subversion-users mailing list archives

From "Bert Huijben" <b...@qqmail.nl>
Subject RE: ssh+svn vs. bash security bug?
Date Thu, 25 Sep 2014 09:25:04 GMT


> -----Original Message-----
> From: Stefan Sperling [mailto:stsp@elego.de]
> Sent: Thursday 25 September 2014 10:09
> To: Nico Kadel-Garcia
> Cc: Les Mikesell; users
> Subject: Re: ssh+svn vs. bash security bug?
> 
> On Wed, Sep 24, 2014 at 07:30:57PM -0400, Nico Kadel-Garcia wrote:
> > Setting up a chroot for Subversion for just this purpose gets...
> > potentially adventuresome. The maintainers of OpenSSH have generically
> > refused to support chroot changes, so it's a bit awkward to even set
> > up. Various folks have published patches or integration kits to
> > support genuine chroot cages: heck, even I used to publish patches for
> > OpenSSH to provide them.
> 
> I have to admit that while I did successfully chroot svnserve with
> svn:// once, I've never tried to chroot svn+ssh://
> 
> But I'd be surprised if OpenSSH was making this difficult.
> The ChrootDirectory configuration option of OpenSSH won't do?
> If so, why not?
> 
> Upgrading bash is a better solution to this particular problem,
> of course, but using a chroot containing the minimum components
> could still be a good idea in general.

Also, switching these users to a shell with far fewer features than bash might
be an even better solution.

If the users are only allowed to use 'svnserve' they don't need all the
features of a shell...

	Bert
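
An audit sketch for the suggestion above, added here as an example and not part of the original message or of Subversion: it flags svn+ssh accounts whose login shell is bash (sshd starts even a forced command through the account's login shell) and keys that are not pinned to `svnserve -t` in `authorized_keys`. The account names, key material and function names are constructed for illustration.

```python
import os
import re
KEY_TYPE = re.compile(r"^(ssh|ecdsa|sk)-\S+$")

def parse_options(line):
    """Split the options field of an authorized_keys line, honouring quotes."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return []                          # line starts with the key type
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in line:
        if escaped or (ch == "\\" and in_quote):
            escaped = not escaped          # keep backslash and the escaped char
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote and (ch == "," or ch.isspace()):
            opts.append(cur)
            cur = ""
            if ch.isspace():
                return opts                # options end at unquoted whitespace
            continue
        cur += ch
    return opts + [cur]

def restricted_to_svnserve(opts):
    """True when the key carries command="svnserve -t ..." and nothing more."""
    for opt in opts:
        if opt.lower().startswith('command="') and opt.endswith('"'):
            cmd = opt[9:-1]
            words = cmd.split()
            return (bool(words) and not re.search(r"[;&|`$<>()]", cmd)
                    and os.path.basename(words[0]) == "svnserve" and "-t" in words[1:])
    return False

def audit(passwd_text, keys_by_user):
    findings = []
    for fields in (row.split(":") for row in passwd_text.splitlines()):
        if len(fields) < 7 or fields[0] not in keys_by_user:
            continue
        user, shell = fields[0], fields[6]
        if os.path.basename(shell) == "bash":
            findings.append((user, "login shell is bash"))
        for line in map(str.strip, keys_by_user[user].splitlines()):
            if line and not line.startswith("#") and not restricted_to_svnserve(parse_options(line)):
                findings.append((user, "key not restricted to svnserve -t"))
    return findings

# Constructed sample data (not real accounts or keys).
PASSWD = "alice:x:1001:1001::/home/alice:/bin/bash\nbob:x:1002:1002::/home/bob:/bin/sh\n"
KEYS = {"alice": "ssh-rsa AAAAB3CONSTRUCTED alice@example\n",
        "bob": 'command="svnserve -t --tunnel-user=bob",no-pty ssh-ed25519 AAAAC3CONSTRUCTED bob@example\n'}
```

Calling `audit(PASSWD, KEYS)` on the sample data reports both findings for `alice` and none for `bob`.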


