Junio C Hamano <gitster@xxxxxxxxx> wrote:
> "Shawn O. Pearce" <spearce@xxxxxxxxxxx> writes:
> > This change allows any repository owner to set up a git-daemon
> > that other users on the same host can connect through to perform
> > upload-pack or receive-pack.
>
> My reading of this is that it creates a backdoor for people who
[...]
> In addition to having to worry about
> the in-repo data properly being protected from people outside
> the group, you now need to worry about the access through that
> backdoor does not extend outside of the repository. E.g. the
> repository owner's $HOME that is outside the repository would be
> writable by that owner, but is not meant to be accessible by
> project participants. If you allow others to "run as" you, the
> only thing that forbids that process running as you from
> accessing $HOME is an additional audit of git-daemon and the
> programs it spawns.

So you are partially suggesting that git-daemon isn't thought to
be secure, and that anything readable by the user that git-daemon
is running as is fully exposed to the public Internet. So the
access control attempts relating to --base-path or the check for
git-daemon-export-ok shouldn't really be trusted or relied upon.

If that really is the case, perhaps git-daemon should be audited
and hardened further. Last I checked, we encouraged people to run
it to offer anonymous access to repositories, and the documentation
suggests there are publishing access controls that actually work.
If those controls cannot be trusted then we shouldn't encourage
running git-daemon on untrusted networks.

With regards to this patch, yes, you can export your entire $HOME
and maybe expose things you shouldn't or didn't want to. But even
without git installed you could do this:

    cp /bin/bash /tmp/be-like-mike
    chown $USER /tmp/be-like-mike
    chmod 777 /tmp/be-like-mike
    chmod u+s /tmp/be-like-mike
    wall "try out /tmp/be-like-mike today"

but why would anyone do something that foolish? UNIX provides the
tools to do this, because there are cases where it can be useful,
but really, you have to be nuts to export all of $HOME.

-- 
Shawn.