From b7a3b1615f17991e400b5fa93c7e8a8cfffd348c Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 19 Jan 2011 14:09:53 -0400 Subject: [PATCH] Trust flag day. All mrconfig files except the main ~/.mrconfig are now untrusted by default, until listed in ~/.mrtrust. --- TODO | 3 --- debian/changelog | 7 ++++++ debian/copyright | 3 +-- mr | 63 ++++++++++++++++++++++++------------------------ 4 files changed, 40 insertions(+), 36 deletions(-) diff --git a/TODO b/TODO index bc5d00b..43eae03 100644 --- a/TODO +++ b/TODO @@ -1,6 +1,3 @@ -* For compatability, ~/.mrtrust has to exist before trust checks are - enabled. Change this in a flag day. - * After the mtrust flag day, consider making something similar to -p be enabled by default. diff --git a/debian/changelog b/debian/changelog index 5d7c406..29dd877 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +mr (1.00) UNRELEASED; urgency=low + + * Trust flag day. All mrconfig files except the main ~/.mrconfig are + now untrusted by default, until listed in ~/.mrtrust. + + -- Joey Hess Wed, 19 Jan 2011 13:39:43 -0400 + mr (0.51) unstable; urgency=low * Fix display when absolute directories are configured in mrconfig. diff --git a/debian/copyright b/debian/copyright index b3bbadd..5e8c312 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,8 +1,7 @@ Format: http://dep.debian.net/deps/dep5/ -Source: native package Files: * -Copyright: (c) 2007-2010 Joey Hess +Copyright: (c) 2007-2011 Joey Hess License: GPL-2+ On Debian systems, the complete text of the GPL can be found in /usr/share/common-licenses/GPL. diff --git a/mr b/mr index 5a877fe..41a5362 100755 --- a/mr +++ b/mr 
@@ -400,26 +400,28 @@ the action that is performed for a given revision control system, you can override these rcs specific actions. To add a new revision control system, you can just add rcs specific actions for it. -The ~/.mrlog file contains commands that mr has remembered to run later, -due to being offline. You can delete or edit this file to remove commands, -or even to add other commands for 'mr online' to run. If the file is -present, mr assumes it is in offline mode. - =head1 UNTRUSTED MRCONFIG FILES Since mrconfig files can contain arbitrary shell commands, they can do anything. This flexibility is good, but it also allows a malicious mrconfig file to delete your whole home directory. Such a file might be contained -inside a repository that your main ~/.mrconfig checks out and chains to. To -avoid worries about evil commands in a mrconfig file, mr -has the ability to read mrconfig files in untrusted mode. Such files are -limited to running only known safe commands (like "git clone") in a -carefully checked manner. +inside a repository that your main ~/.mrconfig checks out. To +avoid worries about evil commands in a mrconfig file, mr defaults to +reading all mrconfig files other than the main ~/.mrconfig in untrusted +mode. In untrusted mode, mrconfig files are limited to running only known +safe commands (like "git clone") in a carefully checked manner. + +To configure mr to trust other mrconfig files, list them in ~/.mrtrust. +One mrconfig file should be listed per line. Either the full pathname +should be listed, or the pathname can start with "~/" to specify a file +relative to your home directory. -By default, mr trusts all mrconfig files. (This default will change in a -future release!) But if you have a ~/.mrtrust file, mr will only trust -mrconfig files that are listed within it. (One file per line.) All other -files will be treated as untrusted. 
+=head1 OFFLINE LOG FILE + +The ~/.mrlog file contains commands that mr has remembered to run later, +due to being offline. You can delete or edit this file to remove commands, +or even to add other commands for 'mr online' to run. If the file is +present, mr assumes it is in offline mode. =head1 EXTENSIONS @@ -433,7 +435,7 @@ mr returns nonzero if a command failed in any of the repositories. =head1 AUTHOR -Copyright 2007-2010 Joey Hess +Copyright 2007-2011 Joey Hess Licensed under the GNU GPL version 2 or higher. @@ -925,22 +927,16 @@ sub is_trusted_config { my $trustfile=$ENV{HOME}."/.mrtrust"; - if (! -e $trustfile) { - print "mr: Assuming $config is trusted.\n"; - print "mr: For better security, you are encouraged to create ~/.mrtrust\n"; - print "mr: and list all trusted mrconfig files in it.\n"; - return 1; - } - if (! %trusted) { $trusted{"$ENV{HOME}/.mrconfig"}=1; - open (TRUST, "<", $trustfile) || die "$trustfile: $!"; - while () { - chomp; - s/^~\//$ENV{HOME}\//; - $trusted{abs_path($_)}=1; + if (open (TRUST, "<", $trustfile)) { + while () { + chomp; + s/^~\//$ENV{HOME}\//; + $trusted{abs_path($_)}=1; + } + close TRUST; } - close TRUST; } return $trusted{$config}; @@ -1024,6 +1020,11 @@ sub is_trusted_checkout { return 0; } +sub trusterror { + die shift()."\n". + "(To trust this file, list it in ~/.mrtrust.)\n"; +} + my %loaded; sub loadconfig { my $f=shift; @@ -1097,7 +1098,7 @@ sub loadconfig { if (! is_trusted_repo($section) || $section eq 'ALIAS' || $section eq 'DEFAULT') { - die "mr: illegal section \"[$section]\" in untrusted $f line $line\n"; + trusterror "mr: illegal section \"[$section]\" in untrusted $f line $line"; } } $section=expandenv($section) if $trusted; 
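Review bot: In the is_trusted_config hunk, the new `if (open (TRUST, "<", $trustfile))` swallows every open failure, so a ~/.mrtrust that exists but is unreadable (bad permissions, I/O error) is indistinguishable from an absent one; the outcome is fail-closed, which is the right default, but the user then only sees "illegal section ... (To trust this file, list it in ~/.mrtrust.)" for a file they already listed, with no hint at the real cause. The removed code died on any open error, and I would keep that for everything except a missing file, e.g. `elsif (-e $trustfile) { die "$trustfile: $!\n"; }` after the `if` block. The loop also hands every line to abs_path, including blank or comment lines, so a `next if /^\s*(#|$)/;` before the `~/` expansion would make the format described in the POD hunk more forgiving. Note that the hard-coded `$trusted{"$ENV{HOME}/.mrconfig"}=1` is not normalised with abs_path while the file entries are, so if the caller normalises `$config` the same way the main config key may fail to match when $HOME contains a symlink — the caller is not visible here, and the hunk's `while () {` has presumably lost its `<TRUST>` readline to rendering. The sub begins before and ends after this hunk.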
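Review bot: The hint added in the new trusterror sub, `(To trust this file, list it in ~/.mrtrust.)`, is printed at exactly the moment an untrusted mrconfig attempted something untrusted mode forbids, which is also when a malicious file most wants the user to whitelist it; the wording should steer the user to inspect the file first, e.g. `"(If you have reviewed this file and trust it, list it in ~/.mrtrust.)\n"`. The sub also carries no comment; I would add `# Die with a trust-violation message plus a hint on how to whitelist the file.` above it. The callers changed in the later hunks already name the offending file and line in their messages, so the hint need not repeat them.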
@@ -1124,10 +1125,10 @@ sub loadconfig {
 # Untrusted files can only contain checkout
 # parameters.
 if ($parameter ne 'checkout') {
- die "mr: illegal setting \"$parameter=$value\" in untrusted $f line $line\n";
+ trusterror "mr: illegal setting \"$parameter=$value\" in untrusted $f line $line";
 }
 if (! is_trusted_checkout($value)) {
- die "mr: illegal checkout command \"$value\" in untrusted $f line $line\n";
+ trusterror "mr: illegal checkout command \"$value\" in untrusted $f line $line";
 }
 }
-- 2.39.5