On Fri, Jun 24, 2005 at 11:08:29PM -0700, Mark Lentczner wrote:
> 2. Transfers whole trees with sftp. There is no way to restrict
> this. Hence, anyone authorized to do darcs can actually read and
> write any file on the machine that the repo user on the server can.

Not whole trees, but multiple files at once--this is much faster than
multiple scps (or so I've been told).

> 3. Applies patches with the command line "cd <dir> && darcs apply --
> all". I don't know why it doesn't do "darcs apply --all --repodir
> <dir>". In any event, this command line requires a shell - or at
> least careful picking apart by a wrapper script.

I don't remember. Probably just because push predated --repodir.

> It would be best if darcs could do all its work by only invoking
> darcs on the remote side. Then a wrapper script could check and
> ensure that only "darcs" was being run. It could also check that
> there is exactly one "--repodir" argument and that the value is within
> the allowable tree.

This really wouldn't be ideal (see below).

> To do this, darcs would probably need a "cat" command to just copy a
> file. The command should ensure that it can only copy files within
> the repo dir:
>
>   darcs cat --repodir repos/test ../../../../etc/passwd
>
> would not be allowed. Actually, it would be best if it were clear in
> the code that darcs won't read or write any file that isn't under the
> repodir for any operation. This would lessen possible exploits.

That would indeed be nice. But effectively chrooting oneself is a bit
tricky. We've got a bit of a framework moving in this direction, but it
doesn't yet provide any such safety. Until someone who knows what he's
doing does a full audit of darcs, I'd rather people didn't make
assumptions about darcs' behavior, and instead relied on existing unix
safeguards (such as permissions) to enforce policy.

> What do people think?

I believe you can get similar functionality by setting something like

  DARCS_APPLY_HTTP='ssh [EMAIL PROTECTED] darcs apply --repodir /repodir && echo'

and then using http to access the repository. This doesn't help if it's
an ultrasecret repository, but otherwise I think it would address your
concerns.

Also note that it assumes that there's only one repository you want to
push to in this way. Otherwise you'd need to write a little script that
knows how to convert an http URL into an ssh command.

What you describe would either require weird convolutions, or require
that darcs be installed on a machine when you want to *pull* from it
via ssh, which wouldn't be a Good Thing.
-- 
David Roundy
http://www.darcs.net
_______________________________________________
darcs-users mailing list
[email protected]
http://www.abridgegame.org/mailman/listinfo/darcs-users
