Forbid uncommits over the network
John Arbash Meinel
john at arbash-meinel.com
Fri May 8 17:04:31 BST 2009
Lasse Kliemann wrote:
> * Message by -John Arbash Meinel- from Fri 2009-05-08:
>
>> So it would appear that I was wrong. I just checked the code, and
>> 'append_revisions_only' supersedes '--overwrite'.
>>
>> append_revisions_only is actually checked at the time of
>> 'set_last_revision_info', which is just about as low-level as you can get.
>
> This sounds good so far. However...
>
>> So with the existing bzr clients, you can't override that setting.
>> (There are ways someone with write access to that file could write a
>> specific value there, but it would have to be pretty much malicious, and
>> not accidental in any way.)
>
> Well, I am considering the case of a malicious person gaining
> access to the credentials of a committer.
>
> Do I understand correctly that we have a kind of client-side
> "security" here, i.e., a setting that should protect the server
> and is set on the server (namely 'append_revisions_only') can be
> overwritten by an appropriately programmed client?
'set_last_revision_info' validates append_revisions_only on the server
side. However, 'bzr+ssh://' currently has what we call "VFS" operations
(Virtual FileSystem), which means you can effectively 'write' to any
file underneath .bzr/ that you have OS level write access to.
We have an environment variable BZR_NO_SMART_VFS that can be set to
disable all VFS access. However ATM there are still a fairly large
number of simple 'read' accesses that are done via VFS. I'm not sure how
many write operations remain, though I'm sure that number is dwindling.
John
=:->
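An added audit sketch, not part of this thread or of the Bazaar code base: it checks whether a hosted branch sets append_revisions_only and lists which paths under .bzr/ a given account could write directly at the OS level, which is the access the VFS operations described above depend on. The .bzr/branch/branch.conf location, the function names and the plain mode-bit permission model (no ACLs, account is not root) are assumptions of the example.

```python
import os
import stat

# Assumed location of bzr's per-branch configuration file.
CONF_RELPATH = os.path.join(".bzr", "branch", "branch.conf")

def append_only_enabled(conf_text):
    """True if append_revisions_only has a true value before any [section]."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            break
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "append_revisions_only":
            return value.strip("'\"").lower() in ("true", "1", "yes", "on")
    return False

def writable_by(st, uid, gids):
    """Unix mode-bit check for one account (assumption: no ACLs, not root)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_branch(root, uid, gids):
    """Report the append-only flag and the .bzr paths the account can write."""
    try:
        with open(os.path.join(root, CONF_RELPATH), encoding="utf-8") as fh:
            append_only = append_only_enabled(fh.read())
    except FileNotFoundError:
        append_only = False
    writable = []
    for dirpath, dirnames, filenames in os.walk(os.path.join(root, ".bzr")):
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits say nothing about the target
            if writable_by(st, uid, gids):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                writable.append(rel)
    conf_dir = os.path.dirname(CONF_RELPATH)
    return {
        "append_revisions_only": append_only,
        # A writable file or parent directory lets the setting be replaced.
        "conf_writable": CONF_RELPATH in writable or conf_dir in writable,
        "writable_paths": sorted(writable),
    }
```

Call audit_branch with the uid and group ids of the account that committers' bzr+ssh sessions run as; a branch that reports conf_writable as true relies on the client not using VFS writes.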