This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: new batch of replies (D)


"Joseph S. Myers" <jsm28@cam.ac.uk> writes:

> On Tue, 10 Dec 2002, Tom Lord wrote:
>
>> Yes, but any compromise that can run arbitrary code with the p4d id
>> can corrupt the repository.
>
> The presumption is that the protocol used to communicate with the daemon
> is as simple as possible and the daemon is well coded and audited (better
> than cvs server).

The presumption I'm making is more fundamental: if there's only one
user ID (ignoring root) with write privileges on the repository, and
the sysadmins have tight control over what processes can legitimately
run under that user ID, that reduces the number of potential
vulnerabilities that can lead to the repository being compromised.
It's a privilege-separation argument, not an ease-of-auditing argument.

zw
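
The argument above rests on two checkable assumptions: that exactly one user ID can write to the repository, and that the administrators know which processes run under that ID. The following script, an added example that is not part of the thread or of any GCC, Perforce or CVS code, audits both on a POSIX host. It walks a repository tree and flags anything not owned by the expected uid or writable by group or others, and (on Linux, via /proc) lists the processes whose effective uid is that account. The repository layout it builds in a temporary directory is constructed for the demonstration and does not resemble a real p4d or cvs tree.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_repo_permissions(repo_root, owner_uid):
    """Report every path under repo_root that breaks the single-writer rule:
    anything not owned by owner_uid, or writable by group or others.
    Returns a list of (relative_path, reason) tuples; an empty list is clean."""
    root = Path(repo_root)
    findings = []
    for path in [root, *root.rglob("*")]:
        st = path.lstat()                       # lstat: never follow symlinks
        rel = str(path.relative_to(root))
        if st.st_uid != owner_uid:
            findings.append((rel, "owned by uid %d, expected %d" % (st.st_uid, owner_uid)))
        if st.st_mode & stat.S_IWGRP:
            findings.append((rel, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
    return findings


def processes_running_as(uid, proc="/proc"):
    """List (pid, name) for processes whose effective uid equals `uid`, read
    from the Linux /proc filesystem. Returns [] where /proc is unavailable."""
    result = []
    if not os.path.isdir(proc):
        return result
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status"), errors="replace") as fh:
                fields = {}
                for line in fh:
                    key, _, value = line.partition(":")
                    fields[key] = value.strip()
        except OSError:
            continue                            # process exited or is not readable
        uids = fields.get("Uid", "").split()    # real, effective, saved, fs uid
        if len(uids) >= 2 and int(uids[1]) == uid:
            result.append((int(entry), fields.get("Name", "?")))
    return result


def demo():
    """Constructed repository layout (hypothetical, not a real p4d or cvs tree)
    with two deliberate mistakes, to show what the audit flags."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        repo.mkdir()
        os.chmod(repo, 0o750)
        (repo / "db.lock").write_text("")
        os.chmod(repo / "db.lock", 0o640)       # fine: only the owner can write
        (repo / "objects").mkdir()
        os.chmod(repo / "objects", 0o770)       # mistake: the group can write
        loose = repo / "objects" / "loose.txt"
        loose.write_text("x")
        os.chmod(loose, 0o666)                  # mistake: everyone can write
        return audit_repo_permissions(repo, os.getuid())


if __name__ == "__main__":
    for rel, reason in demo():
        print("%-20s %s" % (rel, reason))
    for pid, name in processes_running_as(os.geteuid()):
        print("pid %d (%s) runs as uid %d" % (pid, name, os.geteuid()))
```

Run against a real repository directory, the audit should come back empty and the process list should contain only the daemon the administrators expect; any other entry in either list is a hole in the single-writer assumption, whichever server program is in use.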

