On Fri, Aug 15, 2014 at 3:14 PM, Abilio Marques <amarq...@smartappsla.com>
wrote:

> The extra mile question is: is there any security risk involved with
> giving 'nobody' the chance to clone? Let's say I keep a fossil server
> running all the time too. I believe there is not, but maybe I'm mistaken...
>


i can't speak for ssh access, but _all_ of my public fossil repos (CGI)
allow nobody (as in (select * from user where login='nobody')) to clone
(that is, 'nobody' has the 'g' permission). Have been that way for 7+ years.

The only security problem (if it can be called that) i ever personally
faced wrt Fossil was when i accidentally gave the anonymous user wiki and
ticket edit access. Someone wrote a bot which completely mangled all wiki
pages except the home page (clever of them, as it kept the attack hidden
for longer than it otherwise would have been). Disabling write access fixed
the problem, of course.


-- 
----- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
"Freedom is sloppy. But since tyranny's the only guaranteed byproduct of
those who insist on a perfect world, freedom will have to do." -- Bigby Wolf
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
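
An added example, not part of the original message or of Fossil itself: an audit that flags write capabilities held by the logins that need no account ('nobody' and 'anonymous'), including ones pulled in through the 'u'/'v' inheritance letters. It assumes the repository's `user` table has `login` and `cap` columns and uses letters from Fossil's capability reference; the table contents below are constructed.

```python
import sqlite3

# Capability letters that let a login change repository content (forum letters omitted).
WRITE_CAPS = {
    "a": "admin", "s": "setup", "i": "check-in", "d": "delete",
    "k": "write wiki", "f": "new wiki", "m": "append wiki",
    "w": "write ticket", "n": "new ticket", "c": "append ticket",
    "b": "attach", "y": "write unversioned",
}
INHERIT = {"u": "reader", "v": "developer"}  # 'u'/'v' pull in another login's caps

def effective_caps(db, login, seen=None):
    """Return the capability letters of `login`, expanding 'u' and 'v'."""
    seen = set() if seen is None else seen
    if login in seen:          # guard against inheritance loops
        return set()
    seen.add(login)
    row = db.execute("SELECT cap FROM user WHERE login = ?", (login,)).fetchone()
    caps = set(row[0] or "") if row else set()
    for letter, parent in INHERIT.items():
        if letter in caps:
            caps |= effective_caps(db, parent, seen)
    return caps

def audit_public_logins(db, logins=("nobody", "anonymous")):
    """Map each unauthenticated login to the write capabilities it holds."""
    findings = {}
    for login in logins:
        risky = sorted(effective_caps(db, login) & set(WRITE_CAPS))
        if risky:
            findings[login] = risky
    return findings

def constructed_repo():
    """In-memory stand-in for a repository's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user(login TEXT UNIQUE, cap TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)", [
        ("nobody", "g"),            # clone only, as in the message
        ("anonymous", "hkmw"),      # the accidental wiki/ticket edit grant
        ("reader", "kptw"),
        ("developer", "dei"),
    ])
    return db

if __name__ == "__main__":
    for login, caps in audit_public_logins(constructed_repo()).items():
        print(login, [f"{c}={WRITE_CAPS[c]}" for c in caps])
```

To run it against a real repository, open a copy of the repository file with `sqlite3.connect()` instead of calling `constructed_repo()`.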
