From: Daniel Carrera
Subject: Re: [Monotone-devel] db kill_rev_locally
Date: Sat, 11 Oct 2008 23:20:50 +0200
User-agent: Thunderbird 2.0.0.17 (Macintosh/20080914)
Nathaniel Smith wrote:
> No, it simply wipes out the revision and its certs, as if they never existed. (Except that as you note, it does leave some of the associated data behind in the database, but there's no way to get at this data except by poking around in the db by hand.) This isn't really a security issue, though, because it only affects the database that it's run on.

Yes it is, because it easily allows a DOS attack from a malicious developer or someone with a developer's credentials and there is no way to identify the attacker. Second, the fact that you can recover from a disaster does not mean that the attack did not succeed. There are three aspects to security against an attack:

1) Prevention.
2) Detection.
3) Recovery.

Against this particular attack, Monotone only has recovery. Monotone has a great recovery system, but something in the way of prevention or detection would be a worthy improvement. For example:

1) Prevention: Remove or somehow restrict the "db kill_rev_locally" command and the "db execute" command.
2) Detection: Record who runs "db kill_rev_locally" (recording "db execute" is kind of pointless).
Daniel.