Launching CVSTrac Into A Chroot Jail

CVSTrac will automatically put itself into a chroot jail if its first argument is chroot and it is started as root. After the chroot argument, the next two arguments are the directory which should be the new root directory and the user that the program should run as after it is chrooted. (CVSTrac always drops any superuser privileges before doing any real work, regardless of whether or not you use the chroot option.) After the chroot argument and its two parameters, the usual cgi or http keyword and its arguments appear.

When CVSTrac is run from inetd, the inetd.conf configuration line looks something like this:

  2080 stream tcp nowait.1000 root /usr/bin/cvstrac \
       cvstrac chroot /home/cvs cvs http /

The three arguments chroot /home/cvs cvs tell the server to put itself into a chroot jail located at /home/cvs and drop superuser privilege and become user cvs before continuing. The first three arguments are then removed and processing continues as if the command had been launched as

  cvstrac http /

Notice that the directory argument to the http directive, the argument that tells CVSTrac where to look for its database, is specified relative to the chroot jail, not to the regular filesystem.

Configuring The Jail

CVSTrac does a popen() of a few commands for some of its operations. It uses the following external programs: rlog, rcsdiff and co. The popen() procedure uses /bin/sh and rcsdiff uses diff. All of these external programs must be available inside the chroot jail. In addition, CVSTrac needs to access a stripped-down version of /etc/passwd at one point. It also needs access to the /tmp directory and to the special file /dev/null. The /etc/localtime file is optional, but without it, all times are shown in UTC. It should NOT be a symlink, but a copy.

The dev/null node can be created like this:

  mknod dev/null c 1 3
  chmod ugo+rw dev/null

The following listing shows all the files and directories in the chroot jail for the canonical CVSTrac installation:

  bin
  bin/sh
  bin/bash
  dev
  dev/null
  etc
  etc/localtime
  etc/passwd
  lib
  lib/libc.so.6
  lib/ld-linux.so.2
  lib/libtermcap.so.2
  tmp
  usr
  usr/bin
  usr/bin/rcsdiff
  usr/bin/co
  usr/bin/rlog
  usr/bin/diff

A similar set of files will be required in any chroot jail for CVSTrac, though the details may vary. For example, the required libraries might change, or you might use a different shell. (The bin/sh above is a hard link to bin/bash.)

You can easily create a chroot jail with Jailkit. It has useful utilities like jk_cp and jk_init to quickly create chroot jails and automatically copy the required libraries into the chroot jail.

You can determine which libraries are needed by using ldd for each executable you place within the chroot jail:

  ldd /bin/bash

        libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001b000)
        libc.so.6 => /lib/libc.so.6 (0x4001c000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000d000)
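
The requirements above can be checked mechanically before CVSTrac is started in the jail. The following POSIX shell script is an added example, not part of CVSTrac or its documentation; the function names ldd_paths, missing_libs and audit_jail are this example's own. It prints one line per problem found in a jail directory and prints nothing when the jail matches the listing on this page.

```shell
#!/bin/sh
# Added example: audit a CVSTrac chroot jail against the requirements on this page.
# Usage: sh <this-script> /home/cvs

# Read ldd output on stdin, print the absolute library path from each line.
# Lines with no absolute path (e.g. "statically linked") produce nothing.
ldd_paths() {
    awk '{ p = ""
           for (i = 1; i <= NF; i++) if ($i ~ /^\//) p = $i
           if (p != "") print p }'
}

# Read library paths on stdin; report those absent from jail $1.
# $2 names the program that needs them (used in the message only).
missing_libs() {
    while read -r lib; do
        [ -e "$1$lib" ] || echo "library not in jail: $lib (needed by $2)"
    done
}

audit_jail() {
    jail=${1%/}
    # The shell used by popen(), the three RCS tools, and diff for rcsdiff.
    for f in bin/sh usr/bin/rlog usr/bin/rcsdiff usr/bin/co usr/bin/diff; do
        if [ -x "$jail/$f" ]; then
            ldd "$jail/$f" 2>/dev/null | ldd_paths | missing_libs "$jail" "$f"
        else
            echo "missing or not executable: $f"
        fi
    done
    [ -f "$jail/etc/passwd" ] || echo "missing: etc/passwd"
    [ -d "$jail/tmp" ] || echo "missing: tmp"
    [ -c "$jail/dev/null" ] || echo "dev/null is missing or not a character device"
    # A symlink would resolve against the jail root after chroot, so a copy is required.
    if [ -L "$jail/etc/localtime" ]; then
        echo "etc/localtime is a symlink; it must be a copy"
    elif [ ! -f "$jail/etc/localtime" ]; then
        echo "note: no etc/localtime, times will be shown in UTC"
    fi
    return 0
}

if [ $# -gt 0 ]; then
    audit_jail "$1"
fi
```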

Setup Changes

After you get CVSTrac running inside a chroot jail, you'll need to log in as the "setup" user, go to the "setup" page, and change the path to the CVS repository and the log file so that they are relative to the chroot jail, not the regular filesystem. Other than that, though, no additional setup changes are required.

Additional Considerations

The above instructions are intended for Linux. If you need to create a chroot jail for CVSTrac on FreeBSD 4.x or another operating system, or if you need help troubleshooting your chroot jail installation, please review the FrequentlyAskedQuestions.