Date: Sat, 22 Jul 2017 14:20:20 +0200
From: Stefan Bühler <>
Cc: Pierre-Yves Chibon <>
Subject: pagure: private repositories accessible through ssh


pagure [1], a git-centered forge, supports private repositories [2]:

> ~~~~~~~~~~~~~~~~
> This configuration key allows you to host private repositories. These
> repositories are visible only to the creator of the repository and to
> the users who are given access to the repository.  No information is
> leaked about the private repository which means redis doesn't have the
> access to the repository and even fedmsg doesn't get any
> notifications.
> Defaults to: ``False``

But the gitolite config, which is used to configure SSH access, allows
"@..." users to access all repositories, private or not.
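To make the problem concrete, here is an added example (not pagure's own code) with two parts: a minimal stand-in for the gitolite config renderer, with the main repo opened to `@all` only for non-private projects, and an audit routine that parses an existing gitolite.conf and reports which private projects are still readable by `@all`. The `Project` class, the `render_gitolite` and audit function names, and the sample project names are assumptions made for this example; the stanza layout (`repo <name>`, `R = @all`, `RW+ = @<groups>`) follows the format visible in the patch.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Minimal stand-in for the project objects pagure hands to its gitolite
# helper. Field names mirror those used in the patch (fullname, private,
# committer_groups); the class itself is an assumption for this example.
@dataclass
class Project:
    fullname: str
    private: bool = False
    committer_groups: List[str] = field(default_factory=list)

# Constructed sample projects: one public, one private.
SAMPLE_PROJECTS = [
    Project("proj-a", committer_groups=["devs"]),
    Project("secret", private=True, committer_groups=["core"]),
]

# Constructed gitolite.conf as an unpatched deployment would render it:
# the private repo is world-readable.
UNPATCHED_CONF = """repo proj-a
  R   = @all
  RW+ = @devs

repo secret
  R   = @all
  RW+ = @core
"""


def render_gitolite(projects, prefixes=("", "tickets/", "requests/")):
    """Render gitolite.conf stanzas the way the patched helper does: the
    main repo is opened to @all only when the project is not private, and
    the tickets/ and requests/ repos are never opened to @all."""
    config = []
    for project in projects:
        for repos in prefixes:
            config.append("repo %s%s" % (repos, project.fullname))
            if not project.private and repos not in ("tickets/", "requests/"):
                config.append("  R   = @all")
            if project.committer_groups:
                config.append("  RW+ = @%s" % " @".join(project.committer_groups))
            config.append("")
    return "\n".join(config)


_REPO_RE = re.compile(r"^repo\s+(\S+)\s*$")
_RULE_RE = re.compile(r"^\s+(R|RW\+?)\s*=\s*(.+?)\s*$")


def world_readable_repos(conf_text):
    """Parse gitolite.conf text and return, in order of appearance, the
    repo names that grant any access to the @all pseudo-group."""
    exposed = []
    current = None
    for line in conf_text.splitlines():
        m = _REPO_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _RULE_RE.match(line)
        if m and current and "@all" in m.group(2).split():
            if current not in exposed:
                exposed.append(current)
    return exposed


def audit_private_exposure(conf_text, private_projects):
    """Return the names of private projects whose main repo is readable
    by @all according to the given gitolite.conf text."""
    exposed = set(world_readable_repos(conf_text))
    return sorted(name for name in private_projects if name in exposed)


if __name__ == "__main__":
    print("unpatched:", audit_private_exposure(UNPATCHED_CONF, ["secret"]))
    patched = render_gitolite(SAMPLE_PROJECTS)
    print("patched:  ", audit_private_exposure(patched, ["secret"]))
```

The audit half is the useful part for an operator: feed it the generated gitolite.conf together with the list of private project names taken from the database and an empty result confirms that no private repository has an `@all` read rule left over from before the fix.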

I proposed the attached patch upstream in [3].

After patching you should ensure gitolite.conf gets regenerated from



From 4af96a179912fc651e544c8ff90d9ddc9c7e6f48 Mon Sep 17 00:00:00 2001
From: Stefan B├╝hler <>
Date: Jul 17 2017 16:53:13 +0000
Subject: hide private repos in ssh too

'@...' shouldn't have access to private repos, otherwise every user sees
all private repositories.


diff --git a/pagure/lib/ b/pagure/lib/
index 939e053..577b668 100644
--- a/pagure/lib/
+++ b/pagure/lib/
@@ -126,7 +126,7 @@ class Gitolite2Auth(GitAuthHelper):
                 repos = ''
             config.append('repo %s%s' % (repos, project.fullname))
-            if repos not in ['tickets/', 'requests/']:
+            if not project.private and repos not in ['tickets/', 'requests/']:
                 config.append('  R   = @all')
             if project.committer_groups:
                 config.append('  RW+ = @%s' % ' @'.join(
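Review bot: the changed condition means a private project's main repo no longer gets an `R   = @all` line and depends entirely on the explicit entries rendered after it (the `RW+ = @...` line for committer groups is the only one visible in this hunk), so it is worth adding a regression test that renders the config for a private project and asserts that `R   = @all` is absent under `repo <fullname>` while the committer entries remain. The existing exclusion of `tickets/` and `requests/` repos is kept unchanged, which is correct. A one-line comment above the `if` explaining that `@all` read access is deliberately withheld for private projects would make the intent clear to the next reader, since the condition now carries two unrelated reasons for skipping the line.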
