Date: Sat, 22 Jul 2017 14:20:20 +0200
From: Stefan Bühler <stbuehler@...httpd.net>
To: oss-security@...ts.openwall.com
Cc: Pierre-Yves Chibon <pingou@...goured.fr>
Subject: pagure: private repositories accessible through ssh

Hi,

pagure [1], a git-centered forge, supports private repositories [2]:

> PRIVATE_PROJECTS
> ~~~~~~~~~~~~~~~~
>
> This configuration key allows you to host private repositories. These
> repositories are visible only to the creator of the repository and to
> the users who are given access to the repository. No information is
> leaked about the private repository which means redis doesn't have the
> access to the repository and even fedmsg doesn't get any
> notifications.
>
> Defaults to: ``False``

But the gitolite config, which is used to configure SSH-access, allows
"@..." users to access all repositories - private or not.

I proposed the attached patch upstream in [3].

After patching you should ensure gitolite.conf gets regenerated from
scratch.

cheers,
Stefan

[1]: https://pagure.io/pagure
[2]: https://pagure.io/pagure/blob/master/f/doc/configuration.rst
[3]: https://pagure.io/pagure/pull-request/2426

>From 4af96a179912fc651e544c8ff90d9ddc9c7e6f48 Mon Sep 17 00:00:00 2001 From: Stefan Bühler <stbuehler@....de> Date: Jul 17 2017 16:53:13 +0000 Subject: hide private repos in ssh too '@...' shouldn't have access to private repos, otherwise every user sees all private repositories. --- diff --git a/pagure/lib/git_auth.py b/pagure/lib/git_auth.py index 939e053..577b668 100644 --- a/pagure/lib/git_auth.py +++ b/pagure/lib/git_auth.py @@ -126,7 +126,7 @@ class Gitolite2Auth(GitAuthHelper): repos = '' config.append('repo %s%s' % (repos, project.fullname)) - if repos not in ['tickets/', 'requests/']: + if not project.private and repos not in ['tickets/', 'requests/']: config.append(' R = @all') if project.committer_groups: config.append(' RW+ = @%s' % ' @'.join(
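Review bot: the condition change in the `Gitolite2Auth` hunk is the right fix but the patch carries no regression test; add one that generates the gitolite config for a project with `private` set and asserts its `repo` stanza contains no `R = @all` line (and that a public project's stanza still does), otherwise the `@all` grant can silently come back in a later refactor. The commit message should also state what the cover mail says, that existing deployments must regenerate gitolite.conf from scratch: merging the code alone leaves already-generated configs granting `R = @all` on private repos.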
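The mail says that after patching, gitolite.conf must be regenerated from scratch, because a config generated by the old code keeps granting `R = @all` on private repositories. The following is an added example, not code from pagure or from the original post: it mimics (in simplified form) the stanza the `Gitolite2Auth` generator emits before and after the fix, then parses a gitolite.conf body and reports private projects whose stanza still grants access to `@all`. The project names, group names and the `PRIVATE_PROJECTS` set are constructed for illustration; a real deployment would take the private project list from the pagure database and the config text from the live gitolite.conf.

```python
"""Audit a gitolite.conf for private pagure projects still readable by @all.

Added example, not code from pagure or the original post. All names below
are constructed; `gitolite_stanza` only mimics the generator's shape.
"""
import re

# Constructed: fullnames of projects that are private in the pagure DB.
PRIVATE_PROJECTS = {"private-proj"}


def gitolite_stanza(fullname, private, committer_groups, fixed=True, kind=''):
    """Simplified stand-in for the stanza pagure's Gitolite2Auth emits.

    kind is '' for the main repo, 'tickets/' or 'requests/' for the side
    repos. With fixed=False the pre-patch rule applies: every main repo
    gets 'R = @all', private or not.
    """
    lines = ['repo %s%s' % (kind, fullname)]
    if kind not in ('tickets/', 'requests/') and (not private or not fixed):
        lines.append('    R = @all')
    if committer_groups:
        lines.append('    RW+ = @%s' % ' @'.join(committer_groups))
    return '\n'.join(lines) + '\n'


def build_conf(fixed):
    """Constructed gitolite.conf for one public and one private project."""
    projects = [('public-proj', False, ['owners-public']),
                ('private-proj', True, ['owners-private'])]
    parts = []
    for name, private, groups in projects:
        for kind in ('', 'tickets/', 'requests/'):
            parts.append(gitolite_stanza(name, private, groups, fixed, kind))
    return '\n'.join(parts)


_REPO_RE = re.compile(r'^repo\s+(\S+)$')
# perm [refex] = user/group list; refex is optional and ignored here
_RULE_RE = re.compile(r'^(-|R|RW\+?C?D?)(?:\s+\S+)?\s*=\s*(.+)$')


def parse_gitolite_conf(text):
    """Return {repo_name: [(perm, who), ...]} from a gitolite.conf body."""
    repos = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _REPO_RE.match(line)
        if m:
            current = m.group(1)
            repos.setdefault(current, [])
            continue
        m = _RULE_RE.match(line)
        if m and current is not None:
            perm, users = m.group(1), m.group(2).split()
            repos[current].extend((perm, u) for u in users)
    return repos


def private_repos_readable_by_all(conf_text, private_projects):
    """Repos belonging to a private project whose stanza grants @all anything.

    tickets/ and requests/ repos are mapped back to their project so a stale
    grant on a side repo is reported too.
    """
    leaks = []
    for repo, rules in parse_gitolite_conf(conf_text).items():
        project = re.sub(r'^(tickets|requests)/', '', repo)
        if project in private_projects and any(who == '@all' for _, who in rules):
            leaks.append(repo)
    return sorted(leaks)


if __name__ == '__main__':
    for label, fixed in (('before fix', False), ('after fix', True)):
        leaks = private_repos_readable_by_all(build_conf(fixed), PRIVATE_PROJECTS)
        print('%s: private repos readable by @all -> %s' % (label, leaks or 'none'))
```

Run it against the real file with `open('/path/to/gitolite.conf').read()` in place of `build_conf(...)`: an empty result after regeneration confirms the deployed config no longer carries the stale `R = @all` lines.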