monotone-devel

Re: [Monotone-devel] Re: The read-permissions file -- unexpected behavio


From: Richard Levitte - VMS Whacker
Subject: Re: [Monotone-devel] Re: The read-permissions file -- unexpected behavior
Date: Thu, 05 Jan 2006 22:30:51 +0100 (CET)

In message <address@hidden> on Thu, 5 Jan 2006 12:34:33 -0800, Jonathan Ho 
<address@hidden> said:

jonathanho15> On Thursday, January 5, 2006 4:18, Lapo Luchini wrote:
jonathanho15> > Timothy Brownawell <tbrownaw <at> gmail.com> writes:
jonathanho15> > > Is com.example.foo a branch that really exists in
jonathanho15> > > the server's database?  If not, then permission will
jonathanho15> > > be granted because there's nothing to read, and so
jonathanho15> > > nothing to deny permission for.
jonathanho15> >
jonathanho15> > Doesn't this "disclose" a tiny bit of information by
jonathanho15> > itself? (the very fact that a branch does exist or not)
jonathanho15> >
jonathanho15> I agree here. Shouldn't monotone try to authenticate the
jonathanho15> user first, and if it fails, deny the user access no
jonathanho15> matter what (s)he tried to pull from the server
jonathanho15> (considering, of course, the server's configuration)?

Oh, please, try things out before complaining!

: address@hidden:~
: ; monotone genkey address@hidden
monotone: generating key-pair 'address@hidden'
enter passphrase for key ID address@hidden: 
confirm passphrase for key ID address@hidden: 
monotone: storing key-pair 'address@hidden' in /home/levitte/.monotone/keys/
: address@hidden:~
: ; monotone --db=foo.db db init
: address@hidden:~
: ; monotone --db=foo.db pull venge.net 'net.venge.monotone*' -k address@hidden 
monotone: setting default server to venge.net
monotone: setting default branch include pattern to 'net.venge.monotone*'
monotone: setting default branch exclude pattern to ''
monotone: connecting to venge.net
monotone: first time connecting to server venge.net
monotone: I'll assume it's really them, but you might want to double-check
monotone: their key's fingerprint: 70a0f283898a18815a83df37c902e5f1492e9aa2
monotone: warning: saving public key for address@hidden to database
monotone: finding items to synchronize:
enter passphrase for key ID address@hidden: 
monotone: read from fd 6 (peer venge.net) failed, disconnecting
monotone: bytes in | bytes out | certs in | revs in | revs written
monotone:        0 |       346 |        0 |       0 |            0


I knew that address@hidden would probably not be accepted, and see?
There was a failure.

And just to check what the effect is on the server, I tried that too:

[repository.lp.se]
address@hidden:/orgs/lp/free/monotone# /usr/bin/monotone --pid-file=/var/run/monotone/pid --db=/orgs/lp/free/monotone/repository.db --rcfile=/orgs/lp/free/monotone/repository.lua --keydir=/orgs/lp/free/monotone/.keys serve `cat /orgs/lp/free/monotone/collections.dat | sed -e's|$|\*|'`
monotone: beginning service on all interfaces : 5253
monotone: accepted new client connection from 130.237.234.196 : 59043
monotone: warning: remote public key hash '2806be97fc2851754eea0b75ea178ab6d9a31696' is unknown
monotone: failed to process '4' packet
monotone: fd 6 (peer 130.237.234.196:59043) processing finished, disconnecting

[my laptop]
: address@hidden:~
: ; monotone --db=foo.db pull repository.lp.se 'net.venge.monotone*' -k address@hidden
monotone: connecting to repository.lp.se
monotone: finding items to synchronize:
enter passphrase for key ID address@hidden: 
monotone: read from fd 6 (peer repository.lp.se) failed, disconnecting
monotone: bytes in | bytes out | certs in | revs in | revs written
monotone:        0 |       346 |        0 |       0 |            0


As you can see, monotone does authenticate before it does anything
else.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte                         address@hidden
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
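
A log-side check for the server output quoted in the message above, added here as an example and not part of the original message or of monotone: it counts, per source address, the connections that were dropped for presenting an unknown public key. It assumes the log line wording shown in the message and that one session's lines are not interleaved with another's; the function names are hypothetical and the second half of the sample log is constructed.

```python
import re
from collections import defaultdict

# First five lines: the server output quoted in the message (wrapped line rejoined).
# Remaining lines: constructed for illustration (192.0.2.10 is a documentation
# address, the all-zero key hash is a placeholder).
SAMPLE_LOG = """\
monotone: beginning service on all interfaces : 5253
monotone: accepted new client connection from 130.237.234.196 : 59043
monotone: warning: remote public key hash '2806be97fc2851754eea0b75ea178ab6d9a31696' is unknown
monotone: failed to process '4' packet
monotone: fd 6 (peer 130.237.234.196:59043) processing finished, disconnecting
monotone: accepted new client connection from 192.0.2.10 : 40000
monotone: fd 7 (peer 192.0.2.10:40000) processing finished, disconnecting
monotone: accepted new client connection from 130.237.234.196 : 59044
monotone: warning: remote public key hash '0000000000000000000000000000000000000000' is unknown
monotone: failed to process '4' packet
monotone: fd 6 (peer 130.237.234.196:59044) processing finished, disconnecting
"""

ACCEPT = re.compile(r"accepted new client connection from (\S+) : (\d+)")
UNKNOWN = re.compile(r"remote public key hash '([0-9a-f]{40})' is unknown")
DONE = re.compile(r"\(peer \S+\) processing finished")


def unknown_key_attempts(log_text):
    """Return {source address: [unknown key hashes presented from it]}."""
    attempts = defaultdict(list)
    current = None  # peer of the most recently accepted, still-open session
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            current = m.group(1)
        elif m := UNKNOWN.search(line):
            # The warning line carries no peer, so attribute it to the open
            # session (assumption: sessions are logged without interleaving).
            attempts[current or "unattributed"].append(m.group(1))
        elif DONE.search(line):
            current = None
    return dict(attempts)


def repeat_sources(attempts, threshold=2):
    """Addresses that presented an unknown key at least `threshold` times."""
    return sorted(ip for ip, hashes in attempts.items() if len(hashes) >= threshold)


if __name__ == "__main__":
    for ip, hashes in unknown_key_attempts(SAMPLE_LOG).items():
        print(ip, len(hashes), "unknown-key attempts")
```
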



