* git-daemon is insecure? (was: [RFC] Secure central repositories)
  2008-01-27 22:56 ` Junio C Hamano
@ 2008-01-28  0:16   ` Shawn O. Pearce
  0 siblings, 0 replies; 2+ messages in thread
From: Shawn O. Pearce @ 2008-01-28  0:16 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

Junio C Hamano <gitster@pobox.com> wrote:
> "Shawn O. Pearce" <spearce@spearce.org> writes:
> > This change allows any repository owner to set up a git-daemon
> > that other users on the same host can connect through to perform
> > upload-pack or receive-pack.
> 
> My reading of this is that it creates a backdoor for people who
[...]
> In addition to having to worry about
> the in-repo data properly being protected from people outside
> the group, you now need to worry that the access through that
> backdoor does not extend outside of the repository.  E.g. the
> repository owner's $HOME that is outside the repository would be
> writable by that owner, but is not meant to be accessible by
> project participants.  If you allow others to "run as" you, the
> only thing that forbids that process running as you from
> accessing $HOME is an additional audit of git-daemon and the
> programs it spawns.

So you are partially suggesting that git-daemon isn't thought to
be secure, and that anything readable by the user that git-daemon
is running as is fully exposed to the public Internet.  So the
access control attempts relating to --base-path or the check for
git-daemon-export-ok shouldn't really be trusted or relied upon.

If that really is the case, perhaps git-daemon should be audited
and hardened further.  Last I checked, we encouraged people to run
it to offer anonymous access to repositories, and the documentation
suggests there are publishing access controls that actually work.
If those controls cannot be trusted then we shouldn't encourage
running git-daemon on untrusted networks.


With regards to this patch, yes, you can export your entire $HOME
and maybe expose things you shouldn't or didn't want to.  But even
without git installed you could do this:

	cp /bin/bash /tmp/be-like-mike
	chown $USER /tmp/be-like-mike
	chmod 777 /tmp/be-like-mike
	chmod u+s /tmp/be-like-mike
	wall "try out /tmp/be-like-mike today"

but why would anyone do something that foolish?  UNIX provides the
tools to do this, because there are cases where it can be useful,
but really, you have to be nuts to export all of $HOME.

-- 
Shawn.
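An added example that is not part of the thread: a small POSIX sh audit for the pattern Shawn sketches above, a setuid file that an ordinary user owns or that anyone may overwrite. The function names, the DIR argument and the throwaway sample tree are my own constructions.

```sh
# Added example, not from the thread: a POSIX sh audit for the
# "be-like-mike" pattern, a setuid file that a normal user owns or that
# anyone may overwrite. Function names and the DIR argument are mine.

# Print every regular file under DIR with the setuid bit set that is
# either not owned by root or is world-writable. -xdev keeps find on
# one filesystem so it does not wander into /proc or network mounts.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 \
        \( ! -user root -o -perm -0002 \) 2>/dev/null
}

# Count the hits so a cron job or a test can act on a single number.
count_suid() {
    audit_suid "$1" | wc -l | tr -d ' '
}

# Constructed demo tree: one harmless file and one setuid, world-writable
# file. Nothing executable is copied; only the mode bits matter here.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/harmless"
    : > "$tmp/door"
    chmod 4777 "$tmp/door"
    echo "setuid doors under $tmp: $(count_suid "$tmp")"
    audit_suid "$tmp"
    rm -rf "$tmp"
}

demo
```

Run it as `sh audit.sh` to see the demo, or source the file and call `audit_suid /tmp` against a real directory.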


* Re: git-daemon is insecure? (was: [RFC] Secure central repositories)
       [not found] <1201481268.12DFA67D@ea27.dngr.org>
@ 2008-01-28  0:54 ` Kate Rhodes
  0 siblings, 0 replies; 2+ messages in thread
From: Kate Rhodes @ 2008-01-28  0:54 UTC (permalink / raw)
  To: git

>  UNIX provides the
> tools to do this, because there are cases where it can be useful,
> but really, you have to be nuts to export all of $HOME.

Never ascribe to lunacy what ignorance and stupidity can easily 
encompass.

When it comes to security issues you have to try and account for *all* 
the idiots.

~kate = masukomi
http://weblog.masukomi.org
