Greg Brockman wrote:
> Hmm, ok. So if I'm not mistaken, the only outstanding issue is
> whether to provide a way to globally disable git-shell-commands. Do
> you have a particular threat model in mind?
No, it was only a vague thing. I do not even use git-shell
myself, so it was a vague worry for a scenario I am not even
involved in. So if you have thought it over and decided it is
not an issue, that is good enough for me.
What would be most comforting is an explanation like this:
"Uses not using this feature will not be impacted by patch 1,
since all it adds is:
- some memory allocation
- a call to split_cmdline, which I have audited and
seems to be safe
- an execv that does not permit . or / characters and so
can only run commands from the directory the user is
in (which would be safe because..."
Actually if I understand correctly I am not comforted at all,
because a former user at a multi-user installation that only has
git-shell access now can suddenly run arbitrary commands from
the home directory once git is upgraded.
Jonathan
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html