autoenable security for compute special remote
Added annex.security.autoenable-compute-programs and only allow autoenabling special remotes that use compute programs on that list. The reason this is needed is a user might have some compute programs that are less safe to use than others. They might want to use an unsafe one only with one repository, where they are the only committer or other committers are trusted. They might be ok with others being used by any repository, and if so they can add them to the list. Another reason would be a user who has installed a compute program by accident. Eg, it might be included with git-annex at some point, or pulled in by some dependency. That user doesn't necessarily want that compute program to be used in an autoenabled special remote.
parent 89bfeada87
commit f32d2aecce
6 changed files with 36 additions and 7 deletions
|
@ -23,6 +23,7 @@ module Remote.Compute (
|
|||
) where
|
||||
|
||||
import Annex.Common
|
||||
import qualified Annex
|
||||
import Types.Remote
|
||||
import Types.ProposedAccepted
|
||||
import Types.MetaData
|
||||
|
@ -118,8 +119,23 @@ gen r u rc gc rs = case getComputeProgram' rc of
|
|||
}
|
||||
|
||||
setupInstance :: SetupStage -> Maybe UUID -> Maybe CredPair -> RemoteConfig -> RemoteGitConfig -> Annex (RemoteConfig, UUID)
|
||||
setupInstance _ mu _ c _ = do
|
||||
setupInstance ss mu _ c _ = do
|
||||
ComputeProgram program <- either giveup return $ getComputeProgram' c
|
||||
case ss of
|
||||
AutoEnable _ -> do
|
||||
l <- maybe [] words
|
||||
. annexAutoEnableComputePrograms
|
||||
<$> Annex.getGitConfig
|
||||
unless (program `elem` l) $ do
|
||||
let remotename = fromMaybe "(unknown)" (lookupName c)
|
||||
giveup $ unwords
|
||||
[ "Not auto-enabling compute special remote"
|
||||
, remotename
|
||||
, "because its compute program"
|
||||
, program
|
||||
, " is not listed in annex.security.autoenable-compute-programs"
|
||||
]
|
||||
_ -> noop
|
||||
unlessM (liftIO $ inSearchPath program) $
|
||||
giveup $ "Cannot find " ++ program ++ " in PATH"
|
||||
u <- maybe (liftIO genUUID) return mu
|
||||
|
|
|
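Review bot: In the `AutoEnable` branch of `setupInstance`, the last element of the `unwords` list is `" is not listed in annex.security.autoenable-compute-programs"` with a leading space, so the message is printed with a double space after the program name; drop the leading space. The comparison ``program `elem` l`` is on the bare program name and the binary is then located with `inSearchPath`, so listing a name trusts whatever executable of that name is found in PATH; that is worth a sentence in the documentation. Since the `_ -> noop` branch leaves other setup stages unchecked, the message could also tell the user that the remote can still be enabled by hand.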
@ -3,8 +3,6 @@
|
|||
* get input files for a computation (so `git-annex get .` gets every file,
|
||||
even when input files in a directory are processed after computed files)
|
||||
|
||||
* autoinit security
|
||||
|
||||
* addcomputed should honor annex.addunlocked.
|
||||
|
||||
* Perhaps recompute should write a new version of a file as an unlocked
|
||||
|
|
|
@ -146,6 +146,7 @@ data GitConfig = GitConfig
|
|||
, annexAllowedUrlSchemes :: S.Set Scheme
|
||||
, annexAllowedIPAddresses :: String
|
||||
, annexAllowUnverifiedDownloads :: Bool
|
||||
, annexAutoEnableComputePrograms :: Maybe String
|
||||
, annexMaxExtensionLength :: Maybe Int
|
||||
, annexMaxExtensions :: Maybe Int
|
||||
, annexJobs :: Concurrency
|
||||
|
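Review bot: `annexAutoEnableComputePrograms :: Maybe String` keeps the raw config value, unlike the neighbouring `annexAllowedUrlSchemes :: S.Set Scheme`, which is stored already parsed. The only consumer in this patch immediately applies `maybe [] words`, so consider making the field `[String]` and doing the split once in `extractGitConfig`; that keeps the allowlist parsing in one place if a second caller is added later.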
@ -261,6 +262,8 @@ extractGitConfig configsource r = GitConfig
|
|||
getmaybe (annexConfig "security.allowed-http-addresses") -- old name
|
||||
, annexAllowUnverifiedDownloads = (== Just "ACKTHPPT") $
|
||||
getmaybe (annexConfig "security.allow-unverified-downloads")
|
||||
, annexAutoEnableComputePrograms =
|
||||
getmaybe (annexConfig "security.autoenable-compute-programs")
|
||||
, annexMaxExtensionLength = getmayberead (annexConfig "maxextensionlength")
|
||||
, annexMaxExtensions = getmayberead (annexConfig "maxextensions")
|
||||
, annexJobs = fromMaybe NonConcurrent $
|
||||
|
|
|
@ -26,13 +26,12 @@ For security, the program should avoid exposing user input to the shell
|
|||
unprotected, or otherwise executing it.
|
||||
|
||||
The program is run in a temporary directory, which will be cleaned up after
|
||||
it exits. Note that it may be run in a subdirectory of its temporary
|
||||
it exits. Note that it may be run in a subdirectory of a temporary
|
||||
directory. This is done when `git-annex addcomputed` was run in a subdirectory
|
||||
of the git repository.
|
||||
|
||||
The content of any annexed file in the repository can be an input
|
||||
to the computation. The program requests an input by writing a line to
|
||||
stdout:
|
||||
The content of any file in the repository can be an input to the
|
||||
computation. The program requests an input by writing a line to stdout:
|
||||
|
||||
INPUT file.raw
|
||||
|
||||
|
|
|
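Review bot: The change from "any annexed file in the repository" to "any file in the repository" widens what the documentation says a compute program may request as input, and the commit message, which is only about autoenabling, does not mention it. If the wider wording is intended, it belongs in its own commit or should be noted in the message so the change in documented input scope is not lost in an unrelated commit.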
@ -2201,6 +2201,13 @@ Remotes are configured using these settings in `.git/config`.
|
|||
|
||||
Per-remote configuration of annex.security.allow-unverified-downloads.
|
||||
|
||||
* `annex.security.autoenable-compute-programs`
|
||||
|
||||
This is a space separated list of compute programs eg
|
||||
"git-annex-compute-foo git-annex-compute-bar". Listing a compute
|
||||
program here allows compute special remotes that use that program to be
|
||||
autoenabled.
|
||||
|
||||
# CONFIGURATION OF ASSISTANT
|
||||
|
||||
* `annex.delayadd`
|
||||
|
|
|
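Review bot: The new `annex.security.autoenable-compute-programs` entry does not say what happens when the setting is unset. From `maybe [] words` in `setupInstance`, unset means an empty list, so no compute special remote is autoenabled; state that default here, and that a name in the list has to match the compute program's name exactly.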
@ -15,6 +15,12 @@ program to use to compute the contents of annexed files. It must start with
|
|||
"git-annex-compute-". The program needs to be installed somewhere in the
|
||||
`PATH`.
|
||||
|
||||
The `autoenable` parameter can be set to "true" like with other special
|
||||
remotes to make git-annex automatically enable this special remote when
|
||||
run in a new clone of the repository. However, for security, autoenabling
|
||||
is only done when the git config `annex.security.autoenable-compute-programs`
|
||||
includes the name of the compute program.
|
||||
|
||||
All other "field=value" parameters passed to `initremote` will be passed
|
||||
to the program when running [[git-annex-addcomputed]]. Note that when the
|
||||
program takes a dashed option, it can be provided after "--":
|
||||
|
|
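Review bot: The new `autoenable` paragraph says when autoenabling is refused but not what the user can do next. Only the `AutoEnable` stage is checked in `setupInstance` (`_ -> noop` otherwise), so it would help to add that the remote can still be enabled manually with `git annex enableremote`, or autoenabled once the program is added to the config.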