bwalton at opencsw.org
Mon Jul 11 04:30:24 CEST 2011
Excerpts from Ben Walton's message of Sun Jul 10 08:34:12 -0400 2011:
> Excerpts from Maciej Bliziński's message of Sat Jul 09 22:18:55 -0400 2011:
> > Detecting should be easy: a cron job tries to sign and verify a
> > random string. If it fails, it sends an alert.
> But we shouldn't allow signing random data. The set of allowed inputs
> via the URL should specify the path (either the containing directory
> or fully qualified to the catalog file) using a $mirror_base setup to
> limit abuses.
I misinterpreted what you meant here. Yes, a cron job on the private
host running as the same uid as the daemon could sign some file and
verify it. If this fails, mail would be sent.
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302
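
The input restriction discussed in the thread (only sign a catalog that lives under `$mirror_base`) could look like the following. This is an added example, not code from the thread or from the OpenCSW signing daemon; the catalog file name, the function names and the sample directory layout are assumptions constructed for illustration.

```python
import os
import tempfile

CATALOG_NAME = "catalog"  # assumed name of the file the daemon may sign


class RejectedPath(ValueError):
    """The requested path is not an allowed signing input."""


def resolve_catalog(mirror_base, requested):
    """Map a path taken from the URL to a catalog file under mirror_base."""
    if "\x00" in requested:
        raise RejectedPath("NUL byte in path")
    base = os.path.realpath(mirror_base)
    # Treat the request as relative to the base even if it starts with "/".
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    # A directory request means "the catalog inside this directory".
    if os.path.isdir(candidate):
        candidate = os.path.realpath(os.path.join(candidate, CATALOG_NAME))
    # realpath() has already resolved ".." and symlinks, so this compares
    # real on-disk locations rather than the string the client sent.
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedPath("outside mirror base")
    if os.path.basename(candidate) != CATALOG_NAME:
        raise RejectedPath("not a catalog file")
    if not os.path.isfile(candidate):
        raise RejectedPath("no such catalog")
    return candidate


def build_sample_tree():
    """Create a constructed mirror tree plus a directory outside it."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "mirror")
    arch = os.path.join(base, "unstable", "sparc", "5.10")
    os.makedirs(arch)
    os.makedirs(os.path.join(root, "secret"))
    for path in (os.path.join(arch, CATALOG_NAME),
                 os.path.join(arch, "README"),
                 os.path.join(root, "secret", CATALOG_NAME)):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    # Symlink inside the mirror that points outside it.
    os.symlink(os.path.join(root, "secret"), os.path.join(base, "escape"))
    return root, base
```

The daemon would pass only the returned path to the signing step, and the cron self-check described above could request a known catalog through the same function so that it exercises the real code path.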