* [refpolicy] A few tweaks for the gitolite policy
@ 2012-02-15 16:01 Konstantin Ryabitsev
2012-02-21 19:23 ` Christopher J. PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: Konstantin Ryabitsev @ 2012-02-15 16:01 UTC (permalink / raw)
To: refpolicy
Hi, all:
ADCs are "Admin-defined commands" that come bundled with gitolite.
Though they are normally not packaged, they are part of the gitolite
distribution and are almost always installed by admins:
http://sitaramc.github.com/gitolite/shipped_ADCs.html
It would be welcome if the default gitosis policy allowed them to work.
It already partially supports ADCs by permitting:
exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
>From my recent experience, it also requires the following:
* managing files in /tmp, as a couple of these ADCs use here-docs
(bash writes those out into /tmp/sh-thd-{timestamp} and then
reads them back in)
* ability to execute /usr/bin/gl-* (gitosis_exec_t) -- notably the
"fork" ADC relies on that.
I don't submit a patch, because I wanted to leave it up to the
maintainer's discretion whether to add support for the default ADCs.
Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montr?al, Qu?bec
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 665 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120215/f9281c46/attachment.bin
^ permalink raw reply [flat|nested] 2+ messages in thread* [refpolicy] A few tweaks for the gitolite policy
2012-02-15 16:01 [refpolicy] A few tweaks for the gitolite policy Konstantin Ryabitsev
@ 2012-02-21 19:23 ` Christopher J. PeBenito
0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2012-02-21 19:23 UTC (permalink / raw)
To: refpolicy
On 2/15/2012 11:01 AM, Konstantin Ryabitsev wrote:
> ADCs are "Admin-defined commands" that come bundled with gitolite.
> Though they are normally not packaged, they are part of the gitolite
> distribution and are almost always installed by admins:
>
> http://sitaramc.github.com/gitolite/shipped_ADCs.html
>
> It would be welcome if the default gitosis policy allowed them to work.
> It already partially supports ADCs by permitting:
> exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
This is something we want to avoid if possible. Executing files that can also be written by the same domain is a good opening for arbitrary code execution. It sounds like the files should be labeled something else, eg. gitosis_exec_t or gitosis_adc_t.
> From my recent experience, it also requires the following:
>
> * managing files in /tmp, as a couple of these ADCs use here-docs
> (bash writes those out into /tmp/sh-thd-{timestamp} and then
> reads them back in)
> * ability to execute /usr/bin/gl-* (gitosis_exec_t) -- notably the
> "fork" ADC relies on that.
I'd have to see the changes, but that seems reasonable..
> I don't submit a patch, because I wanted to leave it up to the
> maintainer's discretion whether to add support for the default ADCs.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-02-21 19:23 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-02-15 16:01 [refpolicy] A few tweaks for the gitolite policy Konstantin Ryabitsev
2012-02-21 19:23 ` Christopher J. PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.