From: Sitaram Chamarty <sitaramc@gmail.com>
To: martin f krafft <madduck@madduck.net>
Cc: Sitaram Chamarty <sitaram@atc.tcs.com>,
git discussion list <git@vger.kernel.org>,
Teemu Matilainen <teemu.matilainen@iki.fi>
Subject: Re: [gitolite] repo config for delegated projects
Date: Sat, 6 Feb 2010 06:20:50 +0530 [thread overview]
Message-ID: <2e24e5b91002051650k3c7cf14ev8752d36b5616e9a4@mail.gmail.com> (raw)
In-Reply-To: <20100204040812.GC13411@lapse.rw.madduck.net>
On Thu, Feb 4, 2010 at 9:38 AM, martin f krafft <madduck@madduck.net> wrote:
> also sprach Sitaram Chamarty <sitaram@atc.tcs.com> [2010.02.04.1418 +1300]:
>> how about
>>
>> $DELEGATED_CONFIGS = "hooks.mailinglist,hooks.showrev";
>
> Excellent idea.
OK I've run into a little decision-point here.
The problem above is of making sure that a delegated admin cannot
misuse the gitconfig mechanism to do stuff he's not allowed to do, but
it's actually worse than that :(
First some background. For a long time I treated the "main" admin
(anyone who has RW/RW+ rights to gitolite.conf) to be eqvt to having
shell access. Then we started moving away from that, and that is good
because having shell access allows him to bypass the logging that
gitolite does, thus polluting the audit trail. Preventing that makes
a lot of sense in a corporate environment, and lets you allow a lot
more people to manage the gitolite access list.
Now I just looked up hooks.showrev, and it's supposed to be any shell
command. Clearly this means anyone who can set that gitconfig option
now has shell capability, and it's game over.
Regardless of how I look at it, I can't think of a cure for this short
of either:
- putting all the allowed gitconfigs in the RC file, and not in the
config (writing the RC file requires shell access, and we presume the
"root of trust" person has enough smarts to know what to allow and
what not to allow), and allowing repo admins to *refer* to them to use
whichever they want
- someone coming up with a list of gitconfig's that are "safe", and
specific values for those that are unsafe (like saying "if you use
showrev, you can only use this command as the value", and forcing
only those.
I'm leaning toward the former; easier for me ;-) Meanwhile, I'm
punting this to Teemu until the morning fog in my brain clears :)
next prev parent reply other threads:[~2010-02-06 0:56 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20100203035718.GA30644@lapse.rw.madduck.net>
[not found] ` <2e24e5b91002022222h5ca3ebe6k75854a9a056f0ed1@mail.gmail.com>
2010-02-03 20:22 ` [gitolite] repo config for delegated projects martin f krafft
2010-02-03 22:47 ` Teemu Matilainen
2010-02-04 1:18 ` Sitaram Chamarty
2010-02-04 4:08 ` martin f krafft
2010-02-06 0:50 ` Sitaram Chamarty [this message]
2010-02-06 4:22 ` martin f krafft
2010-02-06 6:45 ` Sitaram Chamarty
2010-02-06 18:21 ` Teemu Matilainen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2e24e5b91002051650k3c7cf14ev8752d36b5616e9a4@mail.gmail.com \
--to=sitaramc@gmail.com \
--cc=git@vger.kernel.org \
--cc=madduck@madduck.net \
--cc=sitaram@atc.tcs.com \
--cc=teemu.matilainen@iki.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).