SECURITY

Here are a few important things to know about security and scponly.  This is a
brief attempt to document what should be done to correctly secure scponly.

1) Configure scponly to use a chroot

2) Configure scponly to use as few extra options and services as possible.  If
   possible, try to use something similar to the following:

   ./configure --disable-wildcards --enable-chrooted-binary \
   --disable-gftp-compat --with-sftp-server=/path/to/sftp-server

3) NOTE THE FOLLOWING SECURITY RISKS:

   -- by enabling wildcards, there is a slightly higher chance of an exploit
   -- by enabling scp and/or scp compatibility, more programs will need to be
      installed in the chroot which increases the risk
   -- CAUTION: by enabling svn/svnserve the user WILL BE ABLE TO EXECUTE
      SCRIPTS OR PROGRAMS INDIRECTLY!  svn and svnserve will try to execute
      pre-commit, post-commit hooks, as well as a few others.  These files
      have specific filenames at specific locations relative to the svn
      repository root.  Thus, unless you are *very* careful about security,
      the user WILL BE ABLE TO EXECUTE SCRIPTS OR PROGRAMS INDIRECTLY!  This
      can be prevented by a careful configuration.
   -- The following programs use configuration files that might allow the user
      to bypass security restrictions placed on command line arguments:

	  svn, svnserve, rsync, and unison

	  Note specifically that rsync uses popt for parsing command line arguments
	  and popt explicitly checks /etc/popt and $HOME/.popt for aliases. Thus,
	  users can likely bypass argument checking for rsync.

4) Make sure that all files required for the chroot have the IMMUTABLE and
   UNDELETABLE bits set.  Other bits might also be prudent. See: man 1 chattr.

5) Only put files in the chroot that are absolutely essential to its
   functionality.

6) Make sure the following directories are locked down appropriately:

   ~/.ssh, ~/.unison, ~/.subversion

   NOTE: depending on file permissions in the above, ssh, unison, and
   subversion may not work correctly.  Also note that the location of the
   above directories is sometimes system dependent, so please check the
   documentation specific to your system.

7) Make sure that every directory the users have write permissions to are
   on a filesystem that is mounted NODEV, NOEXEC.  Eg. Make sure that they
   cannot execute files that they have permissions to upload.  They should
   also not need permissions to create any devices.  If the user can't execute
   any files that he has access to upload and the executable files on the
   system are not considered harmful, then you need not worry about the
   security problems referencing svn/svnserve above!

8) Monitor your logs!  If you start to see something funny, odd, or strange in
   the logs, please let us know so that we can investigate and make sure any
   problems are resolved.

9) Stay up-to-date with the scponly installs.  We don't have releases too
   often, but the changes we do make are usually important!

10) Enjoy!

Lastly, if you have other suggestions and thoughts that would help secure an
scponly install, please send them to us!

Thanks for using scponly!