Re: is gitosis secure? - Stephen R. van den Berg

git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "Stephen R. van den Berg" <srb@cuci.nl>
To: Tommi Virtanen <tv@eagain.net>
Cc: "Boyd Stephen Smith Jr." <bss@iguanasuicide.net>,
	Florian Weimer <fw@deneb.enyo.de>,
	git@vger.kernel.org
Subject: Re: is gitosis secure?
Date: Thu, 5 Feb 2009 08:52:43 +0100	[thread overview]
Message-ID: <20090205075243.GA29080@cuci.nl> (raw)
In-Reply-To: <20090204182650.GC1970@eagain.net>

Tommi Virtanen wrote:
>On Wed, Feb 04, 2009 at 01:12:04PM +0100, Stephen R. van den Berg wrote:
>> I installed gitosis a year ago.
>> Then I tried to audit the code.
>> I couldn't, the whole thing is too much spaghetti code.

>Huh. It's about 1000 lines of python, with about 2000 lines of unit
>tests. It has 3 top-level operations: init, serve, run_hook. That
>still counts as "tiny" in my mind. I'm sorry if following the code was
>too hard. I guess there's no accounting for taste.

It would help if there were a 10 to 60 line synopsis of what it does
in the critical cases.  I mean, I don't care about features, but I care
about the critical parts that interact with the shell and ssh.  In order
to audit that I need a concise 60 line max piece of code or text where
I can get all the info from.  1000 lines for that is too much.

>> Auditing gitosis turned out to be too painful to be worth the trouble,
>> so I reverted to a manually maintained git-shell solution which is so
>> simple that I can actually audit it, and therefore is provably secure
>> (which gitosis is not).

>This word, "provably", tends to mean something else than what you use
>it for. Definitely a simple audit doesn't prove anything. Most
>real-world software is complex enough to be practically unprovable for
>anything.

What I meant by "provably secure" in this context is that in addition
to basic security holes already/still present in the OS, /bin/sh and ssh,
my scripts do not introduce extra security holes.

As a matter of fact, I replaced gitosis by two shell scripts of 31 and
50 lines each (including empty lines).  I.e. the pieces of code needing
auditing are exactly 81 lines total.

I'm not saying that gitosis has security holes, it's just that it's rather
difficult to assure that it doesn't, given the size.
-- 
Sincerely,
           Stephen R. van den Berg.
Auto repair rates: basic labor $40/hour; if you wait, $60; if you watch, $80;
if you ask questions, $100; if you help, $120; if you laugh, $140.

next prev parent reply	other threads:[~2009-02-05  7:54 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-12-09  8:56 is gitosis secure? Thomas Koch
2008-12-09  9:04 ` Sam Vilain
2009-01-18 11:48   ` Florian Weimer
2009-01-18 12:50     ` Boyd Stephen Smith Jr.
2009-01-18 13:25       ` Florian Weimer
2009-01-18 14:19         ` Boyd Stephen Smith Jr.
2009-02-03 21:31       ` Tommi Virtanen
2009-02-04 12:12         ` Stephen R. van den Berg
2009-02-04 18:26           ` Tommi Virtanen
2009-02-05  7:52             ` Stephen R. van den Berg [this message]
2009-02-05  8:04               ` Tommi Virtanen
2008-12-09  9:07 ` R. Tyler Ballance
2009-02-03 21:41   ` Tommi Virtanen
2008-12-09  9:38 ` Sverre Rabbelier
2008-12-13 16:23   ` Nix
2008-12-13 18:07     ` Sverre Rabbelier
2008-12-14  2:26     ` Sitaram Chamarty
2008-12-14  5:40       ` david
2008-12-14  9:42         ` martin
2008-12-14 11:25           ` david
2008-12-14 10:51             ` Jakub Narebski
2008-12-15  0:54               ` david
2008-12-14 11:02             ` martin
2008-12-15  1:00               ` david
2008-12-15  7:17                 ` Mike Hommey
2008-12-15  8:25                   ` david
2008-12-15  8:35                     ` Mike Hommey
2008-12-15 21:28                   ` Tait
2008-12-14 11:42             ` Sitaram Chamarty
2008-12-15  1:20               ` david
2008-12-14 10:40         ` Jakub Narebski
2008-12-15  0:50           ` david
2008-12-15  7:20         ` Rogan Dawes
2008-12-15  8:37           ` david
2008-12-15  7:52             ` Rogan Dawes
2008-12-14 10:47       ` Jakub Narebski
2008-12-15  0:14         ` Nix
2008-12-15  1:29           ` david
2008-12-15  5:24           ` Asheesh Laroia
2008-12-15  6:32             ` david
2008-12-09 19:18 ` Garry Dolley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090205075243.GA29080@cuci.nl \
    --to=srb@cuci.nl \
    --cc=bss@iguanasuicide.net \
    --cc=fw@deneb.enyo.de \
    --cc=git@vger.kernel.org \
    --cc=tv@eagain.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).