[darcs-users] scponly, rssh, darcs-server, jail

Guillaume Hoffmann guillaumh at gmail.com
Sat Apr 4 14:06:03 UTC 2009


Hi,

I have followed the instructions at
http://wiki.darcs.net/DarcsWiki/HintsAndTips#head-b0e65fffb81623b4862802160f3e1437713d8b59
in order to use scponly to restrict ssh access for a darcs project,
but I am not able to push patches. I'm using darcs 2.2.1 on an Ubuntu
9.04 machine. scponly is version 4.6-1.4ubuntu1.

After a little searching, I found that scponly is not compatible with
darcs. It does have flags to be built to be compatible with SVN, for
instance (http://www.sublimation.org/scponly/wiki/index.php/Features),
but darcs compatibility has been rejected by the developers of scponly
(https://lists.ccs.neu.edu/pipermail/scponly/2007-July/001804.html).
I am surprised that one cannot simply tell scponly "please also allow
this program to be run" in a configuration file, but well, there are
certainly good reasons for that.

I should clarify my intentions: I want an easy (but not necessarily
unbreakable) way to restrict permissions of users solely created to
commit into a darcs repository on a Linux box. I'm aware of the
"not unbreakable" aspect because, as the manpage of rssh says about
CVS:

"If you are using rssh to allow CVS access, it should be noted that it
is not possible to prevent a user who is very familiar with CVS from
bypassing rssh and getting a shell, unless the user does not have
write access in the repository. Obviously, the user must have write
access to the repository in order to update it, which allows them to
upload arbitrary programs into the repository. CVS provides several
mechanisms for executing such arbitrary programs..."

Then the manpage suggests using chroot jails, but that is starting to
seem a little too tedious for a lazy person like me :-)

So, two questions:

* Is the above-mentioned paragraph on
http://wiki.darcs.net/DarcsWiki/HintsAndTips really outdated or wrong?
* What are you using to restrict user freedom? scponly, rssh? A
chroot jail? Nothing?

[after more searching]

* I found this page: http://wiki.darcs.net/DarcsWiki/RepoViaSSH which
provides a patch for rssh to use darcs.
* I also found a darcs shell posted on this list a few months ago:
http://lists.osuosl.org/pipermail/darcs-users/2008-April/011825.html
I do not know how to use it.
* And finally there is: http://www.equational.org/darcs-server/

Which leads to a third question:

Should we give some love to the page
http://wiki.darcs.net/DarcsWiki/RepoViaSSH to reflect these resources?

guillaume
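
The "also allow this program" idea from the message above, as an added example that is not part of the original post and is not code from scponly, rssh or darcs: an allowlist check meant to be installed as an OpenSSH forced command (`command="..."` in `authorized_keys`). The repository root `/srv/darcs`, the function name `parse_darcs_request` and the two accepted command shapes are assumptions for this sketch.

```shell
#!/bin/sh
# Added example: allowlist for an sshd forced command. REPO_ROOT and the two
# accepted command shapes are assumptions, not taken from any project's docs.
LC_ALL=C; export LC_ALL
REPO_ROOT=${REPO_ROOT:-/srv/darcs}

# Parse a requested command line. On success return 0 and set DARCS_VERB and
# DARCS_REPO; on anything unexpected return 1.
parse_darcs_request() {
    DARCS_VERB= DARCS_REPO=
    set -f                  # no globbing while splitting into words
    set -- $1               # split on whitespace only, nothing is evaluated
    set +f
    [ "${1:-}" = darcs ] || return 1
    case "$#:${2:-}:${3:-}:${4:-}" in
        5:apply:--all:--repodir)      verb=apply; path=$5 ;;
        4:transfer-mode:--repodir:*)  verb=transfer-mode; path=$4 ;;
        *) return 1 ;;
    esac
    path=${path#\'}; path=${path%\'}    # tolerate one pair of single quotes
    case $path in
        *[!A-Za-z0-9_./-]*|*..*) return 1 ;;  # odd characters or traversal
        "$REPO_ROOT"/?*) ;;                   # must live under REPO_ROOT
        *) return 1 ;;
    esac
    DARCS_VERB=$verb DARCS_REPO=$path
}

# Forced-command entry point: sshd places the client's request in
# SSH_ORIGINAL_COMMAND; it is re-built as an argv here, never handed to a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if parse_darcs_request "$SSH_ORIGINAL_COMMAND"; then
        case $DARCS_VERB in
            apply) exec darcs apply --all --repodir "$DARCS_REPO" ;;
            *)     exec darcs transfer-mode --repodir "$DARCS_REPO" ;;
        esac
    fi
    echo "request not permitted" >&2
    exit 1
fi
```

This only narrows which program sshd will start for the account; it does not address the rssh manpage's point about what a user with write access to the repository may be able to run.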

