> -----Original Message-----
> From: Stefan Sperling [mailto:s...@elego.de]
> Sent: Thursday 25 September 2014 10:09
> To: Nico Kadel-Garcia
> Cc: Les Mikesell; users
> Subject: Re: ssh+svn vs. bash security bug?
>
> On Wed, Sep 24, 2014 at 07:30:57PM -0400, Nico Kadel-Garcia wrote:
> > Setting up a chroot for Subversion for just this purpose gets...
> > potentially adventuresome. The maintainers of OpenSSH have generically
> > refused to support chroot changes, so it's a bit awkward to even set
> > up. Various folks have published patches or integration kits to
> > support genuine chroot cages: heck, even I used to publish patches for
> > OpenSSH to provide them.
>
> I have to admit that while I did successfully chroot svnserve with
> svn:// once, I've never tried to chroot svn+ssh://
>
> But I'd be surprised if OpenSSH was making this difficult.
> The ChrootDirectory configuration option of OpenSSH won't do?
> If so, why not?
>
> Upgrading bash is a better solution to this particular problem,
> of course, but using a chroot containing the minimum components
> could still be a good idea in general.

Also, switching these users to a shell with far fewer features than bash
might be an even better solution. If the users are only allowed to use
'svnserve', they don't need all the features of a shell...

Bert