commit emails from a central server with bzr 2.6

Vincent Ladeuil vila+bzr at
Thu Jun 6 07:04:34 UTC 2013

>>>>> Glenn Morris <rgm at> writes:

    > I got it working. There was a hard-coded --no-plugins being passed
    > to bzr in the script that acts as the login shell for Savannah
    > users.

Wow, good catch, that would have been tricky to diagnose remotely ;)

    > You may remember being prescient about this:


    > :)


    > Could you reassure me that removing --no-plugins is fine from a
    > security point of view?

Well, strictly speaking? No. Removing --no-plugins means you're opening
a way for an intruder to change bzr behavior by installing a nasty
plugin. But once an intruder is in the place, nothing stops him from
modifying bzr itself or, for that matter, even glibc, in which case you
have other problems.

But --no-plugins is a big hammer as it disables even bzr's own core
plugins which, depending on your usage, may remove some key features
(mostly launchpad access though so you may not care).

In any case, --no-plugins was meant to help diagnose issues with
plugins, not to improve security.

    > I don't really understand why Sylvain Beucler was so keen on it
    > back in 2010 [1]. I understand that users should not be able to
    > install arbitrary plugins. AFAIK, there is no way a Savannah user
    > can do this. They have no access to their home directories. In any
    > case, the login shell runs bzr with $ENV{'HOME'} = '/var/lib/bzr',
    > and users certainly do not have write access to that.

Right, that's what matters as far as I understand Savannah policy.

    > To be doubly sure, I'll add
    > $ENV{'BZR_PLUGIN_PATH'} = '-user:+core:-site'

Yup, that's the way to allow only core plugins, disabling others.

    > to the environment that the login shell sets up.

Hold on, if you do that, you have to install bzr-email as a 'core'
plugin then, i.e. under bzrlib/plugins.

Ha, sorry, re-reading the thread, I see you did that indeed:

    > 1. apt-get install bzr-email

    > This installs the plugin in
    > /usr/lib/python2.6/dist-packages/bzrlib/plugins.

    > `bzr plugins' lists it.

So all is well :)

Make sure this is well documented to avoid issues if/when bzr itself is
upgraded (AFAIU Debian upgrade policies, it should, but better safe than

