Chroot Jail For Cvstrac

Launching CVSTrac Into A Chroot Jail

CVSTrac will automatically put itself into a chroot jail if its first argument is chroot and it is started as root. After the chroot argument, the next two arguments are the directory which should be the new root directory and the user that the program should run as after it is chrooted. (CVSTrac always drops any superuser privileges before doing any real work, regardless of whether or not you use the chroot option.) After the chroot argument and its two parameters, the usual cgi or http keyword and its arguments appear.

For the site, CVSTrac is run from inetd. The inetd.conf configuration line looks like this:

  2080 steam tcp nowait.1000 root /usr/bin/cvstrac \
       cvstrac chroot /home/cvs cvs http /

The three arguments chroot /home/cvs cvs tell the server to put itself into a chroot jail located at /home/cvs and drop superuser privilege and become user cvs before continuing. The first three arguments are then removed and processing continues as if the command had been launched as

  cvstrac http /

Notice that the directory argument to the http directive, the argument that tells CVSTrac where to look for its database, is specified relative to the chroot jail, not to the regular filesystem.

Configuring The Jail

CVSTrac does a popen() of a few commands for some of its operations. It uses the following external programs: rlog rcsdiff co. The popen() procedure uses /bin/sh and rcsdiff uses diff. All of these external programs most be available inside the chroot jail. In addition, CVSTrac needs to access a stripped-down version of /etc/passwd at one point. It also needs access to the /tmp directory and to the special file /dev/null. The /etc/localhost file is optional, but without it, all times are shown in UTC.

The following listing shows all the files and directories in the chroot jail for the canonical CVSTrac installation:


A similar set of files will be required in any chroot jail for CVSTrac, though the details may vary. For example, the required libraries might change. Or you might use a different shell. (The bin/sh above is a hard link to bin/bash)

Setup Changes

After you get CVSTrac running inside a chroot jail, you'll need to log in as the "setup" user, go to the "setup" page, and change the path to the CVS repository and the log file so that they are relative to the chroot jail not the regular filesystem. Other than that, though, no additional setup changes are required.