[darcs-users] Repo via SSH
Mark Lentczner
markl at glyphic.com
Sat Jun 25 15:32:56 UTC 2005
>> It would be best if darcs could do all its work by only invoking
>> darcs on the remote side.
>>
> This really wouldn't be ideal (see below).
>
>
>> Actually, it would be best if it were clear in
>> the code that darcs won't read or write any file that isn't under the
>> repodir for any operation. This would lessen possible exploits.
>>
> That would indeed be nice. But effectively chrooting oneself is a bit
> tricky.
>
Well - okay - let me restate what I'm trying to achieve. I don't
want darcs to be the guarantor. What I want is to be able to
limit what it can do with a wrapper script on the server. I'm
trying to lessen the number of things that need to be checked in the
script - and can be done once the command is executed.
> I'd rather people didn't make assumptions
> about darcs' behavior, and instead relied on existing unix
> safeguards (such
> as permissions) to enforce policy.
>
Agreed. However, due to the design of unix, it is hard to enforce a
policy as narrow as "can only run darcs in this sub tree". Unix
safeguards are based on accounts, and accounts are rather coarse in
what they can and cannot do. And - as is often the case - I don't
want to give accounts for each developer.
(Methinks it is time I learned about SELinux...., but that option
isn't available to everyone.)
> I believe you can get similar functionality by setting something like
> DARCS_APPLY_HTTP='ssh user at machine darcs apply --repodir /repodir
> && echo'
>
I thought about this, and it would work in my case, as my project's
repo is public (and already available via http). But I didn't like
the awkwardness when pushing to multiple repos.
> What you describe would either require weird convolutions, or
> require that
> darcs be installed on a machine when you want to *pull* from it via
> ssh,
> which wouldn't be a Good Thing.
>
I wonder - do people have machines with repos that are only pulled
via ssh and so don't have to have darcs installed? Somehow, the
extra protection of not having darcs installed seems to pale in
comparison with giving people full scp and sftp access to the machine
as a real account!
For me, I have publicly readable repos on a server available by http,
and indeed, I don't need darcs on that machine - I keep a mirror repo
on my disk and sync it across (with WebDAV, though rsync over ssh
would be another option). But for my current project - since I want
a few developers to be able to push to that machine, I have to have
darcs there anyway.
I'm going to look into making my wrapper on the server enter a chroot
jail. Between darcs, scp, and sftp they only use 21 libraries....
Ack! :-)
- mark
Mark Lentczner
http://www.ozonehouse.com/mark/
markl at glyphic.com
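The server-side wrapper Mark describes, as an added example (not code from the thread or from the darcs project): an OpenSSH forced command that only lets a key run `darcs apply --repodir` against a repository under one directory, refusing scp, sftp, shells and every other darcs subcommand. The exact command darcs sends over ssh, the root path `/srv/darcs` and the script's install path are assumptions.

```shell
#!/bin/sh
# Assumed authorized_keys entry for each developer's key:
#   command="/usr/local/bin/darcs-push-only",no-port-forwarding,no-pty ssh-rsa AAAA...
# sshd then runs this script with the client's request in SSH_ORIGINAL_COMMAND.

ALLOWED_ROOT="/srv/darcs"   # assumed root under which pushable repos live

# allow_darcs_cmd CMD: return 0 only if CMD is "darcs apply" with a
# --repodir below ALLOWED_ROOT (and at most an extra --all); else 1.
allow_darcs_cmd() {
    # Whitelist characters first, so no metacharacter (; & | $ ` * ' " ...)
    # can chain or expand anything before the words are examined.
    safe='A-Za-z0-9_./ -'
    case $1 in *[!$safe]*) return 1 ;; esac
    set -- $1                               # split into words (globbing is impossible now)
    [ "$1" = darcs ] && [ "$2" = apply ] || return 1
    shift 2
    dir=
    while [ $# -gt 0 ]; do
        case $1 in
            --all) ;;
            --repodir) [ $# -ge 2 ] || return 1; dir=$2; shift ;;
            *) return 1 ;;                  # any other option is refused
        esac
        shift
    done
    # The repo must be an absolute path strictly below ALLOWED_ROOT ...
    case $dir in "$ALLOWED_ROOT"/*) ;; *) return 1 ;; esac
    # ... with no "." or ".." components that could climb back out.
    case "/$dir/" in */../*|*/./*) return 1 ;; esac
    return 0
}

# As the forced command: run the request only if it passes the check.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_darcs_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        exec "$@"
    fi
    echo "refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Because the key can only ever run this one command, read access for pulling still has to come from elsewhere (http, as in Mark's setup), which is exactly the split he describes.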