> -----Original Message-----
> From: Stefan Sperling [mailto:stsp_at_elego.de]
> Sent: donderdag 25 september 2014 10:09
> To: Nico Kadel-Garcia
> Cc: Les Mikesell; users
> Subject: Re: ssh+svn vs. bash security bug?
>
> On Wed, Sep 24, 2014 at 07:30:57PM -0400, Nico Kadel-Garcia wrote:
> > Setting up a chroot for Subversion for just this purpose gets...
> > potentially adventuresome. The maintainers of OpenSSH have generically
> > refused to support chroot changes, so it's a bit awkward to even set
> > up. Various folks have published patches or integration kits to
> > support genuine chroot cages: heck, even I used to publish patches for
> > OpenSSH to provide them.
>
> I have to admit that while I did successfully chroot svnserve with
> svn:// once, I've never tried to chroot svn+ssh://
>
> But I'd be surprised if OpenSSH was making this difficult.
> The ChrootDirectory configuration option of OpenSSH won't do?
> If so, why not?
>
> Upgrading bash is a better solution to this particular problem,
> of course, but using a chroot containing the minimum components
> could still be a good idea in general.
Also switching these users to a shell with far less features than bash might
be an even better solution.
If the users are only allowed to use 'svnserve' they don't need all the
features of a shell...
Bert
Received on 2014-09-25 11:25:57 CEST