From ec371adab1109b338a3de473298b41140ec5017e Mon Sep 17 00:00:00 2001 From: smcv Date: Wed, 22 Jun 2016 04:05:32 -0400 Subject: yes, not committing the setup file to the same VCS is a security thing --- doc/setup/byhand/discussion.mdwn | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'doc/setup') diff --git a/doc/setup/byhand/discussion.mdwn b/doc/setup/byhand/discussion.mdwn index 4d009f20d..6fc931ad3 100644 --- a/doc/setup/byhand/discussion.mdwn +++ b/doc/setup/byhand/discussion.mdwn @@ -13,3 +13,8 @@ The page says *"Note that this file should **not** be put in your wiki's directo One possible thing is security: Is it just a precaution or would anyone with "write" access to wiki be able to replace the file? --[[Martian]] + +> Anyone with the ability to delete/replace attachments via the web UI, or the ability +> to commit directly to the VCS, would be able to replace it. That breaks ikiwiki's +> security model, because replacing the setup file is sufficient to achieve +> arbitrary code execution as the user running the CGI and VCS hooks. --[[smcv]] -- cgit v1.2.3
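Review bot: missing documentation outside the discussion page. The reply appended at the end of this hunk (the four `>` lines signed --[[smcv]]) gives the reason only in doc/setup/byhand/discussion.mdwn, and Martian's question just above it suggests that the quoted note ("this file should **not** be put in your wiki's directo...") does not state that reason itself. Consider adding one sentence beside that note on the setup page saying that anyone who can replace attachments via the web UI or commit directly to the VCS could replace the setup file, and that replacing it is sufficient for arbitrary code execution as the user running the CGI and VCS hooks, so a reader following the by-hand setup sees the reason without opening the discussion.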