Date: Sat, 22 Jul 2017 14:20:20 +0200
From: Stefan Bühler <stbuehler@...httpd.net>
To: oss-security@...ts.openwall.com
Cc: Pierre-Yves Chibon <pingou@...goured.fr>
Subject: pagure: private repositories accessible through ssh

Hi,

pagure [1], a git-centered forge, supports private repositories [2]:

> PRIVATE_PROJECTS
> ~~~~~~~~~~~~~~~~
>
> This configuration key allows you to host private repositories. These
> repositories are visible only to the creator of the repository and to
> the users who are given access to the repository.  No information is
> leaked about the private repository which means redis doesn't have the
> access to the repository and even fedmsg doesn't get any
> notifications.
>
> Defaults to: ``False``

But the gitolite config, which is used to configure SSH-access, allows
"@..." users to access all repositories - private or not.

I proposed the attached patch upstream in [3].

After patching you should ensure gitolite.conf gets regenerated from
scratch.

cheers,
Stefan

[1]: https://pagure.io/pagure
[2]: https://pagure.io/pagure/blob/master/f/doc/configuration.rst
[3]: https://pagure.io/pagure/pull-request/2426

View attachment "2426-hide-private-repos-in-ssh.patch" of type "text/x-patch" (879 bytes)
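Added example (not pagure's code and not the attached patch): an audit script an operator can run after regenerating gitolite.conf, to confirm no private repository still grants access to a gitolite group (an "@"-prefixed principal). The conf text, the project table and the group name "@devs" are constructed placeholders.

```python
"""Audit a pagure-generated gitolite.conf for private repositories that any
gitolite group (an "@..."-prefixed principal) can still reach.
Added example, not pagure's own code; sample data below is constructed."""
import re

# Constructed sample in the layout gitolite expects (and pagure generates):
# a "repo <name>" line followed by "<perm> [refex] = <principals>" rules.
SAMPLE_CONF = """\
repo public-tool
  RW+ = alice
  R   = @devs

repo secret-plans
  RW+ = bob
  R   = @devs
"""

# Constructed stand-in for pagure's project table: name -> private flag.
SAMPLE_PROJECTS = {"public-tool": False, "secret-plans": True}

RULE_RE = re.compile(r"^(\S+)(?:\s+(\S+))?\s*=\s*(.+)$")  # perm, optional refex, principals


def parse_gitolite_conf(text):
    """Return {repo_name: [(perm, principal), ...]} from gitolite.conf text."""
    repos, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^repo\s+(\S+)$", line)
        if m:
            current = m.group(1)
            repos.setdefault(current, [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            perm, principals = m.group(1), m.group(3).split()
            repos[current].extend((perm, p) for p in principals)
    return repos


def private_repos_exposed_to_groups(conf_text, projects):
    """(repo, perm, group) for every private project whose rules grant a
    non-deny permission to a gitolite group, i.e. a principal starting with '@'."""
    findings = []
    for repo, rules in parse_gitolite_conf(conf_text).items():
        if not projects.get(repo, False):
            continue  # public project: group access is expected
        for perm, principal in rules:
            if principal.startswith("@") and perm != "-":
                findings.append((repo, perm, principal))
    return findings


if __name__ == "__main__":
    for repo, perm, group in private_repos_exposed_to_groups(SAMPLE_CONF, SAMPLE_PROJECTS):
        print(f"private repo {repo!r} grants {perm} to group {group}")
```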