Daniel Carrera <[EMAIL PROTECTED]> writes:

> Jamie Webb wrote:
>> At least some people are finding this sort of thing not so simple:
>> http://www.snailbook.com/faq/restricted-scp.auto.html
>> http://www.pizzashack.org/rssh/security.shtml
[...]
> In our project we made a shell that allows three commands: scp, darcs,
> svn. We're still experimenting, so I can't say if this is what we'll use
> at the end. I think we'll need to replace svn by svnserve (haven't
> tested that yet). But you get the idea.

Only limiting the possible commands isn't quite enough if you don't limit the arguments too (--posthook, ...). You have to find out exactly which arguments are used when the local darcs calls darcs apply via ssh and only allow these (see RemoteApply.lhs apply_via_ssh).

There is another problem with commit access for people you don't really trust when you run a testsuite or start a build _before_ looking at all the changes, since they can insert arbitrary commands into the testsuite/build script. If you don't make sure that the no-test argument is given to darcs apply, then someone can commit a "setpref test cmd" patch and cmd is run when the next patch gets applied.

Of course some of these problems apply for push-over-http as well.

Benedikt
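
An added example, not part of the original message and not darcs code: a forced-command wrapper for the darcs case only, which vets the arguments as well as the command name and always forces `--no-test`. The allowed flag set and the repository path `/srv/darcs/project` are assumptions; check the flags against `apply_via_ssh` in the darcs version you run.

```python
import os
import shlex
import sys

# Assumption: the only flag the client-side darcs sends besides --repodir.
# Confirm against apply_via_ssh in your darcs version before relying on it.
ALLOWED_FLAGS = {"--all"}
ALLOWED_REPOS = {"/srv/darcs/project"}  # hypothetical repository path


class Rejected(Exception):
    """The requested command is outside the allow-list."""


def vet_darcs_apply(original_command):
    """Return the argv to exec for a permitted 'darcs apply', else raise Rejected."""
    try:
        argv = shlex.split(original_command)
    except ValueError as exc:
        raise Rejected("unparsable command: %s" % exc)
    if argv[:2] != ["darcs", "apply"]:
        raise Rejected("only 'darcs apply' is permitted")
    repodir = None
    rest = iter(argv[2:])
    for arg in rest:
        if arg in ALLOWED_FLAGS:
            continue
        if arg == "--repodir":
            repodir = next(rest, None)
        elif arg.startswith("--repodir="):
            repodir = arg.split("=", 1)[1]
        else:
            # Everything else is refused, including --posthook and --test.
            raise Rejected("argument not allowed: %r" % arg)
    if repodir not in ALLOWED_REPOS:
        raise Rejected("repository not allowed: %r" % repodir)
    # Rebuild argv from fixed parts and always force --no-test, so a
    # "setpref test" patch cannot get its command run on apply.
    return ["darcs", "apply", "--all", "--no-test", "--repodir", repodir]


if __name__ == "__main__":
    try:
        argv = vet_darcs_apply(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    except Rejected as exc:
        sys.exit("refused: %s" % exc)
    os.execvp(argv[0], argv)  # no shell involved, so metacharacters are inert
```

Installed as the `command=` of an `authorized_keys` entry, the wrapper receives the client's request in `SSH_ORIGINAL_COMMAND` and runs only the rebuilt argument vector.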
