Untrusted hgrc files, why report them?
Matt Mackall
mpm at selenic.com
Fri Feb 25 16:17:55 UTC 2011
On Fri, 2011-02-25 at 11:05 +0100, Dominik Psenner wrote:
> Hi,
>
> I would nail it down to following three cases:
>
> 1] .hg/hgrc (within repository) owned by someone else
> ==> the user in front of the keyboard should know that he's working on a
> repository owned by someone else - despite he lacks a brain :-P - and
> mercurial should use that one without any warnings
- case 1a -
Student Sandra wants Professor Plum's access rights
Sandra puts a malicious hook in her .hg/hgrc
Sandra invites Plum to run 'hg log' on her class project repo
Plum does so, and the hook gives Sandra a back door into Plum's account
Sandra copies Plum's class notes
Sandra gets an A on the final exam!
- case 1b -
...
Plum gets a warning about Sandra's .hg/hgrc, but no ill side-effects
Sandra actually has to study for the test
- case 2a -
Admin Alice sets up a shared repo on the server to be accessed by SSH or
NFS. She configures a hook to send out mail whenever anyone commits. It
works perfectly for her, but for some reason, when Bob commits, the
email never comes out. She checks all the settings - everything is
perfectly readable, and there are no complaints from hg. Alice curses
Bob's advice to use Mercurial.
- case 2b -
Bob gets a big warning about untrusted, tells Alice about it
Alice checks the internet, finds the page on our wiki about Trust
Alice helps Bob configure his client
> 3] .hgrc is somewhere else
> ==> mercurial shouldn't use that one (unless forced to do so), thus in
> case it wants to use it and the file is untrusted, mercurial should abort
> with a warning
>
> Are there further usecases I didn't cover?
Admin Alice sets up some hooks for her hgweb server. She makes sure
everything is owned by root and readable. But the hooks are mysteriously
not working at all! She checks the error logs, and discovers that 'user
www-data is not trusting a file owned by root', fixes the ownership, and
everything starts working.
--
Mathematics is the supreme nostalgia of our time.
More information about the Mercurial-devel
mailing list