#3294 Issue closed: DRLM_MANAGED=yes may source third party code from a remote host
Labels: discuss / RFC, fixed / solved / done
jsmeix opened issue at 2024-07-23 10:03:
@didacog
For background information see
https://github.com/rear/rear/issues/3260
and its generic "parent"-issue
https://github.com/rear/rear/issues/3259
For this specific issue here see
https://github.com/rear/rear/issues/3285
and therein in particular for DRLM see
https://github.com/rear/rear/issues/3285#issuecomment-2244575251
The function drlm_import_runtime_config
in lib/drlm-functions.sh
may source third party code via
source $DRLM_CFG
where the DRLM_CFG file content
could even be downloaded from a remote host.
@didacog @rear/contributors
it should be verified before the ReaR 3.0 release
if third party code could be sourced here
or if all is reasonably safe.
didacog commented at 2024-07-23 10:33:
Hello @jsmeix
This sources the rear config provided from DRLM over the network from the DRLM client configs.
It is completely safe to keep that source.
jsmeix commented at 2024-07-23 10:57:
Hello @didacog
do I understand it correctly that what is sourced here
is basically the same as a local etc/rear/local.conf file
(and other usual ReaR config files)
but with DRLM those configs are stored on a DRLM server
which is basically the whole idea behind DRLM
to have various ReaR configs of various clients
stored and managed centrally on a DRLM server?
didacog commented at 2024-07-23 11:10:
@jsmeix, correct! You nailed it! ;)
jsmeix commented at 2024-07-23 11:11:
@didacog
thank you for your prompt replies!
It helped me a lot.
jsmeix commented at 2024-07-23 11:24:
Via
https://github.com/rear/rear/commit/1bce22e721ae1901ad56b119229ea7c5450abe83
I added in lib/drlm-functions.sh a comment
that explains how DRLM sources ReaR config files
to make it clear that all is OK with doing
source $DRLM_CFG
jsmeix commented at 2024-07-25 07:41:
I removed the "critical/security/legal" label from this issue
because it is no longer "critical/security/legal", cf.
https://github.com/rear/rear/issues/3294#issuecomment-2244903207
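
The thread settles that $DRLM_CFG is an ordinary ReaR config kept on the DRLM server; since `source` runs every line of such a file as shell, the script below (an added example, not ReaR or DRLM code and not part of the original issue) lists the lines of a config that are more than literal assignments and confirms that sourcing executes them. The helper names, the sample file content and the SAMPLE_MARKER variable are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: not ReaR or DRLM code. File content and helper names are constructed.

# Write a constructed sample config. OUTPUT, BACKUP, BACKUP_URL and
# BACKUP_PROG_ARCHIVE are ordinary ReaR settings; the last two lines
# carry shell code, which `source` runs like any other script line.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real DRLM client config
OUTPUT=ISO
BACKUP=NETFS
BACKUP_URL="nfs://backup.example.invalid/export"
BACKUP_PROG_ARCHIVE="backup-$(date +%F)"
touch "$SAMPLE_MARKER"
EOF
}

# Review aid: print (with line numbers) every line that is not blank, a
# comment, or a literal NAME=value assignment. Deliberately conservative:
# any expansion, array or compound command is listed for a human to read.
list_executable_lines() {
    grep -nEv \
        -e '^[[:space:]]*(#.*)?$' \
        -e '^[[:space:]]*(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*=([A-Za-z0-9_./:@%+,-]*|"[^"$`\]*")[[:space:]]*(#.*)?$' \
        "$1" || true
}

# Source the file in a subshell and return 0 if the marker command in it ran.
sourcing_ran_code() {
    local dir rc=0
    dir=$(mktemp -d) || return 2
    ( SAMPLE_MARKER="$dir/ran"; . "$1" ) >/dev/null 2>&1 || true
    [ -e "$dir/ran" ] || rc=1
    rm -rf "$dir"
    return "$rc"
}

cfg=$(mktemp) && write_sample_config "$cfg"
echo "Lines that run as code when the file is sourced:"
list_executable_lines "$cfg"
sourcing_ran_code "$cfg" && echo "source executed the embedded command"
rm -f "$cfg"
```

The listing is a reading aid for whoever reviews a centrally stored config, not a filter: ReaR config files are shell scripts, so lines it reports can be entirely legitimate.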
[Export of GitHub issue for rear/rear.]