On Thu, Jan 14, 2010 at 09:06:45PM +0000, Robin H. Johnson wrote:
> As a reasonable middle ground between the functionality and complete
> removal, can we find a way just to only execute the potentially
> dangerous hooks under known safe conditions or when explicitly requested
> by the user.

An alternative to ripping it out that was discussed is to check that getuid() matches the owner of the hook. That might be a nice improvement in security for the push hooks, as well. But it does come at the cost of some inconvenience. How do you set up hooks in a shared central repo that every user should trigger? You need some way to say "these hooks really _are_ trusted, run them anyway", but that mechanism cannot be in the configuration of the repo itself for obvious reasons. I suppose if the owner is root? But that leaves no way for non-root users to set up shared access.

Also, there is a similar issue with config. Right now, if I can convince you to run "git log" in a repo whose config I own, I can make you run arbitrary commands via textconv (and ditto for "git diff" and external diff).

> Places where the hooks are safe:
> - the hooks are known trusted AND not writable by the user/group.
> (e.g. "chown -R root:root hooks/").

This can work, but has drawbacks. See above.

> - Systems where the users/groups do not have full shell access, just
> access to run Git itself. Eg gitosis, regular git+ssh:// w/ a
> restricted shell.

Yes, this would work, too, but how do you configure the "it's OK to run random hooks" flag? Environment?

-Peff
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
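The ownership check discussed in the message above (compare getuid() with the owner of the hook file before running it), written out as an added example in C. This is not code from the thread or from git itself. It makes three assumptions the thread does not spell out: a root-owned hook is also accepted (the "owner is root" case for shared repositories), symlinked hooks are refused because lstat() is used, and a hook writable by group or others is refused, since ownership proves nothing if someone else can rewrite the file. The scratch hook it creates under /tmp is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why a hook was refused; HOOK_OK means it may run. */
enum hook_status {
    HOOK_OK = 0,
    HOOK_MISSING,            /* lstat() failed */
    HOOK_NOT_REGULAR,        /* directory, symlink, device, ... */
    HOOK_WRONG_OWNER,        /* owned by neither the caller nor root */
    HOOK_WRITABLE_BY_OTHERS  /* group- or world-writable */
};

static const char *status_name(int s)
{
    switch (s) {
    case HOOK_OK:                 return "ok";
    case HOOK_MISSING:            return "missing";
    case HOOK_NOT_REGULAR:        return "not a regular file";
    case HOOK_WRONG_OWNER:        return "owned by an untrusted uid";
    case HOOK_WRITABLE_BY_OTHERS: return "writable by group/others";
    default:                      return "?";
    }
}

/*
 * The check proposed in the thread: only run a hook whose file is owned
 * by the invoking user. Assumptions beyond the thread: root (uid 0) is
 * also accepted as an owner for shared repositories, symlinks are
 * refused (lstat, not stat), and a hook writable by anyone other than
 * its owner is refused, since then ownership alone proves nothing.
 */
int hook_status(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return HOOK_MISSING;
    if (!S_ISREG(st.st_mode))
        return HOOK_NOT_REGULAR;
    if (st.st_uid != getuid() && st.st_uid != 0)
        return HOOK_WRONG_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return HOOK_WRITABLE_BY_OTHERS;
    return HOOK_OK;
}

/* Create a constructed scratch "hook" in /tmp with the given mode.
 * Returns a malloc'd path, or NULL on failure. */
char *make_scratch_hook(mode_t mode)
{
    char tmpl[] = "/tmp/hookcheck-XXXXXX";
    static const char body[] = "#!/bin/sh\necho hook ran\n";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    (void)write(fd, body, sizeof body - 1);
    close(fd);
    if (chmod(tmpl, mode) != 0) {   /* chmod ignores the umask */
        unlink(tmpl);
        return NULL;
    }
    return strdup(tmpl);
}

/* Walk the cases the thread raises; returns 1 if every verdict matches. */
int self_check(void)
{
    int ok = 1;
    char *hook = make_scratch_hook(0700);
    if (!hook)
        return 0;
    ok &= hook_status(hook) == HOOK_OK;                  /* my own, private hook */
    ok &= chmod(hook, 0775) == 0;
    ok &= hook_status(hook) == HOOK_WRITABLE_BY_OTHERS;  /* group could replace it */
    ok &= chmod(hook, 0755) == 0;
    ok &= hook_status(hook) == HOOK_OK;                  /* world-readable is fine */
    unlink(hook);
    ok &= hook_status(hook) == HOOK_MISSING;
    free(hook);
    ok &= hook_status("/") == HOOK_NOT_REGULAR;
    return ok;
}

int main(int argc, char **argv)
{
    /* Usage: ./hookcheck .git/hooks/pre-commit [more paths...] */
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], status_name(hook_status(argv[i])));
    printf("self-check: %s\n", self_check() ? "passed" : "FAILED");
    return 0;
}
```

The inconvenience Peff points out shows up directly here: in a shared central repository the hooks would have to be root-owned (or owned by every pusher, which is impossible) for this check to let them run, and the flag that says "trust these anyway" cannot live in the repository's own config without reopening the hole.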