On Mon, Aug 17, 2009 at 11:58 AM, Miklos Vajna <[email protected]> wrote:

> On Mon, Aug 17, 2009 at 11:09:56AM -0700, Jason Dagit <[email protected]> wrote:
> > In the past darcs has always been developed with the conceptual model that
> > anyone who can push to your repository is trusted. In other words, security
> > is handled at a layer external to darcs. Changing that assumption would
> > take careful planning and consensus. Not impossible, but not simple either
> > :)
>
> The problem is that scripts like contrib/darcs-shell suggest that you
> can just give users a restricted shell and that will be secure. It's
> based on my original git-shell script, which *is* secure, but just
> porting to darcs makes it insecure, since in darcs it's possible to
> modify the commit hooks via patches, so basically you still have full
> shell access.

It's good that you've identified this. Do you propose a way to implement setpref so that this path of injection is not possible?

Once upon a time, I had written code so that the repository could disallow post-hooks. But this approach was no more secure and it was not fine grained either (except in interactive use).

Jason
_______________________________________________
darcs-users mailing list
[email protected]
http://lists.osuosl.org/mailman/listinfo/darcs-users
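The thread contrasts a git-shell style restricted shell with what darcs actually needs. The following is an added illustration, not code from contrib/darcs-shell, git-shell or the darcs project: a forced-command wrapper that reads SSH_ORIGINAL_COMMAND, permits only a fixed set of subcommands against bare repository names under one base directory, and refuses everything else. The subcommand allowlist, the base directory, the repository-name rule and the final `darcs ... --repodir` invocation shape are all assumptions chosen for the example. Its closing comment records the thread's caveat: such a wrapper bounds which commands a client may run, not what repository-supplied hooks or prefs do on the server.

```python
"""Forced-command dispatcher for an SSH 'restricted shell' in front of a VCS.

Added example (not contrib/darcs-shell or git-shell code). Demonstrates the
allowlist pattern discussed in the thread; all names below are assumptions.
"""
import os
import re
import shlex
import sys
from typing import Tuple

# Assumptions for the example: which subcommands the wrapper permits and where
# repositories live. The real darcs-shell allowlist is not shown in the thread.
ALLOWED_SUBCOMMANDS = frozenset({"pull", "push", "apply", "get", "transfer-mode"})
REPO_ROOT = "/srv/repos"
# A repository is a bare name: no '/', no leading '.' or '-', bounded length.
REPO_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


class Rejected(Exception):
    """Raised when a request does not match the allowlist."""


def parse_request(original_command: str, repo_root: str = REPO_ROOT) -> Tuple[str, str]:
    """Validate a raw SSH_ORIGINAL_COMMAND string.

    Returns (subcommand, absolute repository path) or raises Rejected.
    """
    try:
        argv = shlex.split(original_command)
    except ValueError as exc:
        raise Rejected(f"unparseable command line: {exc}")
    # Exact shape: darcs <subcommand> <repo-name>. Extra arguments are refused,
    # so a client cannot smuggle in options the wrapper did not anticipate.
    if len(argv) != 3 or argv[0] != "darcs":
        raise Rejected("expected exactly: darcs <subcommand> <repository>")
    sub, name = argv[1], argv[2]
    if sub not in ALLOWED_SUBCOMMANDS:
        raise Rejected(f"subcommand {sub!r} is not allowed")
    if name in (".", "..") or not REPO_NAME_RE.fullmatch(name):
        raise Rejected(f"invalid repository name {name!r}")
    return sub, os.path.join(repo_root, name)


def is_allowed(original_command: str) -> bool:
    """Convenience predicate around parse_request."""
    try:
        parse_request(original_command)
        return True
    except Rejected:
        return False


def main() -> int:
    cmd = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    try:
        sub, repo = parse_request(cmd)
    except Rejected as exc:
        print(f"denied: {exc}", file=sys.stderr)
        return 1
    # The thread's point: this allowlist only bounds which *commands* the client
    # may invoke. If the server honours hooks or prefs stored inside the
    # repository, a pushed patch can still change them, so the server must also
    # refuse to act on repository-supplied hooks for this to be a real boundary.
    # Invocation shape below is an assumption for the example.
    os.execvp("darcs", ["darcs", sub, "--repodir", repo])  # replaces this process
    return 0  # not reached


if __name__ == "__main__":
    sys.exit(main())
```

Deploy this as the `command=` of an `authorized_keys` entry so every session, interactive or not, lands in `main()`; the allowlist decides what runs, and the caveat in the comment is why a darcs deployment needs the hook question settled server-side as well.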
