[csw-maintainers] ideas

Ben Walton bwalton at opencsw.org
Mon Jul 11 04:30:24 CEST 2011

Excerpts from Ben Walton's message of Sun Jul 10 08:34:12 -0400 2011:
> Excerpts from Maciej Bliziński's message of Sat Jul 09 22:18:55 -0400 2011:
> > Detecting should be easy: a cron job tries to sign and verify a
> > random string. If it fails, it sends an alert.
> But we shouldn't allow signing random data.  The set of allowed inputs
> via the URL should specify the path (either the containing directory
> or fully qualified to the catalog file) using a $mirror_base setup to
> limit abuses.

I misinterpreted what you meant here.  Yes, a cron job on the private
host running as the same uid as the daemon could sign some file and
verify it.  If this fails, mail would be sent.

Ben Walton
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302
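The input restriction discussed in the quoted text above, as an added example that is not part of the original message or of any OpenCSW code: a request is resolved against a mirror base and accepted only if it names a catalog file inside that base. The function name `resolve_catalog`, the file name `catalog`, and the directory layout in `demo` are assumptions constructed for illustration.

```python
import os
import tempfile

CATALOG_NAME = "catalog"  # assumed file name of the catalog to sign


def resolve_catalog(mirror_base, requested):
    """Return the real path of the catalog file named by `requested`
    (a containing directory or a full path, relative to mirror_base).
    Raise ValueError if it leaves mirror_base or is not a catalog file."""
    base = os.path.realpath(mirror_base)
    # Treat the request as relative to the base even if it starts with "/".
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if os.path.isdir(candidate):
        candidate = os.path.realpath(os.path.join(candidate, CATALOG_NAME))
    # realpath has resolved ".." and symlinks, so a containment check is sound.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes mirror base")
    if os.path.basename(candidate) != CATALOG_NAME or not os.path.isfile(candidate):
        raise ValueError("not a catalog file")
    return candidate


def demo():
    """Build a constructed mirror tree and try several requests against it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "mirror")
        cat_dir = os.path.join(base, "unstable", "sparc", "5.10")
        os.makedirs(cat_dir)
        open(os.path.join(cat_dir, CATALOG_NAME), "w").close()
        secret = os.path.join(tmp, "secret")  # file outside the mirror base
        open(secret, "w").close()
        os.symlink(secret, os.path.join(base, "link"))  # symlink pointing out
        results = {}
        for req in ["unstable/sparc/5.10", "/unstable/sparc/5.10/catalog",
                    "../secret", "link", "unstable/sparc"]:
            try:
                resolve_catalog(base, req)
                results[req] = "accepted"
            except ValueError as exc:
                results[req] = str(exc)
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r}: {outcome}")
```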
