Re: chrooted server?

[Chris Jensen <cj...@edex.com.au>]

Hi Dirk,
I've not much experience with chrooting things, so I can't say much 
about here about how to do it, but here's some other things to think about.
> I searched around but did not find any clear advice. Can it be done?
> Should I better user Apache 2, perhaps also because svnserve cannot
> deal with IPv6 adresses?

It depends what why you want to chroot. If you simply don't want to give 
svn users general access to everything via ssh, then apache or chroot 
are both fine ways to do that. (You may also want to check out 
"restricted shell" or rssh which can limit the commands users make over ssh)

If you're worried about problems with buffer overflows or the like being 
used to gain access to the system via the service, then you still run 
that risk with Apache and if the svn server is holding other sensitive 
data that you don't want svn users to get at, then you should be 
chrooting Apache2 too.

Chris

-- 
---------------------------------------------------------------------
Chris Jensen cjensen@edex.com.au

Educational Experience (Australia)
Postal Address: PO Box 860, Newcastle NSW 2300
Freecall:       1-800-025 270      International: +61-2-4923 8222
Fax:            (02) 4942 1991     International: +61-2-4942 1991

Visit our online Toy store! http://www.toysandmore.com.au/
---------------------------------------------------------------------

Re: chrooted server?

[Dirk Schenkewitz <sc...@docomolab-euro.com>]

Hi Chris,

Chris Jensen wrote:
> Hi Dirk,
> I've not much experience with chrooting things, so I can't say much 
> about here about how to do it, but here's some other things to think
> about.
> 
>> I searched around but did not find any clear advice. Can it be done?
>> Should I better user Apache 2, perhaps also because svnserve cannot
>> deal with IPv6 adresses?

Meanwhile I searched some more... This has turned out to be the 2nd
problem, the first one is wheter svnserver supports IPv6 adresses or
not. Meanwhile, I suspect ist does not and if that's true, I must
use apache instead of svnserve anyway. I found some descriptions about
how to chroot apache2 in the net.

> It depends what why you want to chroot. If you simply don't want to give 
> svn users general access to everything via ssh, then apache or chroot 
> are both fine ways to do that. (You may also want to check out 
> "restricted shell" or rssh which can limit the commands users make over 
> ssh)

My intention was to keep a hacker as restricted as possible, if he/she
manages to get into the system via svnserve. Ssh would require to create
user accounts and I don't know about apache yet.

Being rather new to all this, it seemed to me that svnserve could be
safer than apache, because it serves exactly one thing, access to a
subversion repository. And the setup is simpler. I also liked the
authentication mechanisms better. But meanwhile I'm not so convinced
anymore... maybe apache is safer...

> If you're worried about problems with buffer overflows or the like being 
> used to gain access to the system via the service, then you still run 
> that risk with Apache and if the svn server is holding other sensitive 
> data that you don't want svn users to get at, then you should be 
> chrooting Apache2 too.

Exactly. That's what I'm concerned about. And yes, if apache2 will be used
as a server for subversion, it will be chrooted.
I was hoping that someone on the mailing list has experience with chrooting
svnserve and can give me a few hints.

Anyway, thank you very much, Chris

Have fun
   Dirk

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org