From toivol at gmail.com Thu Dec 14 12:10:32 2023
From: toivol at gmail.com (Tõivo Leedjärv)
Date: Thu, 14 Dec 2023 18:10:32 +0100
Subject: [Unison-hackers] Multi-user, single UID ideas for Unison
In-Reply-To: <11b31a1a-44a6-4f4e-80f3-962ba337aead@e.email>
References: <11b31a1a-44a6-4f4e-80f3-962ba337aead@e.email>
Message-ID:

On Mon, 30 Oct 2023 at 23:45, nikp123 wrote:
>
> But I am not asking for any *particular* solution, I'm asking if the
> solution proposed here sounds sane or even practical. Yes, I do
> understand it's niche for almost all of you, but I'd like for Unison's
> syncing prowess to be useful outside of the server
> administrator/poweruser sphere. This was just one way of achieving that
> (albeit impractical for most people).

I don't think the solution needs to be as complicated as the discussion
here suggested. In fact, I think the solution you yourself proposed is
not only meaningful, it should actually be rather simple to implement.

Instead of looking at this as some security feature, I see this feature
as more akin to the don't-cross-filesystems option found in many
programs. This is similar, but here it's more like a pseudo-chroot.

There is actually prior art to what I think is pretty much exactly this
feature: https://borgbackup.readthedocs.io/en/stable/usage/serve.html

nikp, do I understand correctly that all you need is basically this?

- force the replica root to be the (or within the) specified directory;
- not allow symlinks outside the replica root.

Is this going to benefit other users? Not sure...
From gdt at lexort.com Thu Dec 14 12:22:40 2023
From: gdt at lexort.com (Greg Troxel)
Date: Thu, 14 Dec 2023 12:22:40 -0500
Subject: [Unison-hackers] Multi-user, single UID ideas for Unison
In-Reply-To: ("Tõivo Leedjärv"'s message of "Thu, 14 Dec 2023 18:10:32 +0100")
References: <11b31a1a-44a6-4f4e-80f3-962ba337aead@e.email>
Message-ID:

Tõivo Leedjärv writes:

> Instead of looking at this as some security feature, I see this
> feature as more akin to the don't-cross-filesystems option found in many
> programs. This is similar, but here it's more like a pseudo-chroot.
> There is actually prior art to what I think is pretty much exactly
> this feature: https://borgbackup.readthedocs.io/en/stable/usage/serve.html
>
> nikp, do I understand correctly that all you need is basically this?
>
> - force the replica root to be the (or within the) specified directory;
> - not allow symlinks outside the replica root.
>
> Is this going to benefit other users? Not sure...

I don't see why the first point is needed as whatever is wrapping
unison can specify roots. The idea of letting unison read config files
while caring about security (beyond the protections afforded by unix
norms) doesn't really make sense to me.

Ignoring symlinks outside the root makes sense to me. Actually, I'd
expect syncing the symlinks and not following them to be what happens
anyway.

From toivol at gmail.com Thu Dec 14 12:48:27 2023
From: toivol at gmail.com (Tõivo Leedjärv)
Date: Thu, 14 Dec 2023 18:48:27 +0100
Subject: [Unison-hackers] Multi-user, single UID ideas for Unison
In-Reply-To:
References: <11b31a1a-44a6-4f4e-80f3-962ba337aead@e.email>
Message-ID:

On Thu, 14 Dec 2023 at 18:22, Greg Troxel wrote:
>
> Tõivo Leedjärv writes:
>
> > nikp, do I understand correctly that all you need is basically this?
> >
> > - force the replica root to be the (or within the) specified directory;
> > - not allow symlinks outside the replica root.
> >
> > Is this going to benefit other users? Not sure...
>
> I don't see why the first point is needed as whatever is wrapping
> unison can specify roots. The idea of letting unison read config files
> while caring about security (beyond the protections afforded by unix
> norms) doesn't really make sense to me.

I was thinking let's not view this as a security feature as such
(that's what the OS is for).

> Ignoring symlinks outside the root makes sense to me. Actually, I'd
> expect syncing the symlinks and not following them to be what happens
> anyway.

Yes, that's what happens by default. But then there's the 'follow'
preference.

From gdt at lexort.com Thu Dec 14 12:55:17 2023
From: gdt at lexort.com (Greg Troxel)
Date: Thu, 14 Dec 2023 12:55:17 -0500
Subject: [Unison-hackers] Multi-user, single UID ideas for Unison
In-Reply-To: ("Tõivo Leedjärv"'s message of "Thu, 14 Dec 2023 18:48:27 +0100")
References: <11b31a1a-44a6-4f4e-80f3-962ba337aead@e.email>
Message-ID:

Tõivo Leedjärv writes:

> On Thu, 14 Dec 2023 at 18:22, Greg Troxel wrote:
>>
>> Tõivo Leedjärv writes:
>>
>> > nikp, do I understand correctly that all you need is basically this?
>> >
>> > - force the replica root to be the (or within the) specified directory;
>> > - not allow symlinks outside the replica root.
>> >
>> > Is this going to benefit other users? Not sure...
>>
>> I don't see why the first point is needed as whatever is wrapping
>> unison can specify roots. The idea of letting unison read config files
>> while caring about security (beyond the protections afforded by unix
>> norms) doesn't really make sense to me.
>
> I was thinking let's not view this as a security feature as such
> (that's what the OS is for).
>
>> Ignoring symlinks outside the root makes sense to me. Actually, I'd
>> expect syncing the symlinks and not following them to be what happens
>> anyway.
>
> Yes, that's what happens by default. But then there's the 'follow'
> preference.

So this seems to me to come down to: If you want to let people run
unison, or run it on their behalf, in a situation where you want to
restrict what happens more than regular Unix permissions, then you need
to specify command-line preferences and arrange that unison not find a
config file that will set other ones.
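The "no symlinks outside the replica root" rule discussed in this thread, and the reason the 'follow' preference matters for it, as an added example that is not part of the thread and not Unison's code: a pre-sync check that walks a replica root without following links and reports every symlink whose resolved target (relative paths, '..' and chained links included) leaves the root. The directory tree it builds is constructed for the demonstration; function names are the example's own.

```python
import os
import shutil
import tempfile
from pathlib import Path


def resolves_within(root: Path, link: Path) -> bool:
    """True only if the link's final target (relative paths, '..' and chained
    links all followed) is the root itself or something below it."""
    root_real = root.resolve()
    try:
        target_real = link.resolve(strict=True)
    except (OSError, RuntimeError):
        # Dangling link or symlink loop: it cannot be shown to stay inside,
        # so report it rather than silently accepting it.
        return False
    return target_real == root_real or root_real in target_real.parents


def find_escaping_symlinks(root) -> list:
    """Walk a replica root without following links and return the root-relative
    paths of every symlink whose target leaves the root (sorted)."""
    root = Path(root)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories appear in dirnames but are not descended into.
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if entry.is_symlink() and not resolves_within(root, entry):
                escaping.append(entry.relative_to(root).as_posix())
    return sorted(escaping)


def demo() -> list:
    """Build a constructed replica tree in a temp dir and run the check on it."""
    base = Path(tempfile.mkdtemp(prefix="replica-check-"))
    try:
        root = base / "replica"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "notes.txt").write_text("inside the replica\n")
        (base / "outside.txt").write_text("outside the replica\n")
        os.symlink("notes.txt", root / "docs" / "ok-relative")           # stays inside
        os.symlink(root / "docs", root / "docs-abs")                      # absolute, inside
        os.symlink("../../outside.txt", root / "docs" / "escape-dotdot")  # climbs out via '..'
        os.symlink(base / "outside.txt", root / "escape-abs")             # absolute, outside
        os.symlink("escape-abs", root / "chained")                        # link to an escaping link
        os.symlink("missing", root / "dangling")                          # dangling target
        return find_escaping_symlinks(root)
    finally:
        shutil.rmtree(base)
```

Running `demo()` returns `['chained', 'dangling', 'docs/escape-dotdot', 'escape-abs']`; a wrapper could run such a check before invoking unison, or simply leave 'follow' unset so the links are synced as links.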