monotone-devel

Re: [Monotone-devel] No Security for "monotone read": Why?


From: Chad Walstrom
Subject: Re: [Monotone-devel] No Security for "monotone read": Why?
Date: Wed, 4 Jan 2006 13:21:20 -0600
User-agent: Mutt/1.5.9i

On Wed, Jan 04, 2006 at 10:23:29AM -0800, Logan Sackette wrote:
> Thanks for Monotone.  I just noticed that I can add keys to my mtn
> db without a password.  I was just wondering, why that is allowed
> when it seemed like just about anything else about mtn is about
> security. 

It's allowed because the security of the key is a user responsibility.
Additionally, it allows such things as a monotone server to start up
without being prompted for a password.  The same can be done with ssh
certificates, ssl certs/keys, etc.

> I guess I am just thinking of a possible breach whereby someone who
> is not supposed to have access to a db might insert their key.

That would be an interesting crack. ;-)

> Or that isn't enough to gain access without some modification to the
> permit files?

monotonerc would have to be modified to allow the key identity.

-- Read permission: any listed identity may read any branch.
function get_netsync_read_permitted(branch, identity)
        if (identity == "address@hidden") then return true end
        if (identity == "address@hidden") then return true end
        return false
end

-- Write permission: only the listed identities may push.
function get_netsync_write_permitted(identity)
        if (identity == "address@hidden") then return true end
        if (identity == "address@hidden") then return true end
        return false
end

Granted, if you know what keys are allowed and what keys do and do not
exist in the repository, you theoretically might be able to insert a
key with an expected identity where a key didn't yet exist.  Using the
key signature would be a more exact way of managing permissions and
eliminate this vector of abuse.

Rule to take away from this:  Do not give access to any identity where
a corresponding key does not exist in the repository.

-- 
Chad Walstrom <address@hidden>           http://www.wookimus.net/
           assert(expired(knowledge)); /* core dump */
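The identity-versus-key-fingerprint distinction above, as an added example that models the policy in plain Python rather than monotone's Lua hook API (the repository contents, key bytes and identities are constructed for illustration):

```python
import hashlib


def fingerprint(pubkey: bytes) -> str:
    """Constructed key fingerprint: a hex digest of the public key bytes."""
    return hashlib.sha1(pubkey).hexdigest()


# Constructed repository state: identity -> fingerprint of the key stored under it.
REPO_KEYS = {
    "alice@example.com": fingerprint(b"alice-public-key-bytes"),
    "bob@example.com": fingerprint(b"bob-public-key-bytes"),
}

# Weak policy, as in the monotonerc hooks quoted above: trust by identity string.
# "carol@example.com" is granted access although no such key exists yet.
WRITE_ALLOWED_IDENTITIES = {"alice@example.com", "carol@example.com"}

# Stronger policy: trust by fingerprint of a key that already exists in the repository.
WRITE_ALLOWED_FINGERPRINTS = {REPO_KEYS["alice@example.com"]}


def write_permitted_by_identity(identity: str, fp: str) -> bool:
    """Identity-based check: the fingerprint is ignored entirely."""
    return identity in WRITE_ALLOWED_IDENTITIES


def write_permitted_by_fingerprint(identity: str, fp: str) -> bool:
    """Fingerprint-based check: a key with the expected name but a different
    fingerprint is rejected, which closes the gap described in the mail."""
    return fp in WRITE_ALLOWED_FINGERPRINTS


def dangling_identities(allowed: set, repo_keys: dict) -> list:
    """The take-away rule as an audit: identities granted access without a
    corresponding key in the repository, sorted for stable output."""
    return sorted(set(allowed) - set(repo_keys))


if __name__ == "__main__":
    # A key inserted later under the unclaimed identity, with unrelated key bytes.
    inserted_fp = fingerprint(b"some-other-public-key-bytes")
    print("identity check:   ", write_permitted_by_identity("carol@example.com", inserted_fp))
    print("fingerprint check:", write_permitted_by_fingerprint("carol@example.com", inserted_fp))
    print("dangling:", dangling_identities(WRITE_ALLOWED_IDENTITIES, REPO_KEYS))
```

Running `dangling_identities` against the permission list before granting access is the concrete form of the rule at the end of the mail.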
