ikiwiki/doc/setup/byhand/discussion.mdwn

What directory is the 'working copy'? There can be two interpretations: the current dir and the .git dir.

> It is fairly common terminology amoung all version control systems to use
> "working copy" to refer to a checkout from version control, including
> copies of all the versioned files, and whatever VCS-specific cruft that
> entails. So, a working copy is everything you get when you `git clone`
> a repository. --[[Joey]]

-------------------

The page says *"Note that this file should **not** be put in your wiki's directory with the rest of the files."* Why is that?

One possible thing is security: Is it just a precaution or would anyone with "write" access to wiki be able to replace the file?

 --[[Martian]]

> Anyone with the ability to delete/replace attachments via the web UI, or the ability
> to commit directly to the VCS, would be able to replace it. That breaks ikiwiki's
> security model, because replacing the setup file is sufficient to achieve
> arbitrary code execution as the user running the CGI and VCS hooks. --[[smcv]]

>> Thanks. After all found it here: [[security]]. Now I wonder if I always use a file from the master branch, while limiting users to staging, it might fly...
Started discussion 2010-06-09 13:55:11 +02:00			`What directory is the 'working copy'? There can be two interpretations: the current dir and the .git dir.`
response 2010-06-09 19:45:18 +02:00
			`> It is fairly common terminology amoung all version control systems to use`
			`> "working copy" to refer to a checkout from version control, including`
			`> copies of all the versioned files, and whatever VCS-specific cruft that`
			> entails. So, a working copy is everything you get when you `git clone`
			`> a repository. --[[Joey]]`
Why not putting setup file in git? 2016-06-22 09:42:21 +02:00
			`-------------------`

			`The page says "Note that this file should not* be put in your wiki's directory with the rest of the files."* Why is that?`

			`One possible thing is security: Is it just a precaution or would anyone with "write" access to wiki be able to replace the file?`

			`--[[Martian]]`
yes, not committing the setup file to the same VCS is a security thing 2016-06-22 10:05:32 +02:00
			`> Anyone with the ability to delete/replace attachments via the web UI, or the ability`
			`> to commit directly to the VCS, would be able to replace it. That breaks ikiwiki's`
			`> security model, because replacing the setup file is sufficient to achieve`
			`> arbitrary code execution as the user running the CGI and VCS hooks. --[[smcv]]`
2016-06-22 17:35:48 +02:00
			`>> Thanks. After all found it here: [[security]]. Now I wonder if I always use a file from the master branch, while limiting users to staging, it might fly...`