[darcs-users] suggestion: each push should identify its target repo internally

BARBOUR Timothy Timothy_BARBOUR at rta.nsw.gov.au
Fri Aug 15 05:45:15 UTC 2003


> -----Original Message-----
> From: David Roundy [mailto:droundy at abridgegame.org]
> Sent: Friday, August 15, 2003 12:27 AM
[...]
> I'm not comfortable building infrastructure into darcs for dispatching
> patches to repos because unless you are rather careful (or only
> include your own key in allowed_keys), you could be opening up security
> holes in your system by running multiple pushable repos as the same user.
> Anyone who has write access to a repo that runs the test on applied patches
> can run arbitrary code on your system.

It seems highly desirable to limit the security consequences by running the
test as a low-privileged user (similar to nobody).
If I understand correctly, darcs check will use the patches in the
repository to re-create the current tree, then presumably run the test on
it. Perhaps it could be modified to re-create the current tree, then
chown -R that to the low-privileged user (darcs_test ?) and run the test as
that user. That probably does not eliminate the security risk, but should
reduce it a lot. For the truly paranoid, it might be desirable to be able to
specify that the test will be run inside a chroot or even a virtual machine
(such as user-mode linux).

Tim
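One way to carry out the scheme Tim sketches (re-create the tree in a scratch copy, chown -R it to a dedicated account, run the test as that account), written as an added shell example for this thread; it is not darcs code and not anything posted by the participants. It assumes the test is a script named ./test at the tree root, that an account named darcs_test exists when run as root, and that su(1) accepts -s to choose the shell; when not run as root it falls back to the scratch copy and scrubbed environment alone, which is weaker isolation.

```shell
#!/bin/sh
# Run a repository's test script from a scratch copy of the tree, as a
# dedicated low-privilege account when possible. Added illustration, not
# darcs code. Assumed: ./test at the tree root, account darcs_test, su -s.
TEST_USER="${TEST_USER:-darcs_test}"
CPU_LIMIT_SECS="${CPU_LIMIT_SECS:-600}"

# usage: run_test_as_user <tree-dir>; returns the test script's exit status
run_test_as_user() {
    tree="$1"
    scratch=$(mktemp -d) || return 70
    # Work on a copy so the test cannot modify the real working tree
    cp -R -p "$tree"/. "$scratch"/ || { rm -rf "$scratch"; return 70; }
    rc=0
    if [ "$(id -u)" -eq 0 ] && id "$TEST_USER" >/dev/null 2>&1; then
        # Privileged path: hand the copy to the test account and drop to it,
        # with an empty environment and a CPU-time ceiling on the test.
        chown -R "$TEST_USER" "$scratch" || { rm -rf "$scratch"; return 70; }
        su -s /bin/sh "$TEST_USER" -c \
            "cd '$scratch' && env -i PATH=/usr/bin:/bin HOME='$scratch' \
             sh -c 'ulimit -t $CPU_LIMIT_SECS; sh ./test'" || rc=$?
    else
        # Unprivileged fallback: same scratch copy, scrubbed environment and
        # CPU limit, but no ownership change, so isolation is weaker.
        ( cd "$scratch" && env -i PATH=/usr/bin:/bin HOME="$scratch" \
            sh -c "ulimit -t $CPU_LIMIT_SECS; sh ./test" ) || rc=$?
    fi
    rm -rf "$scratch"
    return $rc
}
```

The chown and su steps only reduce what the test can reach as the invoking user; a chroot or user-mode linux instance, as Tim notes, is the stronger containment.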

