From: "Shawn O. Pearce" <spearce@spearce.org>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org
Subject: Re: git-daemon is insecure?
Date: Sun, 27 Jan 2008 22:20:40 -0500 [thread overview]
Message-ID: <20080128032040.GB24004@spearce.org> (raw)
In-Reply-To: <7vk5luwt6q.fsf@gitster.siamese.dyndns.org>
Junio C Hamano <gitster@pobox.com> wrote:
> "Shawn O. Pearce" <spearce@spearce.org> writes:
>
> > With regards to this patch, yes, you can export your entire $HOME
> > and maybe expose things you shouldn't or didn't want to.
>
> That was not what I meant. git-daemon running as nobody.project
> will allow read access to project group's files, and the
> whitelisting and --base-path are ways to limit it to files that
> are in the repository. But the process still has the power to
> read files outside that can be read nobody user or project
> group, the only thing needed is for git-daemon and whatever it
> spawn to have bugs.
>
> But the point is that "power to read files outside" is still
> limited to nobody.project, even if there are such bugs to allow
> it escape the whitelist/base-path jail. It won't extend to
> anybody's $HOME.
>
> If you run git-daemon as spearce.spearce, you cannot rely on
> that built-in limitation.
Sure. Which is why I was planning on running git-daemon as
gitadmin.gitadmin, with all central repos owned by gitadmin,
and basically nothing else at all.
I can just as easily start lighthttpd on $HOME. Or Apache.
Both are insane.
--
Shawn.
next prev parent reply other threads:[~2008-01-28 3:21 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-27 10:39 [RFC] Secure central repositories by UNIX socket authentication Shawn O. Pearce
2008-01-27 14:04 ` Johannes Schindelin
2008-01-27 17:32 ` Shawn O. Pearce
2008-01-27 18:51 ` Johannes Schindelin
2008-01-28 0:54 ` Shawn O. Pearce
2008-01-28 8:14 ` Dmitry Potapov
2008-01-27 22:56 ` Junio C Hamano
2008-01-28 0:16 ` git-daemon is insecure? (was: [RFC] Secure central repositories) Shawn O. Pearce
2008-01-28 3:00 ` git-daemon is insecure? Junio C Hamano
2008-01-28 3:20 ` Shawn O. Pearce [this message]
2008-01-28 0:47 ` [RFC] Secure central repositories by UNIX socket authentication Shawn O. Pearce
2008-01-28 7:25 ` Junio C Hamano
2008-01-28 7:51 ` Shawn O. Pearce
2008-01-28 14:23 ` Asheesh Laroia
2008-01-29 3:11 ` Shawn O. Pearce
2008-01-28 7:56 ` Shawn O. Pearce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080128032040.GB24004@spearce.org \
--to=spearce@spearce.org \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.