[darcs-users] Repo via SSH

Mark Lentczner markl at glyphic.com
Sat Jun 25 15:32:56 UTC 2005


>> It would be best if darcs could do all its work by only invoking
>> darcs on the remote side.
>>
> This really wouldn't be ideal (see below).
>
>
>> Actually, it would be best if it were clear in
>> the code that darcs won't read or write any file that isn't under the
>> repodir for any operation.  This would lessen possible exploits.
>>
> That would indeed be nice.  But effectively chrooting oneself is a bit
> tricky.
>

Well - okay - let me restate what I'm trying to achieve.  I don't
want darcs to be the guarantor.  What I want to be able to do is
to limit what it can do with a wrapper script on the server.  I'm
trying to lessen the number of things that need to be checked in the
script - and can be done once the command is executed.


> I'd rather people didn't make assumptions
> about darcs' behavior, and instead relied on existing unix  
> safeguards (such
> as permissions) to enforce policy.
>

Agreed.  However, due to the design of unix, it is hard to enforce a  
policy as narrow as "can only run darcs in this sub tree".  Unix  
safeguards are based on accounts, and accounts are rather coarse in
what they can and cannot do.  And - as is often the case - I don't  
want to give accounts for each developer.

(Methinks it is time I learned about SELinux...., but that option  
isn't available to everyone.)


> I believe you can get similar functionality by setting something like
> DARCS_APPLY_HTTP='ssh user at machine darcs apply --repodir /repodir  
> && echo'
>

I thought about this, and it would work in my case, as my project's  
repo is public (and already available via http).  But I didn't like  
the awkwardness when pushing to multiple repos.


> What you describe would either require weird convolutions, or  
> require that
> darcs be installed on a machine when you want to *pull* from it via  
> ssh,
> which wouldn't be a Good Thing.
>

I wonder - do people have machines with repos that are only pulled  
via ssh and so don't have to have darcs installed?  Somehow, the  
extra protection of not having darcs installed seems to pale in  
comparison with giving people full scp and sftp access to the machine  
as a real account!

For me, I have publicly readable repos on a server available by http,  
and indeed, I don't need darcs on that machine - I keep a mirror repo  
on my disk and sync it across (with WebDAV, though rsync over ssh  
would be another option).  But for my current project - since I want  
a few developers to be able to push to that machine, I have to have  
darcs there anyway.

I'm going to look into making my wrapper on the server enter a chroot
jail.  Between darcs, scp, and sftp they only use 21 libraries....  
Ack! :-)

     - mark


Mark Lentczner
http://www.ozonehouse.com/mark/
markl at glyphic.com