Re: [fossil-users] Fossil security question from a newbie
The repo is an open SQLite db. You can browse it easily with any 3rd party SQLite viewer/editor or your own code. The passwords are hashed but available. As are the user settings. So, someone could edit the user guest cap to 'as' and do whatever. Better to encrypt the repo when in transit.

On Tue, Mar 17, 2015 at 11:44 PM, Byung-Jae Kwak wrote:
> Hello,
>
> Suppose I have .fossil file on a thumb drive and I lost it.
> If all the privileges of all the accounts in the repository have
> been disabled except for the admin account, and the admin
> account is protected with a fairly strong password,
> can I assume the content in the repository is reasonably
> safe?
>
> BJ

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
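The point made in this reply, as an added example that is not part of the original thread: a Python sketch that checks whether a file is a plaintext SQLite database and lists the account data readable from it with no credentials at all. The sample repository is constructed, and its minimal user table (columns login, pw, cap) is an assumption standing in for Fossil's.

```python
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"      # first 16 bytes of any plaintext SQLite file
PRIVILEGED = {"a": "admin", "s": "setup"}  # only the cap letters the thread mentions

def build_sample_repo(path):
    """Constructed stand-in for a .fossil file; the user table layout is an assumption."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE user(uid INTEGER PRIMARY KEY, login TEXT UNIQUE, pw TEXT, cap TEXT)")
    con.executemany(
        "INSERT INTO user(login, pw, cap) VALUES (?, ?, ?)",
        [("admin", "0" * 40, "s"), ("guest", "", ""), ("nobody", "", "")],  # constructed rows
    )
    con.commit()
    con.close()

def is_plaintext_sqlite(path):
    """True if the file starts with the SQLite header, i.e. it is not encrypted at rest."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def exposure_report(path):
    """Open the file read-only with no password and return what any finder could read."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT login, pw, cap FROM user ORDER BY login").fetchall()
    finally:
        con.close()
    return [
        {
            "login": login,
            "hash_readable": bool(pw),
            "privileged": sorted(PRIVILEGED[c] for c in set(cap or "") if c in PRIVILEGED),
        }
        for login, pw, cap in rows
    ]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "sample.fossil"
        build_sample_repo(repo)
        print("plaintext SQLite:", is_plaintext_sqlite(repo))
        for entry in exposure_report(repo):
            print(entry)
```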
Re: [fossil-users] Fossil security question from a newbie
No, the authentication/authorisation is only to protect if the repository is accessed over a protocol (http, command line etc.), if someone has direct access to the file, they have access to _all_ of the repository data.

To protect any file on a USB drive against theft or loss, you'll need to either _encrypt_ the USB drive or a subset of its file-system that contains the .fossil file.

If you are on Linux you can look into dm-crypt for full-disk encryption:
https://en.wikipedia.org/wiki/Dm-crypt

Or eCryptfs for file-system level encryption:
https://en.wikipedia.org/wiki/ECryptfs

Cheers.
- Vikrant

On 18 March 2015 at 09:14, Byung-Jae Kwak wrote:
> Hello,
>
> Suppose I have .fossil file on a thumb drive and I lost it.
> If all the privileges of all the accounts in the repository have
> been disabled except for the admin account, and the admin
> account is protected with a fairly strong password,
> can I assume the content in the repository is reasonably
> safe?
>
> BJ
Re: [fossil-users] Fossil security question from a newbie
On Mar 18, 2015 5:01 AM, "Vikrant Chaudhary" wrote:
>
> No, the authentication/authorisation is only to protect if the
> repository is accessed over a protocol (http, command line etc.), if

Minor correction: in cli mode the user is effectively an admin. No rights are checked in cli-mode commands. There might be one or two exceptions to that, but none come to mind.