[crossfire] crossfire source code control systems
Alex Schultz
alex_sch at telus.net
Thu Aug 17 19:10:43 CDT 2006
Andrew Fuchs wrote:
> I would like to bring up another issue regarding the sf.net webspace
> and Mercurial. The last time I checked (looking into running a wiki
> on it) all scripts run without a sandbox and as the same user. This
> creates a large security issue, where it may be possible for someone
> else that has access to a sf.net webspace to screw around with the
> repository.
Well, unless we can get the quota expanded significantly, we wouldn't be
able to use Mercurial on sf.net webspace anyways. Unless I'm missing
something, sf.net doesn't run all scripts on the same user on SF;
instead, the security issue with wiki software on it is that any project
admin has read access to any of the web accounts. For wiki servers, this
often means that password hashes in the login system are publicly
accessible. For Mercurial (and most distributed SCMs) that isn't an
issue though, because Mercurial never stores any password hashes,
because all access control is handled by SSH and/or HTTP authentication.