Overview
| Comment: | Small improvements to the new Fossil Chroot Jail section of www/server.wiki |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | server-docs |
| Files: | files | file ages | folders |
| SHA3-256: | 4c837bc3430fcd464023685c75d5941d |
| User & Date: | wyoung 2019-08-16 11:41:03.651 |
Context
2019-08-16

| 11:42 | Markdownism fixes... ... (check-in: 1428f59ec9 user: wyoung tags: server-docs) |
| 11:41 | Small improvements to the new Fossil Chroot Jail section of www/server.wiki ... (check-in: 4c837bc343 user: wyoung tags: server-docs) |
| 11:08 | Small clarity tweak to the new "Methods" discussion in www/server.wiki. ... (check-in: fc00b7b297 user: wyoung tags: server-docs) |
Changes
Changes to www/server.wiki.
| ︙ | ︙ | |||
164 165 166 167 168 169 170 | <h2 id="chroot">The Fossil Chroot Jail</h2> <blockquote> If you run Fossil as root in any mode that serves data on the network, and you're running it on Unix or a compatible OS, Fossil will drop itself into a [https://en.wikipedia.org/wiki/Chroot | | | | | | > | | > | < | | > | | 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 |
<h2 id="chroot">The Fossil Chroot Jail</h2>
<blockquote>
If you run Fossil as root in any mode that serves data on the
network, and you're running it on Unix or a compatible OS, Fossil
will drop itself into a [https://en.wikipedia.org/wiki/Chroot |
chroot jail] shortly after starting up, after
it's done everything that requires root access. Most
commonly, you run Fossil as root to allow it to bind to TCP port 80
for HTTP service, since normal users are restricted to ports 1024
and up on OSes where this behavior occurs.
Fossil uses the owner of the Fossil repository file as its new user
ID when dropping root privileges.
When this happens, Fossil needs to have all of its dependencies
inside the chroot jail. There are several things you typically need
in order to make things work properly:
<ul>
<li>the repository file(s)
<li><tt>/dev/null</tt> — create it with <tt>mknod(8)</tt> inside the
jail directory ([https://fossil-scm.org/forum/forumpost/90caff30cb |
Linux example])
<li><tt>/dev/urandom</tt> — ditto
<li>any shared libraries your <tt>fossil</tt> binary is linked to,
such as <tt>/lib/libssl.so</tt>; consider
<tt>[https://www.fossil-scm.org/fossil/doc/trunk/www/build.wiki |
./configure --static]</tt> to avoid the need for this
</ul> </blockquote>
<blockquote>
Fossil does all of this in order to protect the host OS. You can make it
bypass the jail part of this by passing `--nojail` to `fossil server`,
but you cannot make it skip the dropping of root privileges, on purpose.
</blockquote>
<h2 id="loadmgmt">Managing Server Load</h2>
<blockquote>
A Fossil server is very efficient and normally presents a very light
|
| ︙ | ︙ |
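
Review bot: The last blockquote of the chroot section wraps --nojail and fossil server in Markdown backticks, while every other literal in this section of www/server.wiki uses <tt> tags (<tt>/dev/null</tt>, <tt>mknod(8)</tt>, <tt>fossil</tt>); suggest <tt>--nojail</tt> and <tt>fossil server</tt> so the markup is consistent within the file. Separately, the <tt>/dev/null</tt> and <tt>/dev/urandom</tt> list items say to create the nodes with mknod(8) but not who must be able to open them. Since the paragraph just above states that Fossil switches to the repository file's owner when it drops root, it would help to add a clause saying the device nodes inside the jail need to be accessible to that user, not only to root. The --nojail paragraph could also say in a few words what is given up by skipping the jail, given that the text presents the jail as the protection for the host OS.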