I'm using (as you will see) fossil 1.29. I have no permissions enabled for nobody.

Next is a transcript of a test:

amarques@laptop-01 ~/tmp/resume $ fossil clone ssh://abiliojr@raspberry1/.fossilrepos/resume.fossil .resume.fossil
abiliojr@raspberry1's password:
Round-trips: 2   Artifacts sent: 0  received: 0
Error: not authorized to clone
Round-trips: 2   Artifacts sent: 0  received: 0
Clone finished with 569 bytes sent, 564 bytes received
server returned an error - clone aborted
amarques@laptop-01 ~/tmp/resume $ fossil version
This is fossil version 1.29 [3e5ebe2b90] 2014-06-12 17:25:56 UTC

And on the server side:

amarques@laptop-01 ~ $ ssh abiliojr@raspberry1
abiliojr@raspberry1's password:
Welcome to Arch Linux ARM
     Website: http://archlinuxarm.org
       Forum: http://archlinuxarm.org/forum
         IRC: #archlinux-arm on irc.Freenode.net
Last login: Fri Aug 15 08:21:29 2014 from laptop-01.casa
[abiliojr@raspberry1 ~]$ fossil version
This is fossil version 1.29 [3e5ebe2b90] 2014-06-12 17:25:56 UTC

For the sake of the test, if I enable read wiki and read ticket (which I'll need to be off anyway), I get the same results.

Am I missing something?

2014-08-16 5:08 GMT-04:30 Stephan Beal <sgb...@googlemail.com>:

> On Fri, Aug 15, 2014 at 3:14 PM, Abilio Marques <amarq...@smartappsla.com> wrote:
>
>> The extra mile question is: is there any security risk involved with
>> giving 'nobody' the chance to clone? Let's say I keep a fossil server
>> running all the time too. I believe there is not, but maybe I'm mistaken...
>
> i can't speak for ssh access, but _all_ of my public fossil repos (CGI)
> allow nobody (as in (select * from user where login='nobody')) to clone
> (that is, 'nobody' has the 'g' permission). Have been that way for 7+ years.
>
> The only security problem (if it can be called that) i ever personally
> faced wrt Fossil was when i accidentally gave the anonymous user wiki and
> ticket edit access. Someone wrote a bot which completely mangled all wiki
> pages except the home page (clever of them, as it kept the attack hidden
> for longer than it otherwise would have been). Disabling write access fixed
> the problem, of course.
>
> --
> ----- stephan beal
> http://wanderinghorse.net/home/stephan/
> http://gplus.to/sgbeal
> "Freedom is sloppy. But since tyranny's the only guaranteed byproduct of
> those who insist on a perfect world, freedom will have to do." -- Bigby Wolf
>
> _______________________________________________
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
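The two points raised in the thread are that 'nobody' needs the 'g' (clone) capability for `fossil clone` to succeed, and that the real risk is handing 'anonymous' write capabilities such as wiki or ticket edit. The following is an added example, not code from the thread or from the Fossil project, that audits capability strings the way a repository admin would before exposing a server: it reports whether a user can clone and flags any write-class capability. The sample capability strings are constructed; on a real repository you would read them with `fossil user capabilities nobody -R repo.fossil` and set them with `fossil user capabilities nobody g -R repo.fossil`. The capability letters used are Fossil's documented ones (g=clone, j=read wiki, r=read tickets, o=check-out, h=hyperlinks, i=check-in, k=write wiki, w=write tickets, f=new wiki, m=append wiki, n=new ticket, c=append ticket, d=delete, a=admin, s=setup, b=attachments).

```shell
#!/bin/sh
# Added example: audit Fossil capability strings for the anonymous-facing
# users before opening a repository to the public. Not part of the thread
# or of Fossil itself; the sample strings below are constructed.

# Capability letters that allow modifying repository content.
WRITE_CAPS="i k w f m n c d a s b"

# has_cap CAPS LETTER -> exit 0 if LETTER occurs in CAPS
has_cap() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# can_clone CAPS -> exit 0 if CAPS includes 'g', which 'fossil clone' needs
can_clone() {
    has_cap "$1" g
}

# write_caps CAPS -> print the write-class letters present in CAPS
# (empty output when the user is read-only)
write_caps() {
    found=""
    for letter in $WRITE_CAPS; do
        has_cap "$1" "$letter" && found="$found$letter"
    done
    printf '%s' "$found"
}

# audit_user NAME CAPS -> print one report line; exit 0 only if NAME holds
# no write capability (the state the thread recommends for nobody/anonymous)
audit_user() {
    name="$1"
    caps="$2"
    clone="no"
    can_clone "$caps" && clone="yes"
    w="$(write_caps "$caps")"
    printf '%-10s caps=%-8s clone=%-3s write=%s\n' \
        "$name" "$caps" "$clone" "${w:-none}"
    [ -z "$w" ]
}

# Constructed sample: 'nobody' with the caps the thread ends up recommending
# (clone plus read-only access), 'anonymous' accidentally given wiki and
# ticket edit, as in the incident Stephan describes.
NOBODY_CAPS="gjor"
ANON_CAPS="hjkrw"

for entry in "nobody:$NOBODY_CAPS" "anonymous:$ANON_CAPS"; do
    audit_user "${entry%%:*}" "${entry#*:}" || \
        echo "  -> ${entry%%:*} has write access; remove it before publishing"
done
```

Run it as-is to see the two report lines; the 'nobody' line shows clone=yes with no write capability, and the 'anonymous' line is flagged because 'k' and 'w' are present. Substitute the output of `fossil user capabilities <user> -R repo.fossil` for the constructed strings to audit a real repository.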