[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
chroot jail redux
|
From: |
Dan Kegel |
|
Subject: |
chroot jail redux |
|
Date: |
Sun, 05 Nov 2000 09:32:46 -0800 |
I read through some of the archived thread about
chroot jails for cvs with great interest.
I agree with both sides - for best security, the
cvs daemon should be run without root privs at all,
but various practical considerations make that hard to
do for some people.
Me, I'm willing to run it without root privs, but
given how utterly insecure cvs pserver mode is,
I still plan to run it in a chroot jail.
Since it won't have root privs, it won't be able to
break out of the jail. And if someone exploits any
of the gaping security holes in cvs pserver, he'll only
be able to corrupt the files in the jail, and
won't compromise any other data.
The two posts that seem the most informative about
how to run cvs in a chroot jail were
http://www.egroups.com/message/info-cvs/24219
http://www.egroups.com/message/info-cvs/24544
and their followups. Also,
http://www.unixtools.org/cvs/server-how-to.html
describes a way to do it without Justin's patch.
(See http://www.kegel.com/cvs.html#links.security
for my collected links on the subject.)
Is there a resource I'm missing here? Has Justin put
up a web page about what's involved in really running
cvs in a chroot jail?
- Dan
- chroot jail redux,
Dan Kegel <=