
Running Chrooted SVN on Debian Mini-HOWTO
Chapter 3 - Building the jail


We want to build an environment in which our Subversion server can run securely with access to as few resources as possible, in order to limit the potential damage should a malicious individual break into our system.

We create a minimal filesystem hierarchy for the jail:

     $ mkdir -p /var/jails/svn
     $ cd /var/jails/svn
     $ mkdir -p dev lib usr/bin usr/lib var/lib tmp
     $ chmod 777 tmp
     $ mknod dev/null c 1 3
     $ mknod dev/random c 1 8
     $ chmod 666 dev/null dev/random

Then we need to identify the binaries our Subversion server needs in order to run. We need /usr/bin/svnserve, of course, and the shared libraries it uses. To find these, we do:

     $ ldd /usr/bin/svnserve
         libsvn_repos-1.so.0 => /usr/lib/libsvn_repos-1.so.0 (0x46caa000)
         libsvn_fs-1.so.0 => /usr/lib/libsvn_fs-1.so.0 (0x46cc3000)
         libsvn_delta-1.so.0 => /usr/lib/libsvn_delta-1.so.0 (0x46cc8000)
         libsvn_subr-1.so.0 => /usr/lib/libsvn_subr-1.so.0 (0x46cd1000)
         libsvn_ra_svn-1.so.0 => /usr/lib/libsvn_ra_svn-1.so.0 (0x46cf9000)
         libaprutil-0.so.0 => /usr/lib/libaprutil-0.so.0 (0x46d09000)
         libldap.so.2 => /usr/lib/libldap.so.2 (0x46d1e000)
         liblber.so.2 => /usr/lib/liblber.so.2 (0x46d52000)
         libdb-4.2.so => /usr/lib/libdb-4.2.so (0x46d5f000)
         libexpat.so.1 => /usr/lib/libexpat.so.1 (0x46e35000)
         libapr-0.so.0 => /usr/lib/libapr-0.so.0 (0x46e56000)
         librt.so.1 => /lib/librt.so.1 (0x46e76000)
         libm.so.6 => /lib/libm.so.6 (0x46e88000)
         libnsl.so.1 => /lib/libnsl.so.1 (0x46eaa000)
         libpthread.so.0 => /lib/libpthread.so.0 (0x46ebf000)
         libc.so.6 => /lib/libc.so.6 (0x46f10000)
         libsvn_fs_fs-1.so.0 => /usr/lib/libsvn_fs_fs-1.so.0 (0x47044000)
         libsvn_fs_base-1.so.0 => /usr/lib/libsvn_fs_base-1.so.0 (0x4705e000)
         libdl.so.2 => /lib/libdl.so.2 (0x47083000)
         libcrypt.so.1 => /lib/libcrypt.so.1 (0x47086000)
         libresolv.so.2 => /lib/libresolv.so.2 (0x470b3000)
         libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x470c6000)
         libgnutls.so.11 => /usr/lib/libgnutls.so.11 (0x470db000)
         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x46c8e000)
         libtasn1.so.2 => /usr/lib/libtasn1.so.2 (0x47141000)
         libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x47151000)
         libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x4719e000)
         libz.so.1 => /usr/lib/libz.so.1 (0x471a3000)

We copy these files into the jail:

     $ cp /usr/bin/svnserve usr/bin
     $ cp /lib/ld-linux.so.2 lib
     $ cp /lib/libc.so.6 lib
     $ cp /lib/libcrypt.so.1 lib
     $ cp /lib/libdl.so.2 lib
     $ cp /lib/libm.so.6 lib
     $ cp /lib/libnsl.so.1 lib
     $ cp /lib/libpthread.so.0 lib
     $ cp /lib/libresolv.so.2 lib
     $ cp /lib/librt.so.1 lib
     $ cp /usr/lib/libapr-0.so.0 usr/lib
     $ cp /usr/lib/libaprutil-0.so.0 usr/lib
     $ cp /usr/lib/libdb-4.2.so usr/lib
     $ cp /usr/lib/libexpat.so.1 usr/lib
     $ cp /usr/lib/libgcrypt.so.11 usr/lib
     $ cp /usr/lib/libgnutls.so.11 usr/lib
     $ cp /usr/lib/libgpg-error.so.0 usr/lib
     $ cp /usr/lib/liblber.so.2 usr/lib
     $ cp /usr/lib/libldap.so.2 usr/lib
     $ cp /usr/lib/libsasl2.so.2 usr/lib
     $ cp /usr/lib/libsvn_delta-1.so.0 usr/lib
     $ cp /usr/lib/libsvn_fs-1.so.0 usr/lib
     $ cp /usr/lib/libsvn_fs_base-1.so.0 usr/lib
     $ cp /usr/lib/libsvn_fs_fs-1.so.0 usr/lib
     $ cp /usr/lib/libsvn_ra_svn-1.so.0 usr/lib
     $ cp /usr/lib/libsvn_repos-1.so.0 usr/lib
     $ cp /usr/lib/libsvn_subr-1.so.0 usr/lib
     $ cp /usr/lib/libtasn1.so.2 usr/lib
     $ cp /usr/lib/libz.so.1 usr/lib

The last step to complete the jail is to move our repository inside:

     $ mv /var/lib/svn var/lib/.

That's it! The jail is built.
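The ldd-and-copy procedure above is easy to get wrong by hand, and the hand-typed list silently goes stale whenever a library on the host is upgraded. The following script is an added example, not part of the original HOWTO: it creates the same skeleton, parses ldd output to discover the libraries a binary actually needs, copies each one into the jail at the same path the dynamic loader will look for it, and reports anything the jail is missing. The jail path /var/jails/svn and the binary /usr/bin/svnserve come from the chapter; the function names and the sample ldd lines in the test are this example's own. One deliberate difference from the chapter is noted in a comment: /tmp gets mode 1777 (sticky bit) instead of 777.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): automate the ldd-and-copy
# procedure so the jail's library set tracks the binary's real dependencies.
set -eu

# Print one absolute path per line for every library named in ldd output
# read from stdin.  Handles both "libc.so.6 => /lib/libc.so.6 (0x...)" and
# the bare "/lib/ld-linux.so.2 (0x...)" form; skips the vDSO pseudo-entry
# ("linux-gate.so.1 =>  (0x...)"), which has no file on disk.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy each path read from stdin into the jail root $1, recreating the
# directory it lives in so the loader finds it at the same absolute path.
# Fails (non-zero) on the first path that does not exist on the host.
copy_into_jail() {
    jail=$1
    while IFS= read -r src; do
        [ -f "$src" ] || { echo "missing on host: $src" >&2; return 1; }
        mkdir -p "$jail$(dirname "$src")"
        cp -p "$src" "$jail$src"
    done
}

# Install binary $2 plus everything ldd says it needs into jail $1.
install_binary() {
    jail=$1; bin=$2
    printf '%s\n' "$bin" | copy_into_jail "$jail"
    ldd "$bin" | ldd_paths | copy_into_jail "$jail"
}

# Create the skeleton from the chapter (mknod requires root).  Added
# hardening choice, not the chapter's: /tmp gets the sticky bit (1777)
# rather than 777, so jailed users cannot remove each other's files.
make_jail_tree() {
    jail=$1
    mkdir -p "$jail/dev" "$jail/lib" "$jail/usr/bin" "$jail/usr/lib" \
             "$jail/var/lib" "$jail/tmp"
    chmod 1777 "$jail/tmp"
    [ -e "$jail/dev/null" ]   || mknod -m 666 "$jail/dev/null" c 1 3
    [ -e "$jail/dev/random" ] || mknod -m 666 "$jail/dev/random" c 1 8
}

# Report libraries that binary $2 needs (per the host's ldd) but that are
# absent from jail $1; returns non-zero if any are missing.  Re-run this
# after every library upgrade on the host.
check_jail() {
    jail=$1; bin=$2; missing=0
    for p in $(ldd "$bin" | ldd_paths); do
        [ -f "$jail$p" ] || { echo "missing in jail: $p" >&2; missing=1; }
    done
    return $missing
}

# Usage (as root):  sh build-jail.sh build
if [ "${1:-}" = "build" ]; then
    make_jail_tree /var/jails/svn
    install_binary /var/jails/svn /usr/bin/svnserve
    check_jail /var/jails/svn /usr/bin/svnserve
fi
```

After building, a quick functional check from inside the jail is `chroot /var/jails/svn /usr/bin/svnserve --version`; if the loader reports a missing library, `check_jail` names the path to copy. Note that ldd only lists link-time dependencies: anything svnserve opens at run time with dlopen (for example SASL plugins or name-service modules) will not appear and has to be added separately.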

The final step consists of writing an initialization script that launches our Subversion server inside the jail, under a non-root user, as an additional safety precaution.




0.1.0 - February 2005
Frédéric Bergeron fbergeron@fbergeron.com