[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: chrooted server?

From: Dirk Schenkewitz <schenkewitz_at_docomolab-euro.com>
Date: 2005-03-02 00:54:04 CET

Hi Chris,

Chris Jensen wrote:
> Hi Dirk,
> I've not much experience with chrooting things, so I can't say much
> about here about how to do it, but here's some other things to think
> about.
>
>> I searched around but did not find any clear advice. Can it be done?
>> Should I better user Apache 2, perhaps also because svnserve cannot
>> deal with IPv6 adresses?

Meanwhile I searched some more... This has turned out to be the 2nd
problem, the first one is wheter svnserver supports IPv6 adresses or
not. Meanwhile, I suspect ist does not and if that's true, I must
use apache instead of svnserve anyway. I found some descriptions about
how to chroot apache2 in the net.

> It depends what why you want to chroot. If you simply don't want to give
> svn users general access to everything via ssh, then apache or chroot
> are both fine ways to do that. (You may also want to check out
> "restricted shell" or rssh which can limit the commands users make over
> ssh)

My intention was to keep a hacker as restricted as possible, if he/she
manages to get into the system via svnserve. Ssh would require to create
user accounts and I don't know about apache yet.

Being rather new to all this, it seemed to me that svnserve could be
safer than apache, because it serves exactly one thing, access to a
subversion repository. And the setup is simpler. I also liked the
authentication mechanisms better. But meanwhile I'm not so convinced
anymore... maybe apache is safer...

> If you're worried about problems with buffer overflows or the like being
> used to gain access to the system via the service, then you still run
> that risk with Apache and if the svn server is holding other sensitive
> data that you don't want svn users to get at, then you should be
> chrooting Apache2 too.

Exactly. That's what I'm concerned about. And yes, if apache2 will be used
as a server for subversion, it will be chrooted.
I was hoping that someone on the mailing list has experience with chrooting
svnserve and can give me a few hints.

Anyway, thank you very much, Chris

Have fun
   Dirk

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Mar 2 00:54:43 2005

This is an archived mail posted to the Subversion Users mailing list.