Date: Sat, 22 Jul 2017 14:20:20 +0200
From: Stefan Bühler <stbuehler@...httpd.net>
To: oss-security@...ts.openwall.com
Cc: Pierre-Yves Chibon <pingou@...goured.fr>
Subject: pagure: private repositories accessible through ssh

Hi,

pagure [1], a git-centered forge, supports private repositories [2]:

> PRIVATE_PROJECTS
> ~~~~~~~~~~~~~~~~
>
> This configuration key allows you to host private repositories. These
> repositories are visible only to the creator of the repository and to
> the users who are given access to the repository. No information is
> leaked about the private repository which means redis doesn't have the
> access to the repository and even fedmsg doesn't get any
> notifications.
>
> Defaults to: ``False``

But the gitolite config, which is used to configure SSH-access, allows
"@..." users to access all repositories - private or not.

I proposed the attached patch upstream in [3].

After patching you should ensure gitolite.conf gets regenerated from
scratch.

cheers,
Stefan

[1]: https://pagure.io/pagure
[2]: https://pagure.io/pagure/blob/master/f/doc/configuration.rst
[3]: https://pagure.io/pagure/pull-request/2426

View attachment "2426-hide-private-repos-in-ssh.patch" of type "text/x-patch" (879 bytes)
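An added example, not part of this post or of pagure's own code: a small Python audit of a generated gitolite.conf that flags private repositories a catch-all group can still reach over ssh, the check an admin would run after regenerating the config. It assumes the standard gitolite.conf layout ("repo <name>" blocks with indented "<perm> = <members>" rules) and that the group the post shows as "@..." is gitolite's @all; the config text and the private-project list are constructed.

```python
import re

# Groups treated as "every ssh user"; the post's mangled "@..." is assumed
# here to be gitolite's built-in @all group (an assumption, not from the post).
BROAD_GROUPS = {"@all"}
REPO_RE = re.compile(r"^repo\s+(.+?)\s*$")
RULE_RE = re.compile(r"^\s+(\S+)\s*=\s*(.+?)\s*$")  # "<perm> = <members>"

def parse_gitolite_conf(text):
    """Map each repo name to its list of (perm, [members]) rules."""
    rules, current = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        m = REPO_RE.match(line)
        if m:  # "repo a b" opens a block whose rules apply to a and b
            current = m.group(1).split()
            for name in current:
                rules.setdefault(name, [])
            continue
        m = RULE_RE.match(line)
        if m and current:
            for name in current:
                rules[name].append((m.group(1), m.group(2).split()))
    return rules

def find_exposed_private_repos(conf_text, private_repos):
    """Private repos that a broad group can still reach over ssh."""
    exposed = [
        name
        for name, repo_rules in parse_gitolite_conf(conf_text).items()
        if name in private_repos
        and any(perm != "-" and BROAD_GROUPS & set(members)
                for perm, members in repo_rules)
    ]
    return sorted(exposed)

# Constructed gitolite.conf: "secret" is private yet still grants @all read access.
SAMPLE_CONF = """\
repo public-tool
    RW+ = alice
    R   = @all
repo secret
    RW+ = bob
    R   = @all   # leaked: every ssh user can clone it
repo secret-fixed
    RW+ = bob
"""
SAMPLE_PRIVATE = {"secret", "secret-fixed"}  # constructed: pagure private projects
```

Running `find_exposed_private_repos(SAMPLE_CONF, SAMPLE_PRIVATE)` returns `['secret']`; an empty list after regeneration is the expected result.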