Thanks, I'll create a new account for the repositories from now
on and set FOSSIL_HOME=/. The problem only appears if I run
fossil as root when compiled with --with-th1-hooks as one of the
options and FOSSIL_HOME is not set. Before this, I used
the "Linux 3.x x86" version from fossil-scm.org, which I just
noticed was not compiled with the TH1_HOOKS feature.

On Tue, Mar 1, 2016 at 12:55 AM, Ross Berteig <r...@cheshireeng.com> wrote:
>
> On 2/29/2016 3:01 PM, Alexandru Birsanu wrote:
>>
>> Thanks for the explanations. Since Fossil 1.34 didn't have this
>> issue I assumed it might be a bug not a new feature :). I've tried
>> the following and it works great when run as root.
>> export FOSSIL_HOME=/
>> mkdir /repos && cd /repos
>> fossil new repo.fossil
>> fossil server repo.fossil
>
>
> One other note. The chroot jail is strongest when the repo being served
> is not itself owned by root. After calling chroot(), it lowers
> privileges by impersonating the user that owns the repository. If that
> user is root, it still impersonates itself but that has little or no
> effect. So let some normal user own the repositories you serve, and the
> folder they live in.
>
> This implies that the folder containing the repository must be readable
> and writable by the user that owns the repository, if not actually owned
> by that user.
>
> Incidentally, the chroot jail feature has been in fossil for a long
> time. It is first mentioned in a check-in comment from August 2009, and
> the oldest surviving lines of code related to it date from February
> 2010. I don't know why it hasn't affected you before, unless your past
> usage has generally involved running fossil as other than root when
> serving files, which is exactly what would normally happen if fossil
> were accessed via CGI since web servers are usually not running as root.
>
> --
> Ross Berteig                               r...@cheshireeng.com
> Cheshire Engineering Corp.           http://www.CheshireEng.com/
> +1 626 303 1602
> _______________________________________________
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
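
The two ownership points in the quoted reply above (the repository should not be owned by root, and its folder must be readable and writable by the owning user) written as a pre-flight check. This is an added example, not part of the thread or of Fossil itself; `check_repo` and its return codes are constructed for illustration, and group-based access to the folder is deliberately not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread or from Fossil): check a repository's
# ownership before starting `fossil server` as root.
# Return codes are constructed for this example:
#   0 ok | 1 repo owned by root | 2 folder not rw for repo owner | 3 no such repo
# Usage after sourcing this file: check_repo /repos/repo.fossil

# Numeric owner uid and mode string of a path, via POSIX `ls -ldn`.
owner_uid() { ls -ldn -- "$1" | awk '{print $3}'; }
mode_str()  { ls -ldn -- "$1" | awk '{print $1}'; }

check_repo() {
    repo=$1
    if [ ! -f "$repo" ]; then
        echo "no such repository file: $repo" >&2
        return 3
    fi
    dir=$(dirname -- "$repo")
    repo_uid=$(owner_uid "$repo")

    # If root owns the repo, the switch to the owning user after chroot()
    # leaves the server running as root.
    if [ "$repo_uid" -eq 0 ]; then
        echo "$repo is owned by uid 0: privilege drop will have no effect" >&2
        return 1
    fi

    # The owning user needs read, write and search access to the folder.
    # Same owner: test the owner bits. Different owner: fall back to the
    # "other" bits (group membership is not evaluated, so this is conservative).
    mode=$(mode_str "$dir")
    ok=0
    if [ "$(owner_uid "$dir")" -eq "$repo_uid" ]; then
        case $mode in ?rw[xs]*) ok=1 ;; esac
    else
        case $mode in ???????rw[xt]*) ok=1 ;; esac
    fi
    if [ "$ok" -ne 1 ]; then
        echo "$dir ($mode) is not readable and writable by uid $repo_uid" >&2
        return 2
    fi
    return 0
}
```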