darcs

Issue 1515 create checklist of potential security issues trying to give darcs-only access to a repo

Title: create checklist of potential security issues trying to give darcs-only access to a repo
Priority: feature
Status: has-patch
Milestone:
Resolved in:
Superseder:
Nosy List: darcs-devel, dmitry.kurochkin, kowey, thorkilnaur, twb
Assigned To:
Topics: Documentation

Created on 2009-08-09.00:02:04 by kowey, last changed 2010-04-03.16:23:49 by kowey.

Messages
msg8047 Author: kowey Date: 2009-08-09.00:01:55
Trent from msg8043:
> I'm happy with WONTFIXing this (and the other) gaping security holes
> if we document VERY explicitly that you cannot give darcs push access
> to a user without also giving them a full shell.
> 
> I'm not sure where this caveat should be tacked on; certainly darcs
> help should mention it, but in which command?
> 
> I'd also very much like a detailed list of known exposures on a wiki
> page, so that anyone who thinks "pshaw, I can lock down darcs apply!"
> will have a checklist of things to address.
msg8253 Author: kowey Date: 2009-08-18.15:03:08
so far...
* malicious posthooks
* malicious setpref actions (NB: this is easy to work around as setpref is dumb)
msg10657 Author: kowey Date: 2010-04-03.16:23:48
Just bumping this explicitly so as to remind folks it's there :-)

[I don't do this for all bugs in maintenance mode, but occasionally, it
seems useful to do this]
History
Date                 User   Action  Args
2009-08-09 00:02:04  kowey  create
2009-08-18 15:03:11  kowey  set     status: unread -> has-patch; nosy: kowey, simon, twb, thorkilnaur, dmitry.kurochkin; messages: + msg8253
2009-08-25 18:14:20  admin  set     nosy: + darcs-devel, - simon
2009-08-27 14:27:00  admin  set     nosy: kowey, darcs-devel, twb, thorkilnaur, dmitry.kurochkin
2010-04-03 16:23:49  kowey  set     messages: + msg10657