Hi all,
I just wrote a page on the Wiki that explains how to set up a repo on
a server available via SSH, without giving all developers accounts on
the machine:
http://www.darcs.net/DarcsWiki/RepoViaSSH
I choose this method over using "darcs send" and mailing patches to
the server for several reasons:
1. Many people can't send mail via "sendmail" on their laptops
2. GPG isn't installed and set up on all people's machines
3. Most developers have SSH set up and know how to use it
However, as the page reports, there are quite a number of security
problems with this approach. In particular, it is very hard to limit
what the authorized users can do on the machine because darcs does
its work over SSH using so many different commands.
In particular it:
1. Reads files with scp. This is difficult, though possible to
restrict to a given directory using a wrapper script.
2. Transfers whole trees with sftp. There is no way to restrict
this. Hence, anyone authorized to do darcs, can actually read and
write any file on the machine that the repo user on the server can.
3. Applies patches with the command line "cd <dir> && darcs apply --all".
I don't know why it doesn't do "darcs apply --all --repodir <dir>". In any
event, this command line requires a shell - or at least careful picking
apart by a wrapper script.
What is wanted is a way to restrict the commands available via ssh
for the authorized keys to a very limited set, say one. And we want
to be able to limit that to repos only under a particular directory.
It would be best if darcs could do all its work by only invoking
darcs on the remote side. Then a wrapper script could check and
ensure that only "darcs" was being run. It could also check that
there is exactly one "--repodir" argument and that the value is within
the allowable tree.
To do this, darcs would probably need a "cat" command to just copy a
file. The command should ensure that it can only copy files within
the repo dir:
darcs cat --repodir repos/test ../../../../etc/passwd
would not be allowed. Actually, it would be best if it were clear in
the code that darcs won't read or write any file that isn't under the
repodir for any operation. This would lessen possible exploits.
I don't think darcs ever writes files with scp or sftp, so there is
no need for a command for the other direction.
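As an added illustration (not from the original mail and not darcs project code), the following POSIX sh wrapper sketches the forced-command check the mail proposes. It assumes an authorized_keys entry of the form `command="/usr/local/bin/darcs-wrapper /srv/repos" ssh-rsa ...`, that sshd hands the client's requested command over in the SSH_ORIGINAL_COMMAND environment variable (standard OpenSSH behaviour), and a hypothetical future darcs that only ever invokes `darcs <subcommand> --repodir <relative path> [--all | <file>]` on the remote side, including the proposed "darcs cat". The subcommand allow-list, the path rules and the /srv/repos base directory are assumptions. The script rejects the current "cd <dir> && darcs apply --all" form, a missing or duplicated --repodir, an absolute repodir, and the "../../../../etc/passwd" case from the mail.

```shell
#!/bin/sh
# darcs-wrapper: constructed example of a forced-command wrapper (assumption:
# installed via authorized_keys as command="/usr/local/bin/darcs-wrapper /srv/repos").
# sshd puts the command the client asked for into SSH_ORIGINAL_COMMAND; the wrapper
# only ever runs darcs itself, with arguments it has checked, and never a shell.
set -f   # no filename globbing: tokens of the client's command are data, not patterns

# safe_relpath PATH: accept only a relative path made of a conservative character
# set, with no '..' component and no component starting with '-' (option smuggling).
safe_relpath() {
    case $1 in
        '' | /* | *[!A-Za-z0-9._/-]*) return 1 ;;   # empty, absolute, or odd characters
        .. | ../* | */.. | */../*)    return 1 ;;   # any '..' component escapes the tree
        -* | */-*)                    return 1 ;;   # a component darcs might read as an option
    esac
    return 0
}

# check_darcs_command BASE "COMMAND LINE"
# Accepts exactly:  darcs <apply|changes|pull|cat> --repodir <relpath> [--all | <file>]
# (the subcommand list is an assumption). On success sets REPO_DIR, SUBCMD and EXTRA.
check_darcs_command() {
    base=$1
    set -- $2                  # word-split the requested command line into tokens
    REPO_DIR= SUBCMD= EXTRA= seen=0
    [ "$1" = darcs ] || return 1
    shift
    case $1 in
        apply | changes | pull | cat) SUBCMD=$1 ;;   # 'cat' is the command the mail proposes
        *) return 1 ;;
    esac
    shift
    while [ $# -gt 0 ]; do
        case $1 in
            --repodir)
                [ $# -ge 2 ] || return 1
                safe_relpath "$2" || return 1
                REPO_DIR=$base/$2
                seen=$((seen + 1))
                shift 2 ;;
            --all)
                [ "$SUBCMD" = apply ] || return 1
                EXTRA=--all
                shift ;;
            *)
                # the only positional argument allowed is the file for 'cat',
                # and it must stay inside the repository directory
                [ "$SUBCMD" = cat ] && [ -z "$EXTRA" ] && safe_relpath "$1" || return 1
                EXTRA=$1
                shift ;;
        esac
    done
    [ "$seen" -eq 1 ] || return 1                         # exactly one --repodir
    [ "$SUBCMD" != cat ] || [ -n "$EXTRA" ] || return 1   # cat needs a file to read
    return 0
}

# Entry point when run by sshd as a forced command (skipped when no command is pending).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ] && [ $# -eq 1 ]; then
    if check_darcs_command "$1" "$SSH_ORIGINAL_COMMAND"; then
        # $EXTRA is unquoted on purpose: it is either empty, '--all', or a path
        # that safe_relpath has already restricted to plain characters.
        exec darcs "$SUBCMD" --repodir "$REPO_DIR" $EXTRA
    fi
    echo "darcs-wrapper: rejected command: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The check is deliberately string-based rather than relying on realpath or symlink resolution: because the path is relative, free of ".." components and appended to a fixed base, the resulting directory cannot leave the allowed tree even on a minimal server without GNU coreutils. Symlinks created inside the repository tree by the repo user are outside this check's scope.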
What do people think?
- Mark
Mark Lentczner
http://www.ozonehouse.com/mark/
_______________________________________________
darcs-users mailing list
http://www.abridgegame.org/mailman/listinfo/darcs-users