Date: Sat, 22 Jul 2017 14:20:20 +0200
From: Stefan Bühler <stbuehler@...httpd.net>
To: oss-security@...ts.openwall.com
Cc: Pierre-Yves Chibon <pingou@...goured.fr>
Subject: pagure: private repositories accessible through ssh

Hi,

pagure [1], a git-centered forge, supports private repositories [2]:

> PRIVATE_PROJECTS
> ~~~~~~~~~~~~~~~~
>
> This configuration key allows you to host private repositories. These
> repositories are visible only to the creator of the repository and to
> the users who are given access to the repository.  No information is
> leaked about the private repository which means redis doesn't have the
> access to the repository and even fedmsg doesn't get any
> notifications.
>
> Defaults to: ``False``

But the gitolite config, which is used to configure SSH access, allows
"@..." users to access all repositories, private or not.

I proposed the attached patch upstream in [3].

After patching you should ensure gitolite.conf gets regenerated from
scratch.

cheers,
Stefan

[1]: https://pagure.io/pagure
[2]: https://pagure.io/pagure/blob/master/f/doc/configuration.rst
[3]: https://pagure.io/pagure/pull-request/2426

From 4af96a179912fc651e544c8ff90d9ddc9c7e6f48 Mon Sep 17 00:00:00 2001
From: Stefan Bühler <stbuehler@....de>
Date: Jul 17 2017 16:53:13 +0000
Subject: hide private repos in ssh too


'@...' shouldn't have access to private repos, otherwise every user sees
all private repositories.

---

diff --git a/pagure/lib/git_auth.py b/pagure/lib/git_auth.py
index 939e053..577b668 100644
--- a/pagure/lib/git_auth.py
+++ b/pagure/lib/git_auth.py
@@ -126,7 +126,7 @@ class Gitolite2Auth(GitAuthHelper):
                 repos = ''
 
             config.append('repo %s%s' % (repos, project.fullname))
-            if repos not in ['tickets/', 'requests/']:
+            if not project.private and repos not in ['tickets/', 'requests/']:
                 config.append('  R   = @all')
             if project.committer_groups:
                 config.append('  RW+ = @%s' % ' @'.join(
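Review bot: the added `not project.private` test in this hunk only stops new `R   = @all` lines from being emitted for private projects; it does nothing about stanzas already present in a deployed gitolite.conf, so private repositories stay readable by every SSH user until that file is regenerated from scratch. The cover mail says this, the commit message does not, so please state it there (or in a release note) since this is the one step an operator can miss. It is also worth saying in the commit that the `RW+ = @...` committer line that follows is unaffected, so private projects keep their legitimate committers, and a regression test that renders the config for a private project and asserts that no `R   = @all` line appears under its `repo` stanza would keep this guard from being lost in a later refactor.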


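The following is an added example, not pagure's own code and not part of the original mail. It models how the generator in pagure/lib/git_auth.py writes gitolite.conf stanzas, rendered both before and after the one-line fix, and adds the check a practitioner wants after deploying the patch: an audit over an existing gitolite.conf that lists private repositories still carrying a world-readable `R = @all` rule, since the fix only changes what is generated and a config that was not rebuilt from scratch keeps exposing them. `Project`, `gitolite_config`, `audit_private_repos` and the loop over namespaces are simplifications invented for this example; the committer-group handling mirrors only what the hunk shows.

```python
"""Added example, not pagure's own code: a small model of how
pagure/lib/git_auth.py writes gitolite.conf, rendered before and after
the one-line fix in the patch, plus an audit helper that scans an existing
gitolite.conf for private repos that still grant read access to @all.
Project, gitolite_config and audit_private_repos are names made up for
this example; the loop over namespaces simplifies the real generator."""
from dataclasses import dataclass, field
from typing import Iterable, List

# pagure keeps side repositories for tickets and pull requests; the original
# code already excluded these from the anonymous read rule.
SIDE_REPOS = ["tickets/", "requests/"]


@dataclass
class Project:
    """Stand-in for pagure's project object (constructed for this example)."""
    fullname: str
    private: bool = False
    committer_groups: List[str] = field(default_factory=list)


def gitolite_config(projects: Iterable[Project], hide_private: bool) -> str:
    """Render gitolite.conf stanzas for the given projects.

    hide_private=False reproduces the pre-patch behaviour: every project
    repo, private or not, gets "R = @all".  hide_private=True applies the
    patch: the anonymous read rule is skipped when project.private is set.
    """
    config = []
    for project in projects:
        for repos in [""] + SIDE_REPOS:
            config.append("repo %s%s" % (repos, project.fullname))
            anonymous_read = repos not in SIDE_REPOS
            if hide_private:
                anonymous_read = anonymous_read and not project.private
            if anonymous_read:
                config.append("  R   = @all")
            if project.committer_groups:
                config.append("  RW+ = @%s" % " @".join(project.committer_groups))
    return "\n".join(config) + "\n"


def _project_of(repo_name: str) -> str:
    """Map 'tickets/foo/bar' and 'requests/foo/bar' back to 'foo/bar'."""
    for prefix in SIDE_REPOS:
        if repo_name.startswith(prefix):
            return repo_name[len(prefix):]
    return repo_name


def audit_private_repos(config_text: str, private_fullnames: Iterable[str]) -> List[str]:
    """Return repo stanzas that belong to a private project and still give
    @all a permission that includes read (R, RW, RW+; other gitolite
    permission forms are ignored in this simplified parser).

    Run this over the live gitolite.conf after deploying the patch: the fix
    only changes what gets generated, so a config that was not rebuilt from
    scratch can still expose private repos.
    """
    private = set(private_fullnames)
    exposed = []
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("repo "):
            current = line[len("repo "):].strip()
            continue
        if current is None or "=" not in line:
            continue
        perm, _, members = line.partition("=")
        grants_read = perm.strip() in ("R", "RW", "RW+")
        if grants_read and "@all" in members.split() and _project_of(current) in private:
            exposed.append(current)
    return exposed


if __name__ == "__main__":
    # Constructed sample: one public project and one private project with a
    # committer group, the situation described in the report.
    sample = [
        Project("pagure"),
        Project("alice/secret-plans", private=True, committer_groups=["alice-team"]),
    ]
    private = ["alice/secret-plans"]
    print("exposed before patch:", audit_private_repos(gitolite_config(sample, False), private))
    print("exposed after patch: ", audit_private_repos(gitolite_config(sample, True), private))
```

The audit deliberately works from the set of private project names rather than trusting the config, because the stale config is exactly what is in doubt; in a real deployment that list would come from the pagure database, and any stanza the audit reports means the regeneration step the report asks for has not happened yet.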