[csw-maintainers] ideas

Ben Walton bwalton at opencsw.org
Mon Jul 11 04:30:24 CEST 2011


Excerpts from Ben Walton's message of Sun Jul 10 08:34:12 -0400 2011:
> Excerpts from Maciej Bliziński's message of Sat Jul 09 22:18:55 -0400 2011:
> 
> > Detecting should be easy: a cron job tries to sign and verify a
> > random string. If it fails, it sends an alert.
> 
> But we shouldn't allow signing random data.  The set of allowed inputs
> via the URL should specify the path (either the containing directory
> or fully qualified to the catalog file) using a $mirror_base setup to
> limit abuses.

I misinterpreted what you meant here.  Yes, a cron job on the private
host running as the same uid as the daemon could sign some file and
verify it.  If this fails, mail would be sent.

Thanks
-Ben
--
Ben Walton
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302
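
The `$mirror_base` restriction discussed in the quoted message, sketched as an added example that is not part of the original thread or of OpenCSW's code. It assumes the catalog file is named `catalog` and that requests arrive as paths relative to the mirror base; `resolve_catalog`, `RejectedPath` and the directory names in `demo` are hypothetical and constructed for illustration.

```python
import os
import tempfile

CATALOG_NAME = "catalog"  # assumption: name of the catalog file in each directory


class RejectedPath(ValueError):
    """The requested path is not a catalog file under the mirror base."""


def resolve_catalog(mirror_base, requested):
    """Map a request (containing directory or catalog file) to a real path."""
    base = os.path.realpath(mirror_base)
    if os.path.isabs(requested) or "\0" in requested:
        raise RejectedPath("path must be relative to the mirror base")
    # realpath collapses ".." and follows symlinks, so the containment
    # check below sees where the path really ends up.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.isdir(target):
        target = os.path.realpath(os.path.join(target, CATALOG_NAME))
    if os.path.commonpath([base, target]) != base:
        raise RejectedPath("path escapes the mirror base")
    if os.path.basename(target) != CATALOG_NAME or not os.path.isfile(target):
        raise RejectedPath("not a catalog file")
    return target


def demo():
    """Build a constructed mirror tree and classify several request paths."""
    reqs = ("unstable/sparc", "unstable/sparc/catalog", "../secret",
            "link/secret", "/etc/passwd", "unstable")
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "mirror")
        os.makedirs(os.path.join(base, "unstable", "sparc"))
        open(os.path.join(base, "unstable", "sparc", CATALOG_NAME), "w").close()
        open(os.path.join(tmp, "secret"), "w").close()   # file outside the base
        os.symlink(tmp, os.path.join(base, "link"))      # symlink leading outside
        results = {}
        for req in reqs:
            try:
                resolve_catalog(base, req)
                results[req] = "ok"
            except RejectedPath as exc:
                results[req] = str(exc)
        return results


if __name__ == "__main__":
    print(demo())
```
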


