CVSTrac Legacy Code

Tech-note a4a1f5e662


CVS is legacy. Nobody uses it for new work any more. And the same is true of CVSTrac. We continue to maintain it for the sake of sites that continue to use it, and to continue to be able to display historical tickets and wiki pages that where entered years ago when CVS and CVSTrac where still in active use. But the world has move on. Projects should transition to newer and better systems that are now available. CVSTrac has become an historical artifact.

We recently upgraded the server that hosts, and as part of that upgrade, we purposely did not install CVS, since it is a security risk. All of the CVSTrac source code is now on Fossil - a distributed version control system that incorporates many of the features originally developed for CVSTrac. In other words, CVSTrac is no longer self-hosting. It has been moved into a retirement home.

Server Configuration

CVSTrac is still run in order to provide access to historical tickets and wiki pages. The current manifestation of CVSTrac runs as a stand-alone CGI process inside a chroot jail. No other software is necessary for CVSTrac to run. Formerly, we needed /bin/sh and /usr/bin/cvs. But those executables are a security risk and so CVSTrac has been enhanced to no longer require them.

The HTTP server on the website is althttpd.c. This server is implemented as a single file of ANSI-C code. Documentation on how to configure althttpd.c is found in a comment in the first 50 or 60 lines of the source code file. A separate instance of the server is launched for each inbound TCP/IP connection via xinetd. xinetd is configured using the file /etc/xinetd.d/http which looks like this:

service http
  port = 80
  socket_type = stream
  wait = no
  user = root
  server = /usr/bin/althttpd
  server_args = -logfile /logs/http.log -root /home/www -user www-data

This same HTTP server also servers site and and several other domains. The HOST parameter on the HTTP header determines which content is served. Everything runs on a single low-power Linode virtual machine.

You can infer from the "server_args" line above that althttpd.c puts itself in a chroot jail at /home/www and changes to the www-data user before doing anything else. This chroot jail contains no shared libraries and a minimal number of executables (fossil and cvstrac, for example). Note in particular that this chroot jail does not contain /bin/sh or /usr/bin/cvs, which limits the functionality of CVSTrac somewhat.

There is a file on the website named "cvstrac". That file has its execute permission bit set (rwxr-xr-x) so that althttpd.c will run it as CGI whenever it is specified on the URL path. The file is a script, as follows:

directory: /cvstrac
project: cvstrac

The /usr/bin/cvstrac executable is really found in /home/www/usr/bin, but the /home/www is omitted because of the chroot jail. /usr/bin/cvstrac is compiled with -static so that it uses no shared libraries. The CVSTrac database for the CVSTrac project is located in the directory "/cvstrac" (relative to the chroot jail, or "/home/www/cvstrac" in reality) and the name of the CVSTrac database is "cvstrac.db". Note that the ".db" suffix is added automatically.

Building The CVSTrac Executable

The cvstrac executable found in /home/www/usr/bin (or /usr/bin relative to the chroot jail) is built as follows:

  1. Checkout the CVSTrac source tree into a subdirectory named "cvstrac". This involves cloning the repository if necessary, then doing "mkdir cvstrac; cd cvstrac" and finally "fossil open ../cvstrac.fossil".
  1. Create a sibling directory "bld". Copy "" from the source directory into "makefile" in the "bld" directory.
  1. Edit "makefile": (a) Set SRCDIR to "../cvstrac". (b) Change TCC to "gcc -Os -static -I. -DSQLITE_THREADSAFE=0 -DSQLITE_OMIT_LOAD_EXTENSION". (c) Change LIBSQLITE to "./sqlite3.c -lcrypt -lm".
  1. Move a copy of the SQLite amalgamation and header into the build directory.
  1. Type "make".

The steps above build a statically linked binary that can then be copied into /home/www/usr/bin. Not all features of CVSTrac are supported by this build, but enough features are support to provide access to legacy wiki pages and tickets in the CVSTrac database files.