On Thu, Sep 25, 2014 at 12:46 PM, Stephan Beal <sgb...@googlemail.com> wrote:
> On Thu, Sep 25, 2014 at 6:43 PM, Stephan Beal <sgb...@googlemail.com> > wrote: > >> Some of this article is downright FUD[1], some of it is not _necessarily_ >> FUD. i pass it on primarily because all my CGI Fossil repos (currently) use >> /bin/bash instead of /bin/sh (will be resolved momentarily). >> > > Actually... Fossil CGI scripts typically use the fossil binary directly, > as opposed to a shell between the script and binary. So this is essentially > a false alarm for most configs (the ones which follow the fossil setup > docs) but might affect those with more elaborate CGI script setups. e.g. my > ~40 repos all use #!/path/to/fossil. > > The Fossil binaries on the www.fossil-scm.org server run inside a chroot jail that omits both /bin/bash and /bin/sh. In fact, that chroot jail has very little in it at all. None of the standard system utilities. No shared libraries. No devices. Just a handful of statically linked binaries in /usr/bin for running desired services (such as Fossil) and the databases needed to support them. Hasn't that been the recommended practice for public-facing internet services for decades? -- D. Richard Hipp d...@sqlite.org
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users