"Fossies" - the Fresh Open Source Software Archive 
Member "scponly-20110526/SECURITY" (11 Jul 2009, 3206 Bytes) of package /linux/privat/old/scponly-20110526.tgz:
SECURITY

Here are a few important things to know about security and scponly. This is a
brief attempt to document what should be done to correctly secure scponly.

1) Configure scponly to use a chroot

2) Configure scponly to use as few extra options and services as possible. If
   possible, try to use something similar to the following:

     ./configure --disable-wildcards --enable-chrooted-binary \
       --disable-gftp-compat --with-sftp-server=/path/to/sftp-server

3) NOTE THE FOLLOWING SECURITY RISKS:

   -- by enabling wildcards, there is a slightly higher chance of an exploit
   -- by enabling scp and/or scp compatibility, more programs will need to be
      installed in the chroot which increases the risk
   -- CAUTION: by enabling svn/svnserve the user WILL BE ABLE TO EXECUTE
      SCRIPTS OR PROGRAMS INDIRECTLY! svn and svnserve will try to execute
      pre-commit, post-commit hooks, as well as a few others. These files
      have specific filenames at specific locations relative to the svn
      repository root. Thus, unless you are *very* careful about security,
      the user WILL BE ABLE TO EXECUTE SCRIPTS OR PROGRAMS INDIRECTLY! This
      can be prevented by a careful configuration.
   -- The following programs use configuration files that might allow the user
      to bypass security restrictions placed on command line arguments:

        svn, svnserve, rsync, and unison

      Note specifically that rsync uses popt for parsing command line arguments
      and popt explicitly checks /etc/popt and $HOME/.popt for aliases. Thus,
      users can likely bypass argument checking for rsync.

4) Make sure that all files required for the chroot have the IMMUTABLE and
   UNDELETABLE bits set. Other bits might also be prudent. See: man 1 chattr.

5) Only put files in the chroot that are absolutely essential to its
   functionality.

6) Make sure the following directories are locked down appropriately:

     ~/.ssh, ~/.unison, ~/.subversion

   NOTE: depending on file permissions in the above, ssh, unison, and
   subversion may not work correctly. Also note that the location of the
   above directories is sometimes system dependent, so please check the
   documentation specific to your system.

7) Make sure that every directory the users have write permissions to is
   on a filesystem that is mounted NODEV, NOEXEC. That is, make sure that they
   cannot execute files that they have permissions to upload. They should
   also not need permissions to create any devices. If the user can't execute
   any files that he has access to upload and the executable files on the
   system are not considered harmful, then you need not worry about the
   security problems regarding svn/svnserve described above!

8) Monitor your logs! If you start to see something funny, odd, or strange in
   the logs, please let us know so that we can investigate and make sure any
   problems are resolved.

9) Stay up-to-date with the scponly installs. We don't have releases too
   often, but the changes we do make are usually important!

10) Enjoy!

Lastly, if you have other suggestions and thoughts that would help secure an
scponly install, please send them to us!

Thanks for using scponly!
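
Added example, not part of the scponly distribution: a shell check for item 7
that reports whether the filesystem holding an upload directory is mounted
nodev and noexec. It assumes a Linux /proc/mounts table; the function names and
the path in the usage comment are made up for illustration.

```shell
#!/bin/sh
# Added example: verify that a user-writable directory sits on a filesystem
# mounted nodev,noexec. Function names are illustrative, not scponly's.

# mount_opts_for PATH [MOUNTS_FILE]
# Prints the options of the mount that contains PATH: the longest mount
# point that is a path prefix of PATH wins; on a tie the later entry wins.
# Mount points containing spaces (\040 in /proc/mounts) are not handled.
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/") hit = 1
            else hit = (p == mp || index(p, mp "/") == 1)
            if (hit && length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { if (best) print opts }
    ' "${2:-/proc/mounts}"
}

# has_opt OPTS NAME: succeeds if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_upload_dir PATH [MOUNTS_FILE]
# Prints "ok", or "missing:" followed by the absent options (returns 1).
check_upload_dir() {
    opts=$(mount_opts_for "$1" "${2:-/proc/mounts}")
    missing=""
    for o in nodev noexec; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    if [ -z "$missing" ]; then
        echo "ok"
    else
        echo "missing:$missing"
        return 1
    fi
}

# Usage: sh check_mounts.sh /home/alice/incoming ...  (example path)
for d in "$@"; do
    printf '%s: %s\n' "$d" "$(check_upload_dir "$d")"
done
```

Pass absolute paths; a directory reported as "missing: noexec" is one where
uploaded files, including svn hook scripts, could still be executed.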