Re: git-daemon is insecure?

"Shawn O. Pearce" <spearce@xxxxxxxxxxx> writes:

> With regards to this patch, yes, you can export your entire $HOME
> and maybe expose things you shouldn't or didn't want to.

That was not what I meant.  git-daemon running as nobody.project
will allow read access to project group's files, and the
whitelisting and --base-path are ways to limit it to files that
are in the repository.  But the process still has the power to
read files outside that can be read by the nobody user or project
group; the only thing needed is for git-daemon and whatever it
spawns to have bugs.

But the point is that "power to read files outside" is still
limited to nobody.project, even if there are such bugs to allow
it to escape the whitelist/base-path jail.  It won't extend to
anybody's $HOME.

If you run git-daemon as spearce.spearce, you cannot rely on
that built-in limitation.
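
The point above, that the daemon's OS identity bounds what a whitelist/--base-path bug could reach, shown as an added example that is not part of the original message and not git's own code. The function names and the constructed directory tree are hypothetical; the check uses classic Unix mode bits only and ignores ACLs, root, capabilities, and permissions on directories above `root`.

```python
import os
import stat
import tempfile

def permits(st, uid, gids, bit):
    """Classic Unix mode check: only one of owner/group/other applies."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & bit)

def exposure(root, base_path, uid, gids):
    """Regular files under root, outside base_path, readable by uid/gids."""
    base = os.path.realpath(base_path)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip the export tree and directories this identity cannot search.
        dirnames[:] = [d for d in dirnames
                       if os.path.realpath(os.path.join(dirpath, d)) != base
                       and permits(os.lstat(os.path.join(dirpath, d)), uid, gids, 1)]
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and permits(st, uid, gids, 4):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def demo():
    """Constructed tree: an export dir, a group-shared file, a private file."""
    root = tempfile.mkdtemp()
    for d, f, mode in [("repos", "HEAD", 0o644), ("shared", "notes", 0o640),
                       ("home", "id_key", 0o600)]:
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
        path = os.path.join(root, d, f)
        open(path, "w").close()
        os.chmod(path, mode)
    st = os.stat(os.path.join(root, "home", "id_key"))
    base = os.path.join(root, "repos")
    # Daemon run as the files' owner (the spearce.spearce case in the message).
    as_owner = exposure(root, base, st.st_uid, {st.st_gid})
    # Daemon run as a separate uid sharing only the group (nobody.project).
    as_service = exposure(root, base, st.st_uid + 1, {st.st_gid})
    return as_owner, as_service

if __name__ == "__main__":
    owner, service = demo()
    print("reachable as owner:  ", owner)
    print("reachable as service:", service)
```

Pointing `exposure` at a real filesystem root with the daemon's intended uid and group set lists what would be readable if the path checks failed.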
