https://bugzilla.gnome.org/show_bug.cgi?id=599066 sysadmin | Git | unspecified
--- Comment #47 from Owen Taylor <[email protected]> 2013-09-06 17:37:20 UTC ---
(In reply to comment #44)
> I don't see much point in having a separate user to do the push on the client
> side. The only point would be if the sudo'ed command tried to restrict exactly
> what was pushed - if you can push anything then there is no security
> improvement at all. And duplicating complicated checks on client and server
> seems like too much.

Thinking about it, there is one significant thing you do get out of a sudo
setup which is preventing a directory traversal (or other read-only)
vulnerability from exposing the private key for someone to take and try to do
stuff on their own system. But hopefully locking the key to one IP *mostly*
handles that.

So there would be some advantage, but I don't see it as blocking getting
something going.
