On Sat, 06 Feb 2010, Sitaram Chamarty wrote: > Now I just looked up hooks.showrev, and it's supposed to be any shell > command. Clearly this means anyone who can set that gitconfig option > now has shell capability, and it's game over. But of course you need to have a hook that runs the command. And setting hooks requires shell access. Sorry for not thinking any problems with the config thing. I personally don't use the delegation and on the other hand all our gitolite administrators anyway have shell access to the server... > Regardless of how I look at it, I can't think of a cure for this short > of either: > - putting all the allowed gitconfigs in the RC file, and not in the > config (writing the RC file requires shell access, and we presume the > "root of trust" person has enough smarts to know what to allow and > what not to allow), and allowing repo admins to *refer* to them to use > whichever they want This sounds better solution for me. > - someone coming up with a list of gitconfig's that are "safe", and > specific values for those that are unsafe (like saying "if you use > showrev, you can only use this command as the value", and forcing > only those. Might get too complicated. Anyway the person setting the hook script should know what it does and which configuration keys it uses and how. -- - Teemu -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html