Re: [Monotone-devel] db kill_rev_locally

From: Daniel Carrera
Subject: Re: [Monotone-devel] db kill_rev_locally
Date: Sat, 11 Oct 2008 23:20:50 +0200
User-agent: Thunderbird (Macintosh/20080914)

Nathaniel Smith wrote:
> No, it simply wipes out the revision and its certs, as if they never
> existed.  (Except that as you note, it does leave some of the
> associated data behind in the database, but there's no way to get at
> this data except by poking around in the db by hand.)
>
> This isn't really a security issue, though, because it only affects
> the database that it's run on.

Yes it is, because it easily allows a DOS attack from a malicious developer or someone with a developer's credentials and there is no way to identify the attacker. Second, the fact that you can recover from a disaster does not mean that the attack did not succeed. There are three aspects to security against an attack:

1) Prevention.
2) Detection.
3) Recovery.

Against this particular attack, Monotone only has recovery. Monotone has a great recovery system, but something in the way of prevention or detection would be a worthy improvement. For example:

1) Prevention: Remove or somehow restrict the "db kill_rev_locally" command and the "db execute" command.

2) Detection: Record who runs "db kill_rev_locally" (recording "db execute" is kind of pointless).

