[darcs-users] suggestion: each push should identify its target repo internally

BARBOUR Timothy Timothy_BARBOUR at rta.nsw.gov.au
Wed Aug 20 00:17:58 UTC 2003


Oops - forgot to CC the list on the message below.

-----Original Message-----
From: BARBOUR Timothy 
Sent: Tuesday, August 19, 2003 9:48 AM
To: 'David Roundy'
Subject: RE: [darcs-users] suggestion: each push should identify its target repo internally


> -----Original Message-----
> From: David Roundy [mailto:droundy at abridgegame.org]
[...]
> > It seems highly desirable to limit the security consequences by running
> > the test as a low-privileged user (similar to nobody).  If I understand
> > correctly, darcs check will use the patches in the repository to
> > re-create the current tree, then presumably run the test on it. Perhaps
> > it could be modified to re-create the current tree, then chown -R that to
> > the low-privileged user (darcs_test ?) and run the test as that
> > user. That probably does not eliminate the security risk, but should
> > reduce it a lot.
> 
> Hmmmm.  That does sound like a good idea.  The biggest problem being that
> I've never done anything like this before.  I'm not sure how to switch
> users, though, when darcs is not run as root.  I guess it must be doable,
> I'm just not sure how to do it...

sudo(8) can do this, and can be configured (via /etc/sudoers) to allow
particular users to execute certain commands as a given user without
requiring a password. I am not sure how to do it programmatically
though, or how to do it on MS-Windows (but security does not seem very
important to Windows users anyway).

> > For the truly paranoid, it might be desirable to be able to specify that
> > the test will be run inside a chroot or even a virtual machine (such as
> > user-mode linux).
> 
> Running inside a chroot would generally be tough, since the test usually
> will require dev tools, so the chroot wouldn't be very empty.

I was thinking that setting up the chroot or virtual machine would be
entirely the responsibility of the user, and darcs would provide just the
minimum amount of support (e.g. hooks) to make use of it. Because of the
need for dev tools, a virtual machine is probably a better idea than a
chroot. I agree most people would find the complexity excessive, however for
a repository on a sufficiently large project, the complexity might be
justified. It is surprising what some Debian people do with tools like
debootstrap, rootstrap and umlrun (e.g. create expendable virtual machines
on demand).

I think darcs would just need to do two things. First, make a copy of the
project tree, readable by the low-privileged user (this seems to need chown,
so darcs might need the corresponding capability (as in the capabilities
approach to security) or might use sudo). If the configuration of this
action is fixed (at least not stored in the repo), then it need not present
an especial security risk, and can run as the current darcs user. Second,
run an arbitrary command (configured in the repo, like the present
arrangement) as the low-privileged user. The particular user to use should
probably not be configured in the repo, although sudo will restrict the
choice anyway. If the developers wish, the command can be a script that e.g.
sets up a virtual machine, and runs the test in it.

Tim
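The two-step hook sketched in this message (copy the tree, chown the copy to a low-privileged account, run the repository's test command as that account via sudo), as an added shell example that is neither darcs code nor from the thread. The darcs_test account name is the thread's; the sudoers fragment, the DARCS_TEST_USER variable, the temp-directory layout and the script itself are assumptions.

```shell
#!/bin/sh
# Hypothetical darcs test hook (added example, not darcs code): stage a private
# copy of the tree, hand it to a low-privileged account and run the repository's
# test command there via sudo, as the thread sketches.
# Assumed /etc/sudoers fragment letting the darcs user do this without a
# password (user names, chown path and temp path are assumptions):
#   darcs  ALL=(root) NOPASSWD: /bin/chown -R darcs_test /tmp/darcs-test.*
#   darcs  ALL=(darcs_test) NOPASSWD: ALL
# The test command stays repository-controlled and therefore untrusted; the gain
# is that it now runs with darcs_test's rights instead of the repository owner's.

# Which account to drop to comes from the darcs user's environment, never from
# the repository (the thread's point that this must not be repo-configurable).
TEST_USER=${DARCS_TEST_USER:-darcs_test}

# stage_tree SRC: print the path of a fresh, private copy of SRC.
stage_tree() {
    src=$1
    dst=$(mktemp -d "${TMPDIR:-/tmp}/darcs-test.XXXXXX") || return 1
    chmod 0700 "$dst"
    # -P copies symlinks as symlinks instead of pulling in what they point at
    cp -RP "$src/." "$dst/" || { rm -rf "$dst"; return 1; }
    printf '%s\n' "$dst"
}

# run_test_unprivileged SRC CMD [ARG...]: run CMD inside a staged copy of SRC as
# $TEST_USER and return its exit status; the original tree is never touched.
run_test_unprivileged() {
    src=$1; shift
    copy=$(stage_tree "$src") || return 1
    # the ownership handoff is the one step that needs root (or CAP_CHOWN)
    sudo chown -R "$TEST_USER" "$copy" || { rm -rf "$copy"; return 1; }
    # drop to the test account; "--" keeps sudo from parsing the test's own flags
    status=0
    sudo -u "$TEST_USER" -- sh -c 'cd "$1" && shift && exec "$@"' sh "$copy" "$@" \
        || status=$?
    # the copy now belongs to $TEST_USER, so the cleanup runs as that account too
    sudo -u "$TEST_USER" -- rm -rf "$copy"
    return "$status"
}

# usage: darcs-test-hook.sh /path/to/tree ./run-tests --verbose
if [ "$#" -gt 0 ]; then
    run_test_unprivileged "$@"
fi
```

The test command's exit status is passed through unchanged, so darcs can still treat a non-zero result as a failed check.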

