[darcs-users] Darcs Servers
Miklos Vajna
vmiklos at frugalware.org
Mon Aug 17 20:46:56 UTC 2009
On Mon, Aug 17, 2009 at 12:34:13PM -0700, Jason Dagit <dagit at codersbase.com> wrote:
> It's good that you've identified this. Do you propose a way to implement
> setpref so that this path of injection is not possible? Once upon a time, I
> had written code so that the repository could disallow post-hooks. But this
> approach was no more secure and it was not fine grained either (except in
> interactive use).

I tried not proposing anything, as in case I say "just look at how git
does it" some people on this list may become angry. ;-)

Anyway, the approach used by them is just not allowing modifying
preferences via patches. That sounds a bit too manual, but in fact works
quite well:

There are different hooks, let's take 'post-apply' as an example. (Sorry
if that's not the proper name, but you get it.) There could be a
_darcs/hooks dir, and in case there is a _darcs/hooks/post-apply file,
it would be invoked.

So basically the name of the command would be hardwired. Now let's see
what happens with two use cases:

1) A system where there are trusted users only and setprefs is handy,
getting rid of them would be 'getting rid of a nice feature'.

There you can still just symlink (for example) hooks/post-apply to
_darcs/hooks/post-apply, so changing hooks via patches will be still
allowed.

2) A system where not everybody is a trusted user: setpref can no longer
be set to any problematic value, darcs is not considered 'insecure by
design' by sysadmins.

Just my two cents.
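
The layout proposed in the message above, sketched as an added example (not part of the original post and not darcs code): a hook runner with a hardwired name that tells a hook stored in `_darcs/hooks` apart from one symlinked into the working tree. The function names, the `trust_patches` switch and the sample repository are hypothetical, and the sketch assumes every file outside `_darcs` can be changed by an applied patch.

```python
import subprocess
import tempfile
from pathlib import Path

# Hardwired hook names: a patch cannot add new ones. "post-apply" is the name
# used in the message; the _darcs/hooks directory is the proposal, not a darcs feature.
HOOK_NAMES = ("post-apply",)


def classify_hook(repo, name):
    """Return 'absent', 'local', 'patch-controlled' or 'external' for a hook."""
    if name not in HOOK_NAMES:
        raise ValueError(f"unknown hook name: {name!r}")
    repo = Path(repo).resolve()
    meta = repo / "_darcs"
    hook = meta / "hooks" / name
    if not hook.is_file():          # follows symlinks; a dangling link counts as absent
        return "absent"
    target = hook.resolve()
    if meta in target.parents:
        return "local"              # stored in repository metadata (use case 2)
    if repo in target.parents:
        return "patch-controlled"   # symlink into the working tree (use case 1)
    return "external"               # points outside the repository altogether


def run_hook(repo, name, trust_patches=False):
    """Run the hook if policy allows; return its exit code, or None if absent."""
    kind = classify_hook(repo, name)
    if kind == "absent":
        return None
    if kind == "patch-controlled" and not trust_patches:
        raise PermissionError(f"{name} resolves into the working tree")
    return subprocess.run([str(Path(repo) / "_darcs" / "hooks" / name)], cwd=repo).returncode


def make_sample_repo(symlinked):
    """Build a constructed throwaway repository layout for trying the checks."""
    repo = Path(tempfile.mkdtemp())
    hook = repo / "_darcs" / "hooks" / "post-apply"
    hook.parent.mkdir(parents=True)
    script = repo / "hooks" / "post-apply" if symlinked else hook
    script.parent.mkdir(parents=True, exist_ok=True)
    script.write_text("#!/bin/sh\nexit 0\n")
    script.chmod(0o755)
    if symlinked:
        hook.symlink_to(script)     # the opt-in from use case 1
    return repo
```

With `trust_patches` left at its default, the symlinked layout is refused instead of executed, so the opt-in for trusted-user systems has to be made explicitly by whoever administers the repository.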