[darcs-users] Repo via SSH

David Roundy droundy at darcs.net
Sat Jun 25 11:25:18 UTC 2005


On Fri, Jun 24, 2005 at 11:08:29PM -0700, Mark Lentczner wrote:
> 2. Transfers whole trees with sftp.  There is no way to restrict  
> this.  Hence, anyone authorized to do darcs, can actually read and  
> write any file on the machine that the repo user on the server can.

Not whole trees, but multiple files at once--this is much faster than
multiple scps (or so I've been told).

> 3. Applies patches with the command line "cd <dir> && darcs apply --all".
> I don't know why it doesn't do "darcs apply --all --repodir <dir>".
> In any event, this command line requires a shell - or at least careful
> picking apart by a wrapper script.

I don't remember.  Probably just because push predated --repodir.

> It would be best if darcs could do all its work by only invoking  
> darcs on the remote side.  Then a wrapper script could check and  
> ensure that only "darcs" was being run.  It could also check that  
> there is exactly "--repodir" argument and that the value is within  
> the allowable tree.

This really wouldn't be ideal (see below).

> To do this, darcs would probably need a "cat" command to just copy a  
> file.  The command should ensure that it can only copy files within  
> the repo dir:
>     darcs cat --repodir repos/test ../../../../etc/passwd
> would not be allowed.  Actually, it would be best if it were clear in  
> the code that darcs won't read or write any file that isn't under the  
> repodir for any operation.  This would lessen possible exploits.

That would indeed be nice.  But effectively chrooting oneself is a bit
tricky.  We've got a bit of a framework moving in this direction, but it
doesn't yet provide any such safety.  Until someone who knows what he's
doing does a full audit of darcs, I'd rather people didn't make assumptions
about darcs' behavior, and instead relied on existing unix safeguards (such
as permissions) to enforce policy.

> What do people think?

I believe you can get similar functionality by setting something like

DARCS_APPLY_HTTP='ssh user@machine darcs apply --repodir /repodir && echo'

and then using http to access the repository.  This doesn't help if it's an
ultrasecret repository, but otherwise I think it would address your
concerns.  Also note that it assumes that there's only one repository you
want to push to in this way.  Otherwise you'd need to write a little script
that knows how to convert an http URL into an ssh command.

What you describe would either require weird convolutions, or require that
darcs be installed on a machine when you want to *pull* from it via ssh,
which wouldn't be a Good Thing.
-- 
David Roundy
http://www.darcs.net
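A wrapper of the kind Mark describes, as an added example that is neither darcs code nor from either author: an OpenSSH forced command (the `command=` option in authorized_keys, which makes sshd pass the client's requested command in SSH_ORIGINAL_COMMAND) that lets a push-only key run nothing but darcs apply on one repository tree. The repository root /srv/repos, the script name darcs-push-only and the exact command shapes accepted are assumptions.

```shell
#!/bin/sh
# Added example (not darcs code): a forced-command wrapper for a push-only SSH key.
# Assumed install in the server user's ~/.ssh/authorized_keys (one line):
#   command="/usr/local/bin/darcs-push-only",no-pty,no-port-forwarding ssh-rsa AAAA...
# sshd then sets SSH_ORIGINAL_COMMAND to whatever the client asked to run.

REPO_ROOT="/srv/repos"   # assumed: the only tree this key is allowed to touch
set -f                   # no globbing while we word-split untrusted input

# check_darcs_command "<command line>"
# Accepts only the two shapes discussed in the thread:
#   cd <dir> && darcs apply --all          (what darcs push sends)
#   darcs apply --all --repodir <dir>      (the --repodir form)
# Prints <dir> and returns 0 if <dir> is a plain relative path; otherwise 1.
check_darcs_command() {
    set -- $1            # split on whitespace; "&&" becomes an ordinary word
    if [ "$#" -eq 5 ] && [ "$1 $2 $3 $4" = "darcs apply --all --repodir" ]; then
        dir=$5
    elif [ "$#" -eq 6 ] && [ "$1" = "cd" ] && [ "$3 $4 $5 $6" = "&& darcs apply --all" ]; then
        dir=$2
    else
        return 1         # anything else: extra args, chained commands, other verbs
    fi
    case $dir in
        *[!A-Za-z0-9._/-]*)  return 1 ;;  # no quotes, ; | $ ` or spaces
        /*)                  return 1 ;;  # no absolute paths
        ..|../*|*/..|*/../*) return 1 ;;  # no parent traversal (../../etc/passwd)
        .|./*|*/.|*/./*)     return 1 ;;  # no "." components either
    esac
    printf '%s\n' "$dir"
}

# Entry point: only runs when sshd invoked us with a client command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    dir=$(check_darcs_command "$SSH_ORIGINAL_COMMAND") || {
        printf 'darcs-push-only: rejected command: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    exec darcs apply --all --repodir "$REPO_ROOT/$dir"
fi
```

As David points out, this only governs what the key may run when pushing; it does nothing for pull, which darcs of this era performs over sftp rather than by running darcs on the remote side.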