@@ -763,17 +765,19 @@ uninstall-man: uninstall-man5 uninstall-
+
+
+ # install configuration files
+-install-data-local: install-configfile install-initscript
++install-data-local: install-configfile install-readme
++
++install-readme:
++ if [ ! -d $(DESTDIR)$(docdir) ]; then \
++ $(mkinstalldirs) $(DESTDIR)$(docdir); \
++ fi
++ $(INSTALL_DATA) $(srcdir)/README $(DESTDIR)$(docdir)
+
+ install-configfile:
+ if [ ! -d $(DESTDIR)$(sysconfdir)/cvsd ]; then \
+- $(mkinstalldirs) $(DESTDIR)$(sysconfdir)/cvsd;\
+- fi
+- if [ ! -f $(DESTDIR)$(CONFIGFILE) ]; then \
+- $(INSTALL_DATA) $(srcdir)/cvsd.conf-dist $(DESTDIR)$(CONFIGFILE); \
+- else \
+- echo "$(DESTDIR)$(CONFIGFILE) already exists, install will not overwrite"; \
++ $(mkinstalldirs) $(DESTDIR)$(sysconfdir);\
+ fi
++ $(INSTALL_DATA) $(srcdir)/cvsd.conf-dist $(DESTDIR)$(exampledir)/cvsd.conf.example
+
+ install-initscript:
+ if [ ! -d $(DESTDIR)$(sysconfdir)/init.d ]; then \
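Review bot: In the rewritten `install-configfile` rule the surviving test still checks `$(DESTDIR)$(sysconfdir)/cvsd`, but the body now creates `$(DESTDIR)$(sysconfdir)`. The following `$(INSTALL_DATA)` writes into `$(DESTDIR)$(exampledir)`, which this rule never creates. As written it appears to work only because the package Makefile's `pre-install` target creates `${EGDIR}` first. Testing and creating the directory actually used, `if [ ! -d $(DESTDIR)$(exampledir) ]; then $(mkinstalldirs) $(DESTDIR)$(exampledir); fi`, would make the rule self-contained. The `install-initscript` rule at the end of the hunk continues outside it.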
diff --git a/devel/cvsd/patches/patch-ad b/devel/cvsd/patches/patch-ad
new file mode 100644
index 00000000000..0dcf2d0673e
--- /dev/null
+++ b/devel/cvsd/patches/patch-ad
@@ -0,0 +1,21 @@
+$NetBSD: patch-ad,v 1.1.1.1 2006/05/20 23:38:16 wiz Exp $
+
+--- cvsd-buildroot.in.orig 2004-07-29 22:53:14.000000000 +0300
++++ cvsd-buildroot.in 2004-09-13 14:26:18.000000000 +0300
+@@ -51,2 +51,4 @@
+ EXTRALIBS="$EXTRALIBS /usr/libexec/ld.so"
++# for NetBSD
++EXTRALIBS="$EXTRALIBS /usr/libexec/ld.elf_so /libexec/ld.elf_so"
+ # for Solaris:
+@@ -294,3 +296,3 @@
+
+-# for systems with strange password files (OpenBSD)
++# for systems with strange password files (OpenBSD/NetBSD/FreeBSD)
+ if [ -r /etc/master.passwd ] && [ -r /etc/pwd.db ] && [ -x /usr/sbin/pwd_mkdb ]
+@@ -301,3 +303,5 @@
+ < "$ROOT/etc/passwd" > "$ROOT/etc/master.passwd"
+- /usr/sbin/pwd_mkdb -p -d "$ROOT/etc" "$ROOT/etc/master.passwd"
++ # NetBSD expects -d to be the new root directory.
++ /usr/sbin/pwd_mkdb -p -d "$ROOT/etc" "$ROOT/etc/master.passwd" 2>/dev/null|| \
++ /usr/sbin/pwd_mkdb -p -d "$ROOT" "$ROOT/etc/master.passwd" 2>/dev/null
+ echo "done."
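Review bot: Both `pwd_mkdb` invocations send stderr to `/dev/null` and the result of the fallback is never checked, so when both fail the script still prints `done.` and the jail is left without a rebuilt password database. A missing database presumably breaks uid lookups inside the chroot, so the failure is worth surfacing. Keep the first call quiet if needed, but drop `2>/dev/null` from the second and append `|| echo "pwd_mkdb failed for $ROOT" >&2`. The enclosing `if` block starts before and ends after the lines shown in this hunk.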