Re: HEADS UP: Importing csup into base

On Wed, Mar 01, 2006 at 04:17:08PM -0500, Kris Kennaway wrote:
> On Wed, Mar 01, 2006 at 04:19:32PM -0500, Wesley Shields wrote:
> > On Wed, Mar 01, 2006 at 03:33:41PM -0500, Lowell Gilbert wrote:
> > > Scott Long <scottl_at_samsco.org> writes:
> > > 
> > > > Maxime Henrion wrote:
> > > > > 	Hey all,
> > > > > I have released a new snapshot of csup a few minutes ago,
> > > > 
> > > > [...]
> > > > 
> > > > >   - Executes (shell commands sent by the server, even more rarely
> > > > > used),
> > > > 
> > > > Are you joking?
> > > 
> > > Are you asking whether he's joking about (1) the idea of ever
> > > implementing it, (2) the fact that he hasn't done it yet, or 
> > > (3) the idea that it's rarely used?  All of those sound 
> > > reasonable to me...
> > 
> > I'm questioning (1) myself.  This just seems like a bad idea from a
> > security perspective.  Of course, some kind of sanitization could
> > mitigate the issue.
> 
> Let's not lose sight of the fact that whoever runs the cvsup server
> already owns your machine, since they're giving you unauthenticated
> source code [1].

You are right on this point.  But on the scale of potentially bad things
I think a rogue server sending commands that the client exectues is
pretty close to a rogue server sending malicious source code.  At least
the source is easily verifiable and (in the case of the malicious source
being inserted at the master site) has a good chance of being noticed.

It's not that I'm 100% against this idea, but rather that I'd like to
see the client be cautious of the possibility of a rogue server.  Of
course, this could all be the plan and I'm just raising a non-issue.

> Kris
> 
> [1] Please don't take this as an invitation to talk about how Someone
> Should Fix This, since it's not on the table until Someone first
> writes csupd :-)

I didn't see it as an invitation as I've seen it discussed many times
before.  Either way, I'm very pleased to see a client written in C.  :)

-- WXS