Gitolite chroot setup


Ken Hornstein

Aug 13, 2024, 11:37:05 AM
to gito...@googlegroups.com
During our gitolite deployment I was asked by our security people to run
gitolite in a chroot jail. I couldn't find a recipe to do that, but
after I fiddled with it I found it wasn't too difficult and I thought it
might be helpful for others. Here's what I did:

- In this setup the git user's home directory is /home/git, and the chroot
jail location is /var/lib/gitolite. Adjust as appropriate for your site.

- Create the following directory structure in /var/lib/gitolite to replicate
a similar structure in / (note that the symlinks are the same as appear
in / for RHEL systems; you'd want to replicate whatever is
appropriate for your distribution). Note carefully the permissions on
the 'tmp' subdirectory; they should replicate the permissions in the
system /tmp.

lrwxrwxrwx. 1 root root 7 Jul 27 23:28 bin -> usr/bin
drwxr-xr-x. 2 root root 52 Jul 29 20:03 dev
drwxr-xr-x. 96 root root 8192 Aug 4 03:30 etc
drwxr-xr-x. 3 root root 17 Jul 27 23:25 home
lrwxrwxrwx. 1 root root 7 Jul 27 23:29 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Jul 27 23:29 lib64 -> usr/lib64
lrwxrwxrwx. 1 root root 8 Jul 27 23:29 sbin -> usr/sbin
drwxrwxrwt. 2 root root 6 Aug 13 09:53 tmp
drwxr-xr-x. 14 root root 167 Jul 3 2021 usr

- Create the directory "/var/lib/gitolite/home/git" and the following
plain files with the 'touch' command:

/var/lib/gitolite/dev/null
/var/lib/gitolite/dev/zero
/var/lib/gitolite/dev/tty
/var/lib/gitolite/dev/log

- Create the following mountpoints; I simply put these in /etc/fstab
and that worked fine.

#
# Mount points for gitolite chroot jail
#
/usr /var/lib/gitolite/usr none defaults,ro,bind 0 0
/etc /var/lib/gitolite/etc none defaults,ro,bind 0 0
/home/git /var/lib/gitolite/home/git none defaults,bind 0 0
/dev/null /var/lib/gitolite/dev/null none defaults,bind 0 0
/dev/zero /var/lib/gitolite/dev/zero none defaults,bind 0 0
/dev/tty /var/lib/gitolite/dev/tty none defaults,bind 0 0
/dev/log /var/lib/gitolite/dev/log none defaults,bind 0 0

- Configure sshd to run the git user in a chroot jail:

Match User git
ChrootDirectory /var/lib/gitolite

And that's it. Note that another request by our security people was that
gitolite use syslog for logging instead of the default file-based logging,
so that's why /dev/log is mounted into the chroot jail; if you didn't
use syslog that would not be necessary.

I hope this is helpful for others and of course feedback is welcome.

--Ken
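An added check script (not part of Ken's post) for verifying a jail built by the steps above: it confirms the jail root meets sshd's ChrootDirectory ownership/mode rules, that the symlinks, sticky 1777 tmp and /dev placeholders are in place, and that the /usr and /etc bind entries in fstab carry 'ro'. It assumes Linux with GNU coreutils; the jail path (default /var/lib/gitolite) and the fstab path are arguments, and the script name check_gitolite_jail.sh is an assumption.

```shell
#!/bin/sh
# Sanity checks for a gitolite chroot jail laid out as in the post above.
# Assumes Linux with GNU coreutils; JAIL defaults to /var/lib/gitolite.

# sshd refuses a ChrootDirectory that is not owned by root or is group/world
# writable (it applies the same rule to every parent directory). 0 = passes.
jail_root_ok() {
    [ "$(stat -c %U "$1")" = root ] || return 1
    case $(stat -c %a "$1") in
        *[2367][0-7]) return 1 ;;   # group-writable
        *[2367])      return 1 ;;   # world-writable
    esac
}

# usr-merge symlinks as on the host, sticky 1777 tmp, plain-file placeholders
# for the /dev bind mounts, and the git home mountpoint. 0 = passes.
jail_layout_ok() {
    jail=$1
    for l in bin:usr/bin lib:usr/lib lib64:usr/lib64 sbin:usr/sbin; do
        [ "$(readlink "$jail/${l%%:*}")" = "${l#*:}" ] || return 1
    done
    [ "$(stat -c %a "$jail/tmp")" = 1777 ] || return 1
    for d in null zero tty log; do
        [ -f "$jail/dev/$d" ] || return 1
    done
    [ -d "$jail/home/git" ]
}

# /usr and /etc must be bound read-only: defence in depth so that nothing done
# inside the jail can land on the host's copies. Args: fstab file, jail path.
fstab_ro_ok() {
    fstab=$1 jail=$2
    for src in /usr /etc; do
        opts=$(awk -v t="$jail$src" '$1 !~ /^#/ && $2 == t { print $4 }' "$fstab")
        [ -n "$opts" ] || return 1
        case ",$opts," in *,ro,*) ;; *) return 1 ;; esac
    done
}

main() {
    jail=${1:-/var/lib/gitolite}
    jail_root_ok "$jail"           && echo "ok: jail root" || echo "FAIL: jail root owner/mode"
    jail_layout_ok "$jail"         && echo "ok: layout"    || echo "FAIL: symlinks, tmp mode or dev files"
    fstab_ro_ok /etc/fstab "$jail" && echo "ok: ro binds"  || echo "FAIL: /usr or /etc bind not ro"
}
# Run only when executed directly, not when sourced for its functions
case $0 in *check_gitolite_jail.sh) main "$@" ;; esac
```

The script only inspects fstab and the on-disk layout; whether the binds are actually mounted is left to `findmnt`.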