[darcs-users] Darcs Servers

Miklos Vajna vmiklos at frugalware.org
Mon Aug 17 20:46:56 UTC 2009


On Mon, Aug 17, 2009 at 12:34:13PM -0700, Jason Dagit <dagit at codersbase.com> wrote:
> It's good that you've identified this.  Do you propose a way to implement
> setpref so that this path of injection is not possible?  Once upon a time, I
> had written code so that the repository could disallow post-hooks.  But this
> approach was no more secure and it was not fine grained either (except in
> interactive use).

I tried not proposing anything, as in case I say "just look at how git
does it" some people on this list may become angry. ;-)

Anyway, the approach used by them is just not allowing modifying
preferences via patches. That sounds a bit too manual, but in fact works
quite well:

There are different hooks, let's take 'post-apply' as an example. (Sorry
if that's not the proper name, but you get it.) There could be a
_darcs/hooks dir, and in case there is a _darcs/hooks/post-apply file,
it would be invoked.

So basically the name of the command would be hardwired. Now let's see
what happens with two use cases:

1) A system where there are trusted users only and setprefs is handy,
getting rid of them would be 'getting rid of a nice feature'.

There you can still just symlink (for example) hooks/post-apply to
_darcs/hooks/post-apply, so changing hooks via patches will be still
allowed.

2) A system where not everybody is a trusted user: setpref can no longer
be set to any problematic value, darcs is not considered 'insecure by
design' by sysadmins.

Just my two cents.
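
The hook layout proposed in this message, sketched as an added shell example (not part of the original post and not darcs code): only a hardwired hook name under `_darcs/hooks` is ever run, and `hook_origin` reports whether that hook lives inside `_darcs` or is a symlink into the patch-controlled working tree. The function names and the `none`/`local`/`tracked` labels are assumptions made for illustration.

```shell
#!/bin/sh
# Illustration only: darcs has no _darcs/hooks directory; this follows the
# layout proposed in the message. Function names are hypothetical.
# Assumes a readlink that supports -f (GNU coreutils, recent BSD/macOS).

# hook_origin REPO NAME  -> prints none | local | tracked
#   none    : no executable _darcs/hooks/NAME
#   local   : hook resolves inside _darcs/, which patches cannot modify
#   tracked : hook is a symlink into the working tree, so patches can
#             change what runs (use case 1, an explicit admin opt-in)
hook_origin() {
    repo=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    case "$2" in
        post-apply) ;;   # hardwired names only, never a value from a patch
        *) echo "unknown hook: $2" >&2; return 2 ;;
    esac
    hook="$repo/_darcs/hooks/$2"
    if [ ! -x "$hook" ]; then echo none; return 0; fi
    real=$(readlink -f "$hook") || return 2
    case "$real" in
        "$repo/_darcs/"*) echo local ;;
        *) echo tracked ;;
    esac
}

# run_hook REPO NAME: execute the hook if installed; return its exit status.
run_hook() {
    origin=$(hook_origin "$1" "$2") || return 2
    if [ "$origin" = none ]; then return 0; fi
    if [ "$origin" = tracked ]; then
        echo "note: $2 hook is under patch control in $1" >&2
    fi
    (cd "$1" && "./_darcs/hooks/$2")
}
```

Running `hook_origin` over every hosted repository gives a sysadmin the list of repositories that have opted in to patch-controlled hooks.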