On 7/13/18, Warren Young <war...@etr-usa.com> wrote:
> chroot() might even be strong enough given the tight scoping.

Just checking to make sure you know:  If you launch Fossil as root, it
will automatically put itself into a chroot jail in the directory
containing the repository, then change its userid and groupid to match
the owner of the repository.  It does this prior to reading any
content from the wire.

The chroot jail that Fossil runs in can be very lean.  It does not
need a shell nor a bunch of libraries (assuming you have statically
linked).  You will need to mknod a /dev/null, /dev/random, and
/dev/urandom inside the jail, but that seems harmless enough.

As a defense against DoS attacks, Fossil has a feature where it refuses
to run certain expensive web pages (ex: creating new tarballs) if the
system load average is too high.  Fossil uses the getloadavg()
interface to compute this.  On Linux, getloadavg() requires that /proc
be mounted.  So, if you want to use the rate limiting feature on
Linux, you will need /proc mounted in your chroot jail.  I wish there
were a better way...

D. Richard Hipp
fossil-users mailing list
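The jail setup described in the message above, as an added example (this is not D. Richard Hipp's or the Fossil project's own code). It assumes a Linux host (the device major/minor numbers and the /proc mount), a glibc-style ldd message in check_static, and that the repository path is the only input; the function names make_jail, jail_dir, check_static and check_owner are my own. Because Fossil chroots into the directory containing the repository, that directory is the jail root, and the fossil binary itself stays outside it.

```shell
#!/bin/sh
# Added example, not Fossil's own code: prepare the lean chroot jail the
# message describes. Fossil chroots into the directory containing the
# repository, so that directory is the jail root; it needs /dev/null,
# /dev/random and /dev/urandom, and /proc only if the load-average
# rate limiting is wanted (Linux). Device major/minor numbers are the
# Linux values (assumption). Set DRY_RUN=1 to print the commands instead
# of executing them; a real run needs root (mknod, mount).

# Echo or execute a command depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# jail_dir REPO: the jail root is the directory holding the repository.
jail_dir() {
    dirname -- "$1"
}

# check_static BIN: succeed only if BIN is statically linked, since no
# shared libraries will be reachable after the chroot. Relies on the
# glibc ldd wording (assumption; musl's ldd prints something different).
check_static() {
    ldd "$1" 2>&1 | grep -q "not a dynamic executable"
}

# check_owner REPO: fail if the repository is owned by root. Fossil drops
# to the repository owner's uid/gid, so a root-owned repo means no drop.
check_owner() {
    if [ -n "$(find "$1" -prune -user root -print)" ]; then
        echo "refusing: $1 is owned by root; chown it to the service user" >&2
        return 1
    fi
}

# make_jail REPO [WITH_PROC]: populate the jail with the three device
# nodes (and /proc if WITH_PROC=1) and nothing else: no shell, no libraries.
make_jail() {
    repo=$1
    with_proc=${2:-0}
    jail=$(jail_dir "$repo")

    run mkdir -p "$jail/dev"
    run mknod -m 666 "$jail/dev/null"    c 1 3
    run mknod -m 666 "$jail/dev/random"  c 1 8
    run mknod -m 666 "$jail/dev/urandom" c 1 9
    if [ "$with_proc" = "1" ]; then
        run mkdir -p "$jail/proc"
        run mount -t proc proc "$jail/proc"
    fi
}

# Usage: ./jail.sh /srv/fossil/repo.fossil 1   (second arg: mount /proc)
if [ "$#" -gt 0 ]; then
    check_owner "$1" && make_jail "$@"
fi
```

Run it once with DRY_RUN=1 to review the exact mknod and mount commands before running it as root; leave /proc out unless you actually rely on the load-average rate limiting, since it widens what the jailed process can see.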