[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Monotone-devel] db kill_rev_locally

From: Daniel Carrera
Subject: Re: [Monotone-devel] db kill_rev_locally
Date: Sun, 12 Oct 2008 00:01:16 +0200
User-agent: Thunderbird (Macintosh/20080914)

Daniel Carosone wrote:
This isn't really a security issue, though, because it only affects
the database that it's run on.
Yes it is, because it easily allows a DOS attack from a malicious developer or someone with a developer's credentials and there is no way to identify the attacker.

No. It doesn't require (monotone) credentials (ie, key).  It is
applicable only to those who have write access (at the OS level) to
the developer's database.

So it can only happen if the developer has SSH access. Tell me if I'm wrong, but if you want developers to tunnel through SSH they can then execute Monotone commands including "db execute". Right?

A malicious developer can only hurt himself, he can't publish
something with his key that will kill revs from other users'
databases.  An attacker with write access to the developer's local db
storage can do whatever he likes to that storage, regardless of code
we might write in a mtn executable.

I understand where you are coming from. An attacker with arbitrary shell access could just run "rm". But there are ways to mitigate that risk. You could give them a custom shell that only allows running one command: mtn. You can also make and ~/.monotonerc belong to root an run mtn with the set-UID bit like the mount command.

The problem of malicious insiders is well established and there are a number of known solutions to mitigate the risk. But these solutions fall apart if a program that insiders are supposed to run is insecure.

You could deny SSH access to developers, but that has other security implications that some projects may find unacceptable.

Allow me to make a recommendation that I think everyone will find acceptable: Create a mechanism to disable certain commands through a config file. Disable "kill_rev_locally" and "execute" by default. This removes no functionality for users who want to run these commands locally. But an admin on a server can look to protect this file just as he protects the database file. Monotone already depends on ~/.monotone being secure for other purposes, so this does not generally impose an additional requirement on the admin.

Developers who want to run these commands locally, can do so easily. Admins who want to secure their server, can do so easily. Everyone's happy.

Kind regards,

reply via email to

[Prev in Thread] Current Thread [Next in Thread]