[Unison-hackers] Multi-user, single UID ideas for Unison

Greg Troxel gdt at lexort.com
Thu Dec 14 12:55:17 EST 2023


Tõivo Leedjärv <toivol at gmail.com> writes:

> On Thu, 14 Dec 2023 at 18:22, Greg Troxel <gdt at lexort.com> wrote:
>>
>> Tõivo Leedjärv <toivol at gmail.com> writes:
>>
>> > nikp, do I understand correctly that all you need is basically this?
>> >
>> >  - force the replica root to be the (or within the) specified directory;
>> >  - not allow symlinks outside the replica root.
>> >
>> > Is this going to benefit other users? Not sure...
>>
>> I don't see why the first point is needed as whatever is wrapping
>> unison can specify roots.   The idea of letting unison read config files
>> while caring about security (beyond the protections afforded by unix
>> norms) doesn't really make sense to me.
>
> I was thinking let's not view this as a security feature as such
> (that's what the OS is for).
>
>> Ignoring symlinks outside the root makes sense to me.  Actually, I'd
>> expect syncing the symlinks and not following them to be what happens
>> anyway.
>
> Yes, that's what happens by default. But then there's the 'follow' preference.

So this seems to me to come down to:

  If you want to let people run unison, or run it on their behalf, in a
  situation where you want to restrict what happens more than regular
  Unix permissions, then you need to specify command-line preferences
  and arrange that unison not find a config file that will set other
  ones.
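
The second point in the quoted list (no symlinks leading outside the replica root) is something a wrapper could check itself before running unison with a 'follow' preference. This is an added example, not part of this message or of Unison's code; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def escaping_symlinks(root):
    """Relative paths of symlinks under root that resolve outside root."""
    real_root = os.path.realpath(root)
    found = []
    # os.walk lists symlinked directories in dirnames but, with the default
    # followlinks=False, never descends into them.
    for dirpath, dirnames, filenames in os.walk(real_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows chains of links and relative targets; for a
            # dangling link it returns the path the link would reach.
            target = os.path.realpath(path)
            if os.path.commonpath([real_root, target]) != real_root:
                found.append(os.path.relpath(path, real_root))
    return sorted(found)


def build_demo_tree(base):
    """Constructed sample replica (not from the thread); returns its root."""
    root = os.path.join(base, "replica")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(outside)
    for p in (os.path.join(root, "docs", "a.txt"), os.path.join(outside, "secret.txt")):
        with open(p, "w") as f:
            f.write("x")
    links = {
        "inside": "docs/a.txt",                      # stays in the replica
        "out_abs": outside,                          # absolute, leaves it
        "docs/out_rel": "../../outside/secret.txt",  # relative, leaves it
        "chain": "out_abs",                          # leaves via another link
        "dangling": "/nonexistent-constructed/x",    # broken, points outside
    }
    for name, target in links.items():
        os.symlink(target, os.path.join(root, name))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(escaping_symlinks(build_demo_tree(tmp)))
```

The audit is a point-in-time check: a link created after it runs and before the sync starts is not covered.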

