[darcs-users] Repo via SSH
David Roundy
droundy at darcs.net
Sat Jun 25 11:25:18 UTC 2005
On Fri, Jun 24, 2005 at 11:08:29PM -0700, Mark Lentczner wrote:
> 2. Transfers whole trees with sftp. There is no way to restrict
> this. Hence, anyone authorized to do darcs can actually read and
> write any file on the machine that the repo user on the server can.
Not whole trees, but multiple files at once--this is much faster than
multiple scps (or so I've been told).
> 3. Applies patches with the command line "cd <dir> && darcs apply --
> all". I don't know why it doesn't do "darcs apply --all --repodir
> <dir>". In any event, this command line requires a shell - or at
> least careful picking apart by a wrapper script.
I don't remember. Probably just because push predated --repodir.
> It would be best if darcs could do all its work by only invoking
> darcs on the remote side. Then a wrapper script could check and
> ensure that only "darcs" was being run. It could also check that
> there is exactly one "--repodir" argument and that the value is within
> the allowable tree.
This really wouldn't be ideal (see below).
> To do this, darcs would probably need a "cat" command to just copy a
> file. The command should ensure that it can only copy files within
> the repo dir:
> darcs cat --repodir repos/test ../../../../etc/passwd
> would not be allowed. Actually, it would be best if it were clear in
> the code that darcs won't read or write any file that isn't under the
> repodir for any operation. This would lessen possible exploits.
That would indeed be nice. But effectively chrooting oneself is a bit
tricky. We've got a bit of a framework moving in this direction, but it
doesn't yet provide any such safety. Until someone who knows what he's
doing does a full audit of darcs, I'd rather people didn't make assumptions
about darcs' behavior, and instead relied on existing unix safeguards (such
as permissions) to enforce policy.
> What do people think?
I believe you can get similar functionality by setting something like
DARCS_APPLY_HTTP='ssh user at machine darcs apply --repodir /repodir && echo'
and then using http to access the repository. This doesn't help if it's an
ultrasecret repository, but otherwise I think it would address your
concerns. Also note that it assumes that there's only one repository you
want to push to in this way. Otherwise you'd need to write a little script
that knows how to convert an http URL into an ssh command.
What you describe would either require weird convolutions, or require that
darcs be installed on a machine when you want to *pull* from it via ssh,
which wouldn't be a Good Thing.
--
David Roundy
http://www.darcs.net
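A forced-command wrapper of the kind Mark describes, written here as an added example (it is not darcs code and not from either poster). It accepts only the "darcs apply [--all] --repodir <dir>" command line that the remote side receives under David's DARCS_APPLY_HTTP suggestion, confines <dir> to one tree, and rejects the "cd <dir> && darcs apply --all" form, extra tokens, and traversal such as the "../../../../etc/passwd" case quoted above. The authorized_keys line, the /usr/local/bin/darcs-apply-wrapper path and the /srv/darcs base directory are assumptions; the script is plain POSIX sh.

```shell
#!/bin/sh
# darcs-apply-wrapper: sshd forced command that lets one key run exactly one
# thing, "darcs apply [--all] --repodir <dir>", with <dir> confined to one tree.
#
# Added example, not darcs code. Server-side authorized_keys line (hypothetical):
#   command="/usr/local/bin/darcs-apply-wrapper",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... pusher
# sshd runs this script and puts the client's requested command line in
# $SSH_ORIGINAL_COMMAND; the script never hands that string to a shell.

set -f                                  # no globbing anywhere in the wrapper
REPO_BASE="${REPO_BASE:-/srv/darcs}"    # assumption: every pushable repo lives under here

# check_repodir DIR: succeed only if DIR is an absolute path strictly inside
# $REPO_BASE, built from a small character whitelist, with no "..", "." or
# empty components (a trailing slash is therefore also rejected).
check_repodir() {
    case "$1" in
        "$REPO_BASE"/?*) ;;                 # literal base, then "/", then something
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9/._-]*) return 1 ;;     # no spaces, quotes, ';', '$', '&', ...
    esac
    case "$1/" in
        */../*|*/./*|*//*) return 1 ;;      # traversal or degenerate components
    esac
    return 0
}

# parse_command "CMD": if CMD is exactly "darcs apply [--all] --repodir DIR"
# and DIR passes check_repodir, print DIR and succeed; otherwise fail.
# Splitting the raw string on whitespace is safe here because every token must
# then equal a fixed word or pass the whitelist, and the token count is fixed.
parse_command() {
    set -- $1
    [ "$1" = "darcs" ] && [ "$2" = "apply" ] || return 1
    shift 2
    if [ "$1" = "--all" ]; then shift; fi
    [ "$#" -eq 2 ] && [ "$1" = "--repodir" ] || return 1
    check_repodir "$2" || return 1
    printf '%s\n' "$2"
}

# Entry point under sshd: validate, confirm the target is a darcs repository,
# then exec darcs with a fixed argument vector (never "sh -c" on the raw string).
run_wrapper() {
    repodir=$(parse_command "${SSH_ORIGINAL_COMMAND-}") || {
        printf 'rejected: %s\n' "${SSH_ORIGINAL_COMMAND-}" >&2
        exit 1
    }
    [ -d "$repodir/_darcs" ] || {
        printf 'rejected: not a darcs repository: %s\n' "$repodir" >&2
        exit 1
    }
    exec darcs apply --all --repodir "$repodir"
}

# Dispatch only when installed under the wrapper's name, so the file can also
# be sourced to exercise the checks without touching any repository.
case "$0" in
    *darcs-apply-wrapper) run_wrapper ;;
esac
```

This only narrows what a pushing key can run; it does nothing for pulls, which as the thread notes still go over sftp and are limited only by the unix permissions of the account the key lands in, so the account should own nothing outside the repository tree.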