On Thu, Aug 10, 2000 at 12:56:24PM -0400, Greg A. Woods wrote:
> Not necessarily.  It has been independently shown many times that it is
> very difficult to correctly configure a safe chroot environment for
> anything but the most trivially simple uses.

It's not difficult. There are only a few things to remember:

  1) don't put any setuid binaries in the chroot area 
  2) make sure to chdir("/path") and chroot(".") instead of chroot("/path")

The second one is handled by the CVS code so all you have to do is tell 
the admin not to put setuid binaries inside the chroot area. It's not 
something people are really likely to go and do ANYWAY.

> Indeed in a scenario where anonymous read-only access is all that's
> granted it may be of some benefit to chroot CVS into a restricted area,
> but at the moment I think you'd have to either modify your SSH server to
> support this or write a secure wrapper that can do this, and you still
> need at least a partly complete /bin/sh in the chrooted area.

You can give away shells inside the chroot area and a non-root user 
won't be able to break out unless you also put a setuid binary there.

> The only times chroot becomes valuable enough to warrant trying to
> deploy it is either when you absolutely must combine several low-risk
> services, such as perhaps several unrelated anonymous read-only CVS
> repositories on the same box; or when you've got to use a system that's
> harder to secure (eg. Irix or Solaris :-) than it is to set up the
> chroot wrapper.

Or Linux, or FreeBSD, or Compaq Unix, or NetBSD. Even with OpenBSD I
wouldn't really trust any random Joe user with a shell.

> However if you're suggesting that using cvspserver with chroot is still
> a good thing, then you're still completely wrong because that's the
> broken window in the barn with no door scenario (assuming of course that
> your repository is the only, and most valuable thing, on the server).

It's a better thing than pserver without chroot.

Justin
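Justin's two rules as an added example in C (not code from this thread or from CVS): `count_setuid_files` is the admin's check for rule 1, and `enter_jail` is the chdir-then-chroot sequence of rule 2, followed by dropping root, since a process that stays root inside the chroot can still leave it. `enter_jail` only succeeds when run as root; the jail path and the unprivileged uid/gid are assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Rule 1: count regular files under `dir` (recursively) that carry the
 * setuid or setgid bit. Symlinks are not followed. Returns -1 on error. */
int count_setuid_files(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        char path[4096];
        int n = snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (n < 0 || (size_t)n >= sizeof path) { closedir(d); return -1; }
        struct stat st;
        if (lstat(path, &st) != 0) { closedir(d); return -1; }
        if (S_ISDIR(st.st_mode)) {
            int sub = count_setuid_files(path);
            if (sub < 0) { closedir(d); return -1; }
            found += sub;
        } else if (S_ISREG(st.st_mode) && (st.st_mode & (S_ISUID | S_ISGID))) {
            found++;
        }
    }
    closedir(d);
    return found;
}

/* Rule 2: chdir into the jail first, then chroot("."), so the working
 * directory can never be left outside the new root. Then give up root
 * (supplementary groups, gid, uid, in that order) before serving anyone.
 * Needs root; returns 0 on success, -1 with errno set on failure. */
int enter_jail(const char *jail_dir, uid_t uid, gid_t gid) {
    if (chdir(jail_dir) != 0) return -1;
    if (chroot(".") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}
```

Running `count_setuid_files` over the jail before every startup, and refusing to start if it returns non-zero, turns rule 1 from advice for the admin into something the wrapper enforces.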
