[Savannah-help-public] [sr #107077] bzr+ssh:// preferable to sftp://


From: Robert Collins
Subject: [Savannah-help-public] [sr #107077] bzr+ssh:// preferable to sftp://
Date: Thu, 03 Dec 2009 00:17:00 +0000
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091109 Ubuntu/9.10 (karmic) Firefox/3.5.5

Follow-up Comment #21, sr #107077 (project administration):

On Wed, 2009-12-02 at 23:47 +0000, Sylvain Beucler wrote:
> Follow-up Comment #20, sr #107077 (project administration):
> 
> "bzr does not permit configuring server side hooks in the repository
> because of security concerns"
> 
> But every VCS I know allows this (?).
> 
> For example: do you intend, at a point, to implement centralised mail
> notification on commit? (which is the first thing people ask here)
> Currently this relies on an expensive, per-repository scanning every 5
> minutes through bzr-hookless-email, which isn't scalable.

The sysadmins *globally* install the bzr-email plugin, and then in
branch.conf enable it for that branch. Users with write access can:
 - disable it
 - enable it
 - configure it

but that's all.

For a highly secure environment like savannah, I'd be happy to provide an
even less configurable bzr-email than normal, which users cannot configure at
all beyond choosing to have commits sent or not.

> I expect bzr+ssh to eventually work as a restricted shell that will also
> execute repository hooks, and these hooks should be stored in a
> root-restricted directory (like CVS/SVN/Git/Hg).
> (in which case sftp access would be closed to make sure hooks are
> executed)


We don't have repository hooks (though there is a plugin that enables them).
Rather we have plugins, and some plugins look in the repository for
configuration. This separation allows sysadmins to select what code may run on
the server (install/remove plugins), and users to enable/disable the installed
plugins (where those plugins permit being enabled/disabled). Closing sftp to
ensure the bzr+ssh server is used is a good idea.

> If you never intend to allow server-side hooks at the repository (!=user)
> level, I guess I can enable bzr+ssh (provided we make sure that homedirs
> will stay read-only), but this sounds strange.
> Currently I'd expect bzr+ssh to eventually run repository hooks.

We have equivalent functionality, but it's structured to be safe for users. We
have previously discussed having in-branch arbitrary commands and decided
against it because it's not secure. 'bzr info' of an AFS mounted branch
shouldn't be able to rm -rf your homedir (which is a simple example of an
attack using the style of hooks some other systems use).

-Rob

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107077>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
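The configuration-not-code split Rob describes above (the sysadmin installs the plugin globally; a branch's branch.conf can only switch it on or off and set a few parameters), as an added example that is not bzr's or bzr-email's own code: a Python model of such a plugin's config loader with an allowlist of keys, each run through a validator, so that anything else a branch writer plants in branch.conf is recorded and ignored rather than executed. The key names post_commit_to and post_commit_sender are modelled on bzr-email's options; the validators, the EmailConfig type, the post_commit() function and the fallback sender address are assumptions, and the branch.conf texts are constructed for the example.

```python
"""Allowlisted branch.conf handling for an admin-installed notification plugin.

Added example, not code from bzr or the bzr-email plugin. The trust split it
models: the server admin decides which code runs (this module is installed
globally), the branch owner may only opt in and set validated parameters in
branch.conf. Nothing read from the branch is ever interpreted as a command.
"""
import configparser
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed server-wide default used when a branch sets no valid sender.
DEFAULT_SENDER = "bzr-commits@example.org"

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def _address(value: str) -> str:
    value = value.strip()
    if not EMAIL_RE.match(value):
        raise ValueError(f"invalid address: {value!r}")
    return value


def _address_list(value: str) -> List[str]:
    return [_address(v) for v in value.split(",") if v.strip()]


# Keys a branch may set, each paired with the validator that turns the raw
# string into a typed value. Every other key in branch.conf is inert data.
ALLOWED_KEYS: Dict[str, Callable[[str], object]] = {
    "post_commit_to": _address_list,
    "post_commit_sender": _address,
}


@dataclass
class EmailConfig:
    to: List[str] = field(default_factory=list)
    sender: str = ""
    ignored: List[str] = field(default_factory=list)  # unknown or invalid keys, for the audit log

    @property
    def enabled(self) -> bool:
        # The branch opts in simply by naming at least one valid recipient.
        return bool(self.to)


def load_email_config(conf_text: str) -> EmailConfig:
    """Parse branch.conf and keep only allowlisted, validated settings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    cfg = EmailConfig()
    for key, raw in parser["DEFAULT"].items():
        validator = ALLOWED_KEYS.get(key)
        if validator is None:
            cfg.ignored.append(key)  # e.g. a planted post_commit_hook: never run
            continue
        try:
            value = validator(raw)
        except ValueError:
            cfg.ignored.append(key)  # malformed value: dropped, not passed to a shell
            continue
        if key == "post_commit_to":
            cfg.to = value  # type: ignore[assignment]
        else:
            cfg.sender = value  # type: ignore[assignment]
    return cfg


def post_commit(conf_text: str, revision_id: str, commit_message: str) -> Optional[dict]:
    """What the admin-installed plugin does after a commit on the server side.

    Returns the notification that would be handed to the server's mailer, or
    None when the branch owner has not opted in. Actual sending is out of scope.
    """
    cfg = load_email_config(conf_text)
    if not cfg.enabled:
        return None
    return {
        "from": cfg.sender or DEFAULT_SENDER,
        "to": cfg.to,
        "subject": f"[{revision_id}] {commit_message.splitlines()[0]}",
        "body": commit_message,
    }


# Constructed branch.conf: a legitimate opt-in plus a planted key of the kind an
# in-branch hook design would execute. Here it is merely reported as ignored.
BRANCH_CONF = """\
[DEFAULT]
post_commit_to = dev@example.org, qa@example.org
post_commit_sender = commits@example.org
post_commit_hook = rm -rf ~
"""

# Constructed branch.conf with a malformed (shell-looking) sender value.
BRANCH_CONF_BAD_SENDER = """\
[DEFAULT]
post_commit_to = dev@example.org
post_commit_sender = $(rm -rf ~)
"""

if __name__ == "__main__":
    for text in (BRANCH_CONF, BRANCH_CONF_BAD_SENDER, "[DEFAULT]\n"):
        cfg = load_email_config(text)
        print(cfg, post_commit(text, "rev-42", "Fix foo\n\nDetails."))
```

The property worth noticing is that the branch can widen the plugin's behaviour only along axes the admin pre-approved (recipients, sender), and every value crossing the boundary is parsed into a typed object before use; a hook-style design instead hands the branch a string that the server executes, which is exactly the 'bzr info' of a hostile branch scenario in the message.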