[ On Thursday, August 10, 2000 at 16:15:36 (+0800), Mark Harrison wrote: ]
> Subject: Re: patch to make CVS chroot
>
> Greg A. Woods <[EMAIL PROTECTED]> wrote:
> > It's best to assume that shell access is possible even while you do
> > everything you can to mitigate the risks that such access might pose.
> 
> So wouldn't this make the chroot strategy a good thing?

Not necessarily.  It has been independently shown many times that it is
very difficult to correctly configure a safe chroot environment for
anything but the most trivially simple uses.  For example even chrooting
an FTP server into the user's home directory has caused problems for
some people (now the NetBSD ftp server, and perhaps a few others, don't
rely on any outside binaries, not even /bin/ls, so now finally it's
possible to make chrooting it a total no-brainer).

Indeed in a scenario where anonymous read-only access is all that's
granted it may be of some benefit to chroot CVS into a restricted area,
but at the moment I think you'd have to either modify your SSH server to
support this or write a secure wrapper that can do this, and you still
need at least a partly complete /bin/sh in the chrooted area.

The only times chroot becomes valuable enough to warrant trying to
deploy it is either when you absolutely must combine several low-risk
services, such as perhaps several unrelated anonymous read-only CVS
repositories on the same box; or when you've got to use a system that's
harder to secure (e.g. Irix or Solaris :-) than it is to set up the
chroot wrapper.

However if you're suggesting that using cvspserver with chroot is still
a good thing, then you're still completely wrong because that's the
broken window in the barn with no door scenario (assuming of course that
your repository is the only, and most valuable thing, on the server).

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
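
The message above says a safe chroot area is hard to configure correctly and that one for CVS still needs a /bin/sh inside it. As an added example (not part of the original message or of CVS), this sketch audits a jail tree before it is put into service. The function names and the specific checks (trusted ownership, setuid/setgid files, world-writable entries, device nodes) are assumptions based on common chroot hygiene, not rules stated in the thread.

```python
import os
import stat
import sys

def check_entry(path, rel, trusted_uid):
    """Return the problems found for one filesystem entry."""
    st = os.lstat(path)
    mode = st.st_mode
    if stat.S_ISLNK(mode):
        return []  # permission bits on a symlink carry no meaning
    problems = []
    if st.st_uid != trusted_uid:
        problems.append((rel, "not owned by trusted uid"))
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append((rel, "setuid/setgid file"))
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        problems.append((rel, "world-writable without sticky bit"))
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        problems.append((rel, "device node, review whether it is needed"))
    return problems

def audit_jail(jail, trusted_uid=0):
    """Return sorted (relative_path, problem) findings for a chroot tree."""
    findings = check_entry(jail, ".", trusted_uid)
    # The message notes that a chrooted CVS setup still needs a shell inside.
    if not os.access(os.path.join(jail, "bin", "sh"), os.X_OK):
        findings.append(("bin/sh", "missing or not executable"))
    for dirpath, dirnames, filenames in os.walk(jail):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            findings += check_entry(path, os.path.relpath(path, jail), trusted_uid)
    return sorted(findings)

def build_sample_jail(root):
    """Constructed sample tree with two deliberate mistakes (helper, tmp)."""
    for name, mode in {"bin": 0o755, "repo": 0o755, "tmp": 0o777}.items():
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for name, mode in {"sh": 0o755, "helper": 0o4755}.items():
        path = os.path.join(root, "bin", name)
        open(path, "w").close()
        os.chmod(path, mode)  # chmod after creation so the umask cannot mask it

if __name__ == "__main__":
    for rel, problem in audit_jail(sys.argv[1]):
        print(f"{rel}: {problem}")
```

An empty result means only that these particular checks passed; it does not show the jail is safe.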
