2012-02-15 16:01:33

by icon

Subject: [refpolicy] A few tweaks for the gitolite policy

Hi, all:

ADCs are "Admin-defined commands" that come bundled with gitolite.
Though they are normally not packaged, they are part of the gitolite
distribution and are almost always installed by admins:

http://sitaramc.github.com/gitolite/shipped_ADCs.html

It would be welcome if the default gitosis policy allowed them to work.
It already partially supports ADCs by permitting:
exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)

From my recent experience, it also requires the following:

* managing files in /tmp, as a couple of these ADCs use here-docs
(bash writes those out into /tmp/sh-thd-{timestamp} and then
reads them back in)
* ability to execute /usr/bin/gl-* (gitosis_exec_t) -- notably the
"fork" ADC relies on that.

I don't submit a patch, because I wanted to leave it up to the
maintainer's discretion whether to add support for the default ADCs.

Best,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec


2012-02-21 19:23:46

by cpebenito

Subject: [refpolicy] A few tweaks for the gitolite policy

On 2/15/2012 11:01 AM, Konstantin Ryabitsev wrote:
> ADCs are "Admin-defined commands" that come bundled with gitolite.
> Though they are normally not packaged, they are part of the gitolite
> distribution and are almost always installed by admins:
>
> http://sitaramc.github.com/gitolite/shipped_ADCs.html
>
> It would be welcome if the default gitosis policy allowed them to work.
> It already partially supports ADCs by permitting:
> exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)

This is something we want to avoid if possible. Executing files that can also be written by the same domain is a good opening for arbitrary code execution. It sounds like the files should be labeled something else, e.g. gitosis_exec_t or gitosis_adc_t.

> From my recent experience, it also requires the following:
>
> * managing files in /tmp, as a couple of these ADCs use here-docs
> (bash writes those out into /tmp/sh-thd-{timestamp} and then
> reads them back in)
> * ability to execute /usr/bin/gl-* (gitosis_exec_t) -- notably the
> "fork" ADC relies on that.

I'd have to see the changes, but that seems reasonable.

> I don't submit a patch, because I wanted to leave it up to the
> maintainer's discretion whether to add support for the default ADCs.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
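As an added illustration of the two messages above (this is not a patch from either poster, nor code from refpolicy or gitolite), here is what the "write and execute the same type" rule Konstantin reports working looks like next to the separate-type layout Chris suggests, together with the /tmp and /usr/bin/gl-* access Konstantin lists. The existing gitosis module types gitosis_t, gitosis_exec_t and gitosis_var_lib_t are taken from the thread; gitosis_adc_t (one of Chris's suggested names) and gitosis_tmp_t are assumed new types, and the /var/lib/gitolite/adc path is an assumed location for the ADC scripts, so adjust it to wherever GL_ADC_PATH actually points. The interfaces and patterns used (exec_files_pattern, manage_files_pattern, can_exec, corecmd_executable_file, files_tmp_file, files_tmp_filetrans) are standard refpolicy ones.

```selinux
########################################
#
# Weak form (what the current policy permits, and what the reply objects to):
# gitosis_t can both write and execute files of type gitosis_var_lib_t,
# so anything that can write under /var/lib/gitolite can get code run
# in the gitosis_t domain.
#
# exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
# manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)

########################################
#
# Hardened form: give the ADC scripts their own executable type.
# gitosis_t may run them but gets no write access to that type.
#

# Assumed new type for the shipped ADC scripts (not in the gitosis module).
type gitosis_adc_t;
corecmd_executable_file(gitosis_adc_t)

# Execute, but do not manage, the ADC scripts.
can_exec(gitosis_t, gitosis_adc_t)

# The "fork" ADC calls /usr/bin/gl-*, which is already labeled
# gitosis_exec_t; allow executing it without a domain transition.
can_exec(gitosis_t, gitosis_exec_t)

# Here-documents: bash writes /tmp/sh-thd-* and reads it back.
# Use a private tmp type rather than granting access to generic tmp_t.
# gitosis_tmp_t is an assumed new type.
type gitosis_tmp_t;
files_tmp_file(gitosis_tmp_t)
manage_files_pattern(gitosis_t, gitosis_tmp_t, gitosis_tmp_t)
files_tmp_filetrans(gitosis_t, gitosis_tmp_t, file)

########################################
#
# File contexts (gitosis.fc). The ADC directory path is an assumption;
# the gl-* line reflects the labeling the thread already relies on.
#
# /usr/bin/gl-.*                  --  gen_context(system_u:object_r:gitosis_exec_t,s0)
# /var/lib/gitolite/adc(/.*)?         gen_context(system_u:object_r:gitosis_adc_t,s0)
```

The point of the split is that no single rule hands gitosis_t write permission on a type it is also allowed to execute: a compromised hook or repository push can still scribble under gitosis_var_lib_t, but it cannot turn that into an executable the domain will run. After relabeling, a quick check is `sesearch -A -s gitosis_t -t gitosis_adc_t -c file`, which should show execute-related permissions but no write or create.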