diff options
| author |  Joey Hess <joeyh@joeyh.name> | 2017-05-09 17:04:39 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2017-05-09 17:04:39 -0400 |
| commit | 98038d7371951fc31f2e9bf737cc7e2b35f90e49 (patch) | |
| tree | 576535e3625fdbbd7d7abcea2c0ebddf0032ce89 | |
| parent | 036c90d79289ef3c14c28d69c9d8ab94fca1e841 (diff) | |
comment
| -rw-r--r-- | doc/forum/Malicious_autoenabled_remotes/comment_1_c82464f40eb1442aadd0f1e89b72f41e._comment | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/doc/forum/Malicious_autoenabled_remotes/comment_1_c82464f40eb1442aadd0f1e89b72f41e._comment b/doc/forum/Malicious_autoenabled_remotes/comment_1_c82464f40eb1442aadd0f1e89b72f41e._comment new file mode 100644 index 000000000..0a1d230ed --- /dev/null +++ b/doc/forum/Malicious_autoenabled_remotes/comment_1_c82464f40eb1442aadd0f1e89b72f41e._comment @@ -0,0 +1,42 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 1""" + date="2017-05-09T20:45:17Z" + content=""" +`git-annex init` will try to auto-enable special remotes that have +been configured with autoenable=true. + +So if someone can push to the repository on trustedserver, they can +set up such a special remote and cause your later clones of it to enable +the special remote. Sync will then push content to their special remote. +They could also check in additional annexed file to the git repository, +and put their contents on their special remote, and sync would then +download the contents from there. + +Of course, someone who can do this has to have write access to the +git repository on trustedserver, and if they can write to the git repository, +they can also send annexed file to there, unless you've prevented that +somehow. + +I had not really considered the autoenable=true as a potential security +problem, so it's good to think about it that way. I don't know if we have a +real security problem here though. It seems to rely on the attacker +having write access to the trustedserver so far. + +I suppose the attacker could instead convince you to pull from a clone that +they control, and after you've pulled once, clones made from your +repository (or trustedserver after you push to there) will then autoenable +their special remote unexpectedly. Perhaps the goal then is to get git +annex sync to unexpectedly send file contents there, so they can collect +all your annexed files. Pulling from their repository once thus turns into +sending them all your annexed files going forward. + +So I am starting to see this as a security problem.. + +Note that pulling from someone untrusted can also change other settings in +the git-annex branch (since it's automatically merged), which can probably +screw up the repository fairly well in other ways, like setting numcopies +to 0 and messing with preferred content expressions such that git-annex +wants to drop all files, or copy files to repositories where you don't want +them to go, etc. +"""]] |