darcs

Issue 1466 Restrict transfer-mode to files within repo

Title: Restrict transfer-mode to files within repo
Priority: feature
Status: wont-fix
Milestone:
Resolved in:
Superseder:
Nosy List: darcs-devel, dmitry.kurochkin, kowey, thorkilnaur, tux_rocker, twb
Assigned To:
Topics:

Created on 2009-05-19.02:42:13 by twb, last changed 2009-10-24.08:39:31 by admin.

Messages
msg7835 Author: twb Date: 2009-05-19.02:42:10
This seems like bad juju to me:

    $ echo get /etc/passwd | darcs transfer-mode
    Hello user, I am darcs transfer mode
    got /etc/passwd
    [/etc/passwd's size]
    [/etc/passwd's contents]
    darcs: <stdin>: hGetLine: end of file

It ought to be trivial for transfer-mode to only fetch files within
the repo.
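The containment check the report asks for, written out as an added example in Python rather than darcs's own Haskell, and not code from the darcs project. It takes only the request shape visible in the transcript above ("get <path>", answered with "got <path>" followed by the file), and the names `resolve_within_repo`, `handle_get` and `make_demo_repo` are hypothetical. The demo repository, its files and the symlink that points outside it are constructed sample data. The check rejects absolute paths, resolves the request with `os.path.realpath` so that `..` components and symlinks are normalised before the comparison, and only then tests whether the result is still under the repository root.

```python
import os
import shutil
import tempfile


class PathOutsideRepo(ValueError):
    """Raised when a requested path would resolve outside the repository."""


def resolve_within_repo(repo_root, requested):
    """Return the real path of `requested` if it lies inside `repo_root`.

    Absolute paths are refused outright. Everything else is joined to the
    root and fully resolved (symlinks and '..' included) before the
    containment test, so a symlink inside the repo that points elsewhere
    is caught as well as plain traversal.
    """
    if os.path.isabs(requested):
        raise PathOutsideRepo("absolute path refused: %s" % requested)
    root = os.path.realpath(repo_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PathOutsideRepo("path escapes repository: %s" % requested)
    return candidate


def handle_get(repo_root, line):
    """Handle one 'get <path>' request line.

    Returns (status, requested_path, payload) where status is one of
    'got' (file served), 'refused' (outside the repo) or 'error'.
    Only the status is ever decided by the path check; the file is not
    opened unless the check passed.
    """
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] != "get":
        return ("error", None, b"unrecognised request")
    requested = parts[1]
    try:
        full = resolve_within_repo(repo_root, requested)
        with open(full, "rb") as fh:
            data = fh.read()
    except PathOutsideRepo as exc:
        return ("refused", requested, str(exc).encode())
    except OSError as exc:
        return ("error", requested, str(exc).encode())
    return ("got", requested, data)


def make_demo_repo():
    """Build a throwaway layout (constructed sample data, not a real repo):

        <tmp>/outside/secret     a file that must never be served
        <tmp>/repo/_darcs/format a file inside the repository
        <tmp>/repo/escape        symlink -> ../outside
    Returns (tmp_dir, repo_dir).
    """
    tmp = tempfile.mkdtemp(prefix="transfer-mode-demo-")
    outside = os.path.join(tmp, "outside")
    repo = os.path.join(tmp, "repo")
    os.makedirs(os.path.join(outside))
    os.makedirs(os.path.join(repo, "_darcs"))
    with open(os.path.join(outside, "secret"), "wb") as fh:
        fh.write(b"constructed secret\n")
    with open(os.path.join(repo, "_darcs", "format"), "wb") as fh:
        fh.write(b"constructed sample\n")
    os.symlink(os.path.join("..", "outside"), os.path.join(repo, "escape"))
    return tmp, repo


def run_demo():
    """Exercise the handler against the constructed layout; returns statuses."""
    tmp, repo = make_demo_repo()
    try:
        return {
            # plain request inside the repo: served
            "inside": handle_get(repo, "get _darcs/format")[0],
            # '..' that stays inside after normalisation: still served
            "normalised": handle_get(repo, "get _darcs/../_darcs/format")[0],
            # the case from the report: absolute path, refused
            "absolute": handle_get(repo, "get /etc/passwd")[0],
            # traversal out of the repo: refused
            "traversal": handle_get(repo, "get ../outside/secret")[0],
            # symlink inside the repo pointing outside it: refused
            "symlink": handle_get(repo, "get escape/secret")[0],
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print("%-10s %s" % (name, status))
```

The comparison is made on the fully resolved path, not on the request string, which is why the `..` that stays inside is served while the symlink case is refused even though its request string contains neither `/` at the start nor `..`; a string-based check would get both of those wrong.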
msg8026 Author: kowey Date: 2009-08-06.14:07:35
I think Reinier made a comment about something similar to this once.

Is it fair to mark this as wont-fix?
msg8039 Author: tux_rocker Date: 2009-08-06.20:35:54
Yes, I indeed once said that I, as a system administrator, would not expect that
it's possible to give people the right to run darcs when they're not supposed to
have access to an interactive shell.

If we wanted to make it possible to restrict users to just using darcs on a
system, we'd have to worry about the --pre-hook and --post-hook first.

So I support marking as wont-fix. However, Trent appears to be a knowledgeable
Unix geek, so he's welcome to reopen it if he discovers a flaw in my reasoning.
msg8043 Author: twb Date: 2009-08-07.02:14:06
On Thu, Aug 06, 2009 at 08:35:58PM +0000, Reinier Lamers wrote:
> Yes, I indeed once said that I, as a system administrator, would not
> expect that it's possible to give people the right to run darcs when
> they're not supposed to have access to an interactive shell.
>
> If we wanted to make it possible to restrict users to just using
> darcs on a system, we'd have to worry about the --pre-hook and
> --post-hook first.
>
> So I support marking as wont-fix. However, Trent appears to be a
> knowledgeable Unix geek, so he's welcome to reopen it if he
> discovers a flaw in my reasoning.

I'm happy with WONTFIXing this (and the other) gaping security holes
if we document VERY explicitly that you cannot give darcs push access
to a user without also giving them a full shell.

I'm not sure where this caveat should be tacked on; certainly darcs
help should mention it, but in which command?

I'd also very much like a detailed list of known exposures on a wiki
page, so that anyone who thinks "pshaw, I can lock down darcs apply!"
will have a checklist of things to address.
History
Date                 User         Action  Args
2009-05-19 02:42:13  twb          create
2009-08-06 14:07:37  kowey        set     priority: feature; status: unread -> wont-fix; messages: + msg8026; nosy: + reinier.lamers
2009-08-06 20:35:58  tux_rocker   set     nosy: + tux_rocker; messages: + msg8039
2009-08-07 02:14:09  twb          set     nosy: kowey, simon, twb, thorkilnaur, tux_rocker, dmitry.kurochkin, reinier.lamers; messages: + msg8043
2009-08-25 17:45:12  admin        set     nosy: + darcs-devel, - simon
2009-08-27 14:21:23  admin        set     nosy: kowey, darcs-devel, twb, thorkilnaur, tux_rocker, dmitry.kurochkin, reinier.lamers
2009-10-24 08:39:31  admin        set     nosy: - reinier.lamers