On Mon, Aug 17, 2009 at 12:34:13PM -0700, Jason Dagit <[email protected]> wrote:
> It's good that you've identified this. Do you propose a way to implement
> setpref so that this path of injection is not possible? Once upon a time, I
> had written code so that the repository could disallow post-hooks. But this
> approach was no more secure and it was not fine grained either (except in
> interactive use).
I tried not proposing anything, as in case I say "just look at how git does it" some people on this list may become angry. ;-)

Anyway, the approach used by them is just not allowing modifying preferences via patches. That sounds a bit too manual, but in fact works quite well:

There are different hooks; let's take 'post-apply' as an example. (Sorry if that's not the proper name, but you get it.) There could be a _darcs/hooks dir, and in case there is a _darcs/hooks/post-apply file, it would be invoked. So basically the name of the command would be hardwired.

Now let's see what happens with two use cases:

1) A system where there are trusted users only and setprefs is handy; getting rid of them would be 'getting rid of a nice feature'. There you can still just symlink (for example) hooks/post-apply to _darcs/hooks/post-apply, so changing hooks via patches will still be allowed.

2) A system where not everybody is a trusted user: setpref can no longer be set to any problematic value, and darcs is not considered 'insecure by design' by sysadmins.

Just my two cents.
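The hardwired hook lookup sketched in the message above, as an added illustration that is not darcs code and not part of the original thread. It assumes a constructed layout where a patch-controlled preferences file (_darcs/prefs/prefs) may name a command, while the only file ever executed is _darcs/hooks/post-apply, which a trusted setup can symlink to a versioned hooks/post-apply.

```sh
#!/bin/sh
# Added example (not darcs's own code): run the post-apply hook only from a
# hardwired location inside the repository. A hook command written into a
# preferences file (which a patch could rewrite via setpref) is never read,
# so patches alone cannot choose what gets executed.

run_post_apply_hook() {
    hook_repo=$1
    hook="$hook_repo/_darcs/hooks/post-apply"
    # Run only an executable regular file (a symlink resolving to one is
    # fine); anything else simply means "no hook configured".
    if [ -f "$hook" ] && [ -x "$hook" ]; then
        "$hook" "$hook_repo"
        return $?
    fi
    return 0
}

# Build a throwaway repository (constructed layout, assumed for this
# example) with both a prefs-named command and a symlinked hook.
setup_demo_repo() {
    demo_repo=$(mktemp -d)
    mkdir -p "$demo_repo/_darcs/prefs" "$demo_repo/_darcs/hooks" "$demo_repo/hooks"
    # A preference a patch could have set; the lookup above ignores it.
    printf 'post-apply touch %s/prefs-ran\n' "$demo_repo" > "$demo_repo/_darcs/prefs/prefs"
    # Case 1 (trusted users): a versioned hooks/post-apply, symlinked into
    # the hardwired location by an administrator.
    printf '#!/bin/sh\necho versioned-hook > "$1/hook-ran"\n' > "$demo_repo/hooks/post-apply"
    chmod +x "$demo_repo/hooks/post-apply"
    ln -s ../../hooks/post-apply "$demo_repo/_darcs/hooks/post-apply"
    echo "$demo_repo"
}
```

Removing the symlink gives case 2: the prefs entry still names a command, but nothing runs because only the hardwired path is consulted.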
_______________________________________________ darcs-users mailing list [email protected] http://lists.osuosl.org/mailman/listinfo/darcs-users
