SECURITY

Here are a few important things to know about security and scponly. This is a
brief attempt to document what should be done to correctly secure scponly.

1) Configure scponly to use a chroot

2) Configure scponly to use as few extra options and services as possible.
   If possible, try to use something similar to the following:

       ./configure --disable-wildcards --enable-chrooted-binary \
           --disable-gftp-compat --with-sftp-server=/path/to/sftp-server

3) NOTE THE FOLLOWING SECURITY RISKS:

   -- by enabling wildcards, there is a slightly higher chance of an exploit

   -- by enabling scp and/or scp compatibility, more programs will need to be
      installed in the chroot, which increases the risk

   -- CAUTION: by enabling svn/svnserve the user WILL BE ABLE TO EXECUTE
      SCRIPTS OR PROGRAMS INDIRECTLY! svn and svnserve will try to execute
      pre-commit and post-commit hooks, as well as a few others. These files
      have specific filenames at specific locations relative to the svn
      repository root. Thus, unless you are *very* careful about security,
      the user WILL BE ABLE TO EXECUTE SCRIPTS OR PROGRAMS INDIRECTLY! This
      can be prevented by careful configuration.

   -- The following programs use configuration files that might allow the
      user to bypass security restrictions placed on command line arguments:
      svn, svnserve, rsync, and unison

      Note specifically that rsync uses popt for parsing command line
      arguments, and popt explicitly checks /etc/popt and $HOME/.popt for
      aliases. Thus, users can likely bypass argument checking for rsync.

4) Make sure that all files required for the chroot have the IMMUTABLE and
   UNDELETABLE bits set. Other bits might also be prudent.
   See: man 1 chattr.

5) Only put files in the chroot that are absolutely essential to its
   functionality.

6) Make sure the following directories are locked down appropriately:
   ~/.ssh, ~/.unison, ~/.subversion

   NOTE: depending on file permissions in the above, ssh, unison, and
   subversion may not work correctly.

   Also note that the location of the above directories is sometimes system
   dependent, so please check the documentation specific to your system.

7) Make sure that every directory the users have write permissions to is on
   a filesystem that is mounted NODEV, NOEXEC. That is, make sure that they
   cannot execute files that they have permissions to upload. They should
   also not need permissions to create any devices.

   If the user can't execute any files that he has access to upload and the
   executable files on the system are not considered harmful, then you need
   not worry about the security problems referencing svn/svnserve above!

8) Monitor your logs! If you start to see something funny, odd, or strange
   in the logs, please let us know so that we can investigate and make sure
   any problems are resolved.

9) Stay up-to-date with the scponly installs. We don't have releases too
   often, but the changes we do make are usually important!

10) Enjoy!

Lastly, if you have other suggestions and thoughts that would help secure an
scponly install, please send them to us!

Thanks for using scponly!
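The check in item 7 can be automated. The following is an added example, not part of the scponly distribution: it finds the mount that holds a user-writable directory and reports whether nodev and noexec are set. The mount table, directory names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example for item 7; not scponly code.
# Constructed sample in /proc/mounts format. On a real host pass "$(cat /proc/mounts)".
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,relatime 0 0
/dev/sda3 /home/scponly ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# mount_opts_for DIR MOUNTS: print the options of the mount that holds DIR,
# i.e. the longest mount point that is a path prefix of DIR (later entries win ties).
mount_opts_for() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        {
            mp = $2
            # "/" holds every path; otherwise require an exact match or a "/" boundary
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_upload_dir DIR MOUNTS: print OK, or the options missing for DIR.
check_upload_dir() {
    opts=$(mount_opts_for "$1" "$2")
    missing=""
    for o in nodev noexec; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    if [ -z "$missing" ]; then
        echo "OK"
    else
        echo "MISSING:$missing"
    fi
}

# Constructed directories: a chrooted upload dir, a sibling home, and /tmp.
for d in /home/scponly/incoming /home/scponly2/incoming /tmp/upload; do
    printf '%s %s\n' "$d" "$(check_upload_dir "$d" "$SAMPLE_MOUNTS")"
done
```

The "/" boundary test matters: /home/scponly2 is not under the /home/scponly mount, so it inherits the weaker options of /home.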