[darcs-users] suggestion: each push should identify its target repo internally

David Roundy droundy at abridgegame.org
Mon Aug 18 14:17:40 UTC 2003


On Fri, Aug 15, 2003 at 03:45:15PM +1000, BARBOUR Timothy wrote:
> > From: David Roundy [mailto:droundy at abridgegame.org]:
> > [...]  I'm not comfortable building infrastructure into darcs for
> > dispatching patches to repos because unless you are rather
> > careful (or only include your own key in allowed_keys), you could be
> > opening up security holes in your system by running multiple pushable
> > repos as the same user.  Anyone who has write access to a repo that
> > runs the test on applied patches can run arbitrary code on your system.
> 
> It seems highly desirable to limit the security consequences by running
> the test as a low-privileged user (similar to nobody).  If I understand
> correctly, darcs check will use the patches in the repository to
> re-create the current tree, then presumably run the test on it. Perhaps
> it could be modified to re-create the current tree, then chown -R that to
> the low-privileged user (darcs_test ?) and run the test as that
> user. That probably does not eliminate the security risk, but should
> reduce it a lot.

Hmmmm.  That does sound like a good idea.  The biggest problem being that
I've never done anything like this before.  I'm not sure how to switch
users, though, when darcs is not run as root.  I guess it must be doable,
I'm just not sure how to do it...

> For the truly paranoid, it might be desirable to be able to specify that
> the test will be run inside a chroot or even a virtual machine (such as
> user-mode linux).

Running inside a chroot would generally be tough, since the test usually
will require dev tools, so the chroot wouldn't be very empty.
-- 
David Roundy
http://www.abridgegame.org
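The privilege drop sketched in the quoted reply (re-create the tree, chown it to a low-privileged account, run the test as that account), written out as an added example; this is not code from the thread or from darcs. It assumes a wrapper that itself runs as root, since only root can chown to another user or switch uid (the limitation raised in the reply above), and it uses the account name darcs_test from the thread as a hypothetical; the function names, the clean environment, and the scratch-directory layout are all choices made here.

```python
"""Run a repository's test command as a low-privileged user.

Added example, not darcs code.  Assumes the wrapper is invoked as root and
that a dedicated system account (LOW_PRIV_USER, hypothetical name from the
thread) exists.  A non-root caller gets a clear refusal instead of a test
run that silently executes with the repo owner's privileges.
"""
import os
import pwd
import shutil
import subprocess
import tempfile

LOW_PRIV_USER = "darcs_test"  # hypothetical account named in the thread


def switch_problem(euid, target_uid):
    """Return None if a process with euid may run as target_uid, else a reason.

    Only root can change to another uid; a non-root process can only keep
    running as itself.  Running the test as root is refused outright.
    """
    if target_uid == 0:
        return "refusing to run the test as root"
    if euid not in (0, target_uid):
        return "not root (euid %d): cannot switch to uid %d" % (euid, target_uid)
    return None


def minimal_env(scratch_home):
    """Clean environment for the test: no inherited HOME, SSH agent socket,
    or PATH entries pointing into the repo owner's directories."""
    return {"PATH": "/usr/bin:/bin", "HOME": scratch_home, "LANG": "C"}


def drop_to(uid, gid):
    """Build a preexec_fn that runs in the child between fork and exec.

    Order matters: supplementary groups and the gid must be dropped before
    setuid, because after setuid the process is no longer root and can no
    longer change its groups."""
    def _drop():
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)
    return _drop


def chown_tree(path, uid, gid):
    """Equivalent of chown -R, without following symlinks."""
    os.lchown(path, uid, gid)
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            os.lchown(os.path.join(root, name), uid, gid)


def run_test_as(tree, command, user=LOW_PRIV_USER, timeout=600):
    """Copy `tree` into a scratch directory owned by `user`, run `command`
    there as that user with a clean environment, and return the exit status.
    The scratch copy is removed afterwards whatever the outcome."""
    pw = pwd.getpwnam(user)          # KeyError if the account does not exist
    problem = switch_problem(os.geteuid(), pw.pw_uid)
    if problem:
        raise PermissionError(problem)
    scratch = tempfile.mkdtemp(prefix="darcs-test-")
    try:
        work = os.path.join(scratch, "tree")
        shutil.copytree(tree, work, symlinks=True)
        chown_tree(scratch, pw.pw_uid, pw.pw_gid)
        os.chmod(scratch, 0o700)     # only the test user sees the working copy
        # Only root can drop privileges; if we already are the test user, exec directly.
        pre = drop_to(pw.pw_uid, pw.pw_gid) if os.geteuid() == 0 else None
        proc = subprocess.run(command, cwd=work, env=minimal_env(scratch),
                              preexec_fn=pre, timeout=timeout)
        return proc.returncode
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    # Constructed demonstration: without root or the darcs_test account this
    # reports why the test cannot be isolated rather than running it anyway.
    try:
        print(run_test_as(".", ["sh", "-c", "id && make test"]))
    except (KeyError, PermissionError) as e:
        print("cannot run isolated test:", e)
```

The copy is made before the chown so the original repository stays owned by the repo user; the test user only ever sees a throwaway working copy, and the `0o700` mode on the scratch directory keeps other local accounts out of it. The timeout is there because a test that never returns is as much a denial of service as one that misbehaves.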



