Fossil SCM
# The Server Chroot Jail

If you run Fossil as root in any mode that [serves data on the
network][srv], and you're running it on Unix or a compatible OS, Fossil
will drop itself into a [`chroot(2)` jail][cj] shortly after starting
up. The usual reason for launching Fossil as root is to allow it to bind
to TCP port 80 for HTTP service, since normal users are restricted to
ports 1024 and higher.

Fossil uses the owner of the Fossil repository file as its new user ID
when it drops root privileges.

When Fossil enters a chroot jail, it needs to have all of its
dependencies inside the jail in order to continue working. The following
resources must be inside the chroot jail with Fossil for it to work
correctly:

* the repository file(s)

* `/dev/null` — create it with `mknod(8)` inside the jail directory
  ([Linux example][mnl], [OpenBSD example][obsd])

* `/dev/urandom` — ditto

* `/proc` — you might need to mount this virtual filesystem inside the
  jail on Linux systems that make use of [Fossil’s server load
  shedding feature][fls]

* any shared libraries your `fossil` binary is linked to, unless you
  [configured Fossil with `--static`][bld] to avoid it

Fossil does all of this as one of many layers of defense against
hacks and exploits. You can prevent Fossil from entering the chroot
jail using the `--nojail` option to the
[fossil server command](/help/server),
but you cannot make Fossil hold onto root privileges. Fossil always drops
root privilege before accepting inputs, for security.
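A pre-flight check for the jail contents listed above, as an added example that is not part of Fossil's own code: given the directory that will become `/` after `chroot(2)`, it reports which of the required resources are absent or wrong before the server is started. The Linux device numbers, the `/proc/loadavg` path, the library path and the `museum.fossil` repository name are assumptions, not values from this page.

```python
import os
import stat
import tempfile

# Assumption: Linux device numbers for the two character devices the jail needs
# (null = major 1, minor 3; urandom = major 1, minor 9). Adjust for other OSes.
EXPECTED_DEVICES = {"dev/null": (1, 3), "dev/urandom": (1, 9)}

def check_char_device(path, major_minor):
    """None if path is a character device with the expected numbers, else the reason."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing (create it with mknod)"
    if not stat.S_ISCHR(st.st_mode):
        return "not a character device"
    actual = (os.major(st.st_rdev), os.minor(st.st_rdev))
    if actual != major_minor:
        return f"device numbers {actual}, expected {major_minor}"
    return None

def check_jail(jail, repos, libs=(), want_proc=False):
    """List what is missing from a directory that will become '/' after chroot(2)."""
    if not os.path.isdir(jail):
        return [f"{jail}: jail directory does not exist"]
    problems = []
    for rel in repos:                      # repository paths relative to the jail root
        if not os.path.isfile(os.path.join(jail, rel)):
            problems.append(f"/{rel}: repository file missing inside the jail")
    for rel, numbers in EXPECTED_DEVICES.items():
        why = check_char_device(os.path.join(jail, rel), numbers)
        if why:
            problems.append(f"/{rel}: {why}")
    for lib in libs:                       # same absolute path must exist under the jail
        if not os.path.exists(os.path.join(jail, lib.lstrip("/"))):
            problems.append(f"{lib}: shared library not copied into the jail")
    # Assumption: the load-shedding check reads /proc/loadavg via getloadavg(3) on Linux.
    if want_proc and not os.path.exists(os.path.join(jail, "proc", "loadavg")):
        problems.append("/proc: not mounted inside the jail (needed for load shedding)")
    return problems

def demo():
    """Constructed sample: a jail holding the repository, a bogus /dev/null and nothing else."""
    jail = tempfile.mkdtemp(prefix="fossil-jail-")
    os.mkdir(os.path.join(jail, "dev"))
    open(os.path.join(jail, "museum.fossil"), "w").close()   # constructed repository stand-in
    open(os.path.join(jail, "dev", "null"), "w").close()      # a regular file, not a device node
    return check_jail(jail, ["museum.fossil"], libs=["/lib/libc.so.6"], want_proc=True)
```

Run `check_jail` against the real jail directory (with the library list from `ldd fossil` unless the binary is static) and fix every reported item before starting the server as root.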

[bld]: https://fossil-scm.org/home/doc/trunk/www/build.wiki
[cj]: https://en.wikipedia.org/wiki/Chroot
[fls]: ./loadmgmt.md
[mnl]: https://fossil-scm.org/forum/forumpost/90caff30cb
[srv]: ./server/
[obsd]: ./server/openbsd/fastcgi.md#chroot