Issue 1515: create checklist of potential security issues trying to give darcs-only access to a repo - Darcs bug tracker

Title	create checklist of potential security issues trying to give darcs-only access to a repo
Priority	feature	Status	given-up
Milestone		Resolved in
Superseder		Nosy List	darcs-devel, dmitry.kurochkin, kowey, thorkilnaur, twb
Assigned To		Topics	Documentation

Created on 2009-08-09.00:02:04 by kowey, last changed 2022-04-12.15:01:48 by bfrk.

Messages
msg8047 (view)	Author: kowey	Date: 2009-08-09.00:01:55
Trent from msg8043: > I'm happy with WONTFIXing this (and the other) gaping security holes > if we document VERY explicitly that you cannot give darcs push access > to a user without also giving them a full shell. > > I'm not sure where this caveat should be tacked on; certainly darcs > help should mention it, but in which command? > > I'd also very much like a detailed list of known exposures on a wiki > page, so that anyone who thinks "pshaw, I can lock down darcs apply!" > will have a checklist of things to address.
msg8253 (view)	Author: kowey	Date: 2009-08-18.15:03:08
so far... * malicious posthooks * malicious setpref actions (NB: this is easy to work around as setpref is dumb)
msg10657 (view)	Author: kowey	Date: 2010-04-03.16:23:48
Just bumping this explicitly so to remind folks it's there :-) [I don't do this for all bugs in maintenance mode, but occasionally, it seems useful to do this]

History
Date	User	Action	Args
2009-08-09 00:02:04	kowey	create
2009-08-18 15:03:11	kowey	set	status: unread -> has-patch nosy: kowey, simon, twb, thorkilnaur, dmitry.kurochkin messages: + msg8253
2009-08-25 18:14:20	admin	set	nosy: + darcs-devel, - simon
2009-08-27 14:27:00	admin	set	nosy: kowey, darcs-devel, twb, thorkilnaur, dmitry.kurochkin
2010-04-03 16:23:49	kowey	set	messages: + msg10657
2022-04-12 15:01:48	bfrk	set	status: has-patch -> given-up