It would be best if darcs could do all its work by only invoking
darcs on the remote side.
This really wouldn't be ideal (see below).
Actually, it would be best if it were clear in
the code that darcs won't read or write any file that isn't under the
repodir for any operation. This would lessen possible exploits.
That would indeed be nice. But effectively chrooting oneself is a bit
tricky.
Well - okay - let me restate what I'm trying to achieve. I don't
want darcs to be the guarantor. What I want to be able to do is
to limit what it can do with a wrapper script on the server. I'm
trying to lessen the number of things that need to be checked in the
script - and can be done once the command is executed.
I'd rather people didn't make assumptions about darcs' behavior, and
instead relied on existing unix safeguards (such as permissions) to
enforce policy.
Agreed. However, due to the design of unix, it is hard to enforce a
policy as narrow as "can only run darcs in this sub tree". Unix
safeguards are based on accounts, and accounts are rather coarse in
what they can and cannot do. And - as is often the case - I don't
want to give accounts for each developer.
(Methinks it is time I learned about SELinux...., but that option
isn't available to everyone.)
I believe you can get similar functionality by setting something like
DARCS_APPLY_HTTP='ssh [EMAIL PROTECTED] darcs apply --repodir /repodir
&& echo'
I thought about this, and it would work in my case, as my project's
repo is public (and already available via http). But I didn't like
the awkwardness when pushing to multiple repos.
What you describe would either require weird convolutions, or require
that darcs be installed on a machine when you want to *pull* from it
via ssh, which wouldn't be a Good Thing.
I wonder - do people have machines with repos that are only pulled
via ssh and so don't have to have darcs installed? Somehow, the
extra protection of not having darcs installed seems to pale in
comparison with giving people full scp and sftp access to the machine
as a real account!
For me, I have publicly readable repos on a server available by http,
and indeed, I don't need darcs on that machine - I keep a mirror repo
on my disk and sync it across (with WebDAV, though rsync over ssh
would be another option). But for my current project - since I want
a few developers to be able to push to that machine, I have to have
darcs there anyway.
I'm going to look into making my wrapper on the server enter a chroot
jail. Between darcs, scp, and sftp they only use 21 libraries....
Ack! :-)
- mark
Mark Lentczner
http://www.ozonehouse.com/mark/
[EMAIL PROTECTED]
_______________________________________________
darcs-users mailing list
[email protected]
http://www.abridgegame.org/mailman/listinfo/darcs-users
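The server-side wrapper Mark talks about, as an added example that is not part of the thread and not darcs' own code: an ssh forced command (set via `command="..."` on the key in authorized_keys) that refuses everything except `darcs apply` against a repository under one directory tree, which is the "can only run darcs in this sub tree" policy plain unix permissions cannot express. Two things are assumed rather than taken from the message: the repository root /srv/darcs, and that the darcs client sends a push over ssh as exactly `darcs apply --all --repodir DIR`, with DIR possibly wrapped in single quotes. Adjust both to what your darcs version actually sends (run sshd with a logging wrapper once to see it).

```shell
#!/bin/sh
# Added example, not code from the thread or from darcs itself: an ssh
# forced-command wrapper (authorized_keys: command="/usr/local/bin/darcs-wrapper")
# that lets a key run only `darcs apply` against repositories under one tree.
# ASSUMED (not from the thread): the root /srv/darcs, and that the client sends
# exactly `darcs apply --all --repodir DIR` over ssh, DIR possibly single-quoted.

REPO_ROOT="/srv/darcs"      # assumption: where the pushable repositories live
CHECKED_REPODIR=""          # set by check_cmd on success

# is_safe_repodir DIR -> 0 if DIR is absolute, under REPO_ROOT, built only from
# [A-Za-z0-9/._-] and free of "..", else 1. Conservative on purpose: a name
# such as "a..b" is refused as well.
is_safe_repodir() {
    case "$1" in
        "$REPO_ROOT"/*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *..*|*[!A-Za-z0-9/._-]*) return 1 ;;
    esac
    return 0
}

# check_cmd "COMMAND LINE" -> 0 (and CHECKED_REPODIR set) if the line is one
# permitted darcs invocation, 1 otherwise. Splitting on whitespace with
# globbing switched off means a line carrying ";", "&&", "$(...)" or any
# extra word never fits the five-word shape and is refused.
check_cmd() {
    CHECKED_REPODIR=""
    set -f                  # no pathname expansion while splitting
    set -- $1
    set +f
    [ "$#" -eq 5 ] || return 1
    [ "$1" = "darcs" ] && [ "$2" = "apply" ] && [ "$3" = "--all" ] &&
        [ "$4" = "--repodir" ] || return 1
    dir=$5
    case "$dir" in
        "'"*"'") dir=${dir#"'"}; dir=${dir%"'"} ;;   # strip client quoting
    esac
    is_safe_repodir "$dir" || return 1
    CHECKED_REPODIR=$dir
    return 0
}

# Only the forced-command path runs this part: sshd puts the command the
# client asked for in SSH_ORIGINAL_COMMAND. The validated pieces are re-issued
# instead of the raw string, so nothing the client typed ever reaches a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec darcs apply --all --repodir "$CHECKED_REPODIR"
    fi
    echo "darcs-wrapper: refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

This only narrows what a key may ask darcs to do; it does not stop darcs itself from reading or writing outside the repodir once it runs, which is the point made earlier in the thread that darcs should not be the guarantor. For that the same wrapper can drop into the chroot Mark mentions before the exec, or the account can be given no shell and no scp/sftp at all (an authorized_keys entry with `command=` plus `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding` makes the key usable for nothing else).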