On Thu, Aug 06, 2009 at 08:35:58PM +0000, Reinier Lamers wrote:
> Yes, I indeed once said that I, as a system administrator, would not
> expect that it's possible to give people the right to run darcs when
> they're not supposed to have access to an interactive shell.
>
> If we would want to make it possible to restrict users to just using
> darcs on a system, we'd have to worry about the --pre-hook and
> --post-hook first.
>
> So I support marking as wont-fix. However, Trent appears to be a
> knowledgeable Unix geek, so he's welcome to reopen it if he
> discovers a flaw in my reasoning.

I'm happy with WONTFIXing this (and the other) gaping security holes
if we document VERY explicitly that you cannot give darcs push access
to a user without also giving them a full shell.
I'm not sure where this caveat should be tacked on; certainly darcs
help should mention it, but in which command?
I'd also very much like a detailed list of known exposures on a wiki
page, so that anyone who thinks "pshaw, I can lock down darcs apply!"
will have a checklist of things to address.