_Launching CVSTrac Into A Chroot Jail_

CVSTrac will automatically put itself into a chroot jail if its first argument is _chroot_ and it is started as root. After the _chroot_ argument, the next two arguments are the directory that should become the new root directory and the user that the program should run as after it is chrooted. (CVSTrac always drops any superuser privileges before doing any real work, regardless of whether or not you use the _chroot_ option.) After the _chroot_ argument and its two parameters, the usual _cgi_ or _http_ keyword and its arguments appear.

For the http://cvs.hwaci.com:2080/cvstrac/ site, CVSTrac is run from inetd. The inetd.conf configuration line looks like this:

    2080 stream tcp nowait.1000 root /usr/bin/cvstrac \
        cvstrac chroot /home/cvs cvs http /

The three arguments _chroot /home/cvs cvs_ tell the server to put itself into a chroot jail located at _/home/cvs_, drop superuser privilege, and become user _cvs_ before continuing. The first three arguments are then removed and processing continues as if the command had been launched as

    cvstrac http /

Notice that the directory argument to the _http_ directive, the argument that tells CVSTrac where to look for its database, is specified relative to the chroot jail, not to the regular filesystem.

_Configuring The Jail_

CVSTrac does a _popen()_ of a few commands for some of its operations. It uses the following external programs: _rlog_, _rcsdiff_, and _co_. The _popen()_ procedure uses _/bin/sh_ and _rcsdiff_ uses _diff_. All of these external programs must be available inside the chroot jail. In addition, CVSTrac needs to access a stripped-down version of _/etc/passwd_ at one point. It also needs access to the _/tmp_ directory and to the special file _/dev/null_. The _/etc/localtime_ file is optional, but without it, all times are shown in UTC.

The following listing shows all the files and directories in the chroot jail for the canonical CVSTrac installation:

    bin
    bin/sh
    bin/bash
    dev
    dev/null
    etc
    etc/localtime
    etc/passwd
    lib
    lib/libc.so.6
    lib/ld-linux.so.2
    lib/libtermcap.so.2
    tmp
    usr
    usr/bin
    usr/bin/rcsdiff
    usr/bin/co
    usr/bin/rlog
    usr/bin/diff

A similar set of files will be required in any chroot jail for CVSTrac, though the details may vary. For example, the required libraries might change. Or you might use a different shell. (The _bin/sh_ above is a hard link to _bin/bash_.)

_Setup Changes_

After you get CVSTrac running inside a chroot jail, you'll need to log in as the "setup" user, go to the "setup" page, and change the path to the CVS repository and the log file so that they are relative to the chroot jail, not the regular filesystem. Other than that, though, no additional setup changes are required.
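
The jail contents listed under _Configuring The Jail_ can be checked before inetd is pointed at the directory. The script below is an added example, not part of CVSTrac or of the original page; the function names audit_jail and check_jail are its own, and the world-writable check is an extra hardening assumption rather than a CVSTrac requirement.

```shell
#!/bin/sh
# Added example (not CVSTrac code): audit a chroot jail against the page's layout.
# Programs CVSTrac reaches through popen(), per the page: sh, rlog, rcsdiff, co, diff.
JAIL_PROGRAMS="bin/sh usr/bin/rlog usr/bin/rcsdiff usr/bin/co usr/bin/diff"

# audit_jail JAIL USER: print one ERROR or WARN line per finding.
audit_jail() {
    jail=${1%/}
    user=$2
    for p in $JAIL_PROGRAMS; do
        [ -x "$jail/$p" ] || echo "ERROR missing or not executable: $p"
    done
    # A regular file or a symlink named dev/null is not enough; it must be the device node.
    if [ -L "$jail/dev/null" ] || [ ! -c "$jail/dev/null" ]; then
        echo "ERROR dev/null is not a character device"
    fi
    [ -d "$jail/tmp" ] || echo "ERROR missing directory: tmp"
    # The stripped-down passwd must still resolve the account CVSTrac switches to.
    if [ ! -f "$jail/etc/passwd" ]; then
        echo "ERROR missing file: etc/passwd"
    elif ! grep -q "^$user:" "$jail/etc/passwd"; then
        echo "ERROR no entry for user '$user' in etc/passwd"
    fi
    [ -e "$jail/etc/localtime" ] || echo "WARN etc/localtime absent, times will be shown in UTC"
    # Extra hardening check (this example's assumption, not a CVSTrac requirement):
    # outside tmp nothing should be world-writable, otherwise the unprivileged user
    # could replace the shell and RCS tools that CVSTrac executes.
    find "$jail" -path "$jail/tmp" -prune -o \( -type f -o -type d \) -perm -002 -print 2>/dev/null |
        while IFS= read -r f; do
            rel=${f#"$jail"/}
            echo "ERROR world-writable: $rel"
        done
    return 0
}

# check_jail JAIL USER: print the findings; succeed only if none is an ERROR.
check_jail() {
    report=$(audit_jail "$1" "$2")
    [ -z "$report" ] || printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^ERROR'
}

# Stand-alone use, e.g.: sh check_jail.sh /home/cvs cvs  (script name is hypothetical)
if [ "$#" -eq 2 ]; then check_jail "$1" "$2"; fi
```

The script does not check shared libraries; running ldd on each program copied into the jail shows which ones have to be present under lib.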