On Fri, Apr 25, 2008 at 4:02 PM, Gwern Branwen <[EMAIL PROTECTED]> wrote:
> On 2008.04.24 10:06:18 -0400, David Roundy <[EMAIL PROTECTED]> scribbled 5.5K
> characters:
> > On Wed, Apr 23, 2008 at 9:19 PM, Greg Holtz <[EMAIL PROTECTED]> wrote:
> > > I know this is really wrong, but I changed all instances of
> > > getSymbolicLinkStatus to getFileStatus, and things seem to
> > > work now. I did double check the whole tree to make sure
> > > there were no symbolic links.
> >
> > It shouldn't actually cause trouble. In fact, some folks argue that
> > we should use getFileStatus instead of getSymbolicLinkStatus, so that
> > we'd automatically follow symlinks. (I think there's a bug on the
> > tracker for this.) So there's no danger that I'm aware of, of using
> > getFileStatus as a workaround for a bug in getSymbolicLinkStatus.
>
> Do you know any more specifics about that bug? I tried searching for
> symbolic links and getSymbolicLinkStatus and getFileStatus, and I eyeballed
> the link of outstanding bugs, but I didn't see anything.
>
> If switching would solve Greg's bug, and there's no particularly compelling
> reason to not follow symbolic links, I guess we should just ask Greg for a
> patch and apply it?

The main reason to avoid following symlinks is just to avoid possible security issues. If someone could create a symlink out of a darcs repository, I'd rather not have darcs follow it (e.g. and possibly try to overwrite ~/.ssh/authorized_keys or something). The simplest way to do this is to avoid following symlinks. Maybe this doesn't actually gain us anything, I don't know. Perhaps anyone who could construct a malicious symlink could just as easily replace your ~/.ssh/authorized_keys.

The other reason for not following symlinks is to make it a smaller change if/when we want to add symlink support to darcs, which is to say, to allow darcs to manage symlinks.

Actually, I think either reason is an adequate one for the current behavior, although neither are very strong reasons. At this point, it seems unlikely that anyone will ever add symlink support, so perhaps we don't care whether we make doing so very tricky to manage without severe pain to our users. And the security issue was never a very serious one. I feel more comfortable having a reasonable belief that darcs pull will only modify files in the repository, but this isn't quite true when you consider posthooks. And to be honest, almost everyone (except, I suppose, folks like me trying to reproduce darcs bugs) who interacts with a remote repository intends to run code contained within said repository, and once that happens, it's much easier for an attacker to simply insert malicious (obfuscated) code.

Still, a bug on OpenSolaris is not a good reason for a semantics change like following symlinks, unless we also decide that this change is a good idea apart from the bug on OpenSolaris.

David
_______________________________________________
darcs-users mailing list
[email protected]
http://lists.osuosl.org/mailman/listinfo/darcs-users
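
The difference between the two calls discussed in this thread, as an added example that is not darcs code and not part of the original messages: getFileStatus follows a symlink and reports on its target, while getSymbolicLinkStatus reports on the link itself, so a per-component check with the latter can refuse a write that would land outside the repository. The helper `crossesSymlink`, the directory names and the file contents are constructed for illustration.

```haskell
import Control.Exception (IOException, bracket_, try)
import Control.Monad (unless)
import System.Directory (createDirectory, getTemporaryDirectory, removeDirectoryRecursive)
import System.FilePath (splitDirectories, (</>))
import System.IO.Error (isDoesNotExistError)
import System.Posix.Files
  (FileStatus, createSymbolicLink, getFileStatus, getSymbolicLinkStatus, isRegularFile, isSymbolicLink)

-- Hypothetical helper: does any component of a repo-relative path go through a symlink?
-- getSymbolicLinkStatus (lstat) describes the link itself, never its target.
crossesSymlink :: FilePath -> FilePath -> IO Bool
crossesSymlink repo rel = go repo (splitDirectories rel)
  where
    go _ [] = return False
    go dir (c : cs) = do
      r <- try (getSymbolicLinkStatus (dir </> c)) :: IO (Either IOException FileStatus)
      case r of
        Left e
          | isDoesNotExistError e -> return False -- not created yet, nothing to follow
          | otherwise -> ioError e
        Right st
          | isSymbolicLink st -> return True
          | otherwise -> go (dir </> c) cs

main :: IO ()
main = do
  tmp <- getTemporaryDirectory
  let base = tmp </> "symlink-demo" -- constructed sandbox, removed on exit
      repo = base </> "repo"
      outside = base </> "outside.txt" -- stands in for a file outside the repository
      link = repo </> "notes.txt"
  bracket_ (createDirectory base) (removeDirectoryRecursive base) $ do
    createDirectory repo
    writeFile outside "original\n"
    createSymbolicLink outside link
    followed <- getFileStatus link -- stat: follows the link
    direct <- getSymbolicLinkStatus link -- lstat: inspects the link
    putStrLn ("getFileStatus reports a regular file: " ++ show (isRegularFile followed))
    putStrLn ("getSymbolicLinkStatus reports a symlink: " ++ show (isSymbolicLink direct))
    -- Write only when no component of the path is a symlink.
    unsafe <- crossesSymlink repo "notes.txt"
    unless unsafe $ writeFile link "overwritten\n"
    readFile outside >>= putStr -- the outside file still holds its original contents
```

The check and the write are separate steps, so this shows the semantics of the two calls rather than a race-free write path.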
