* How to identify the users?
From: Scott Yan @ 2013-01-31 5:52 UTC (permalink / raw)
To: git
Hello everyone:
The user info of the git client (user name and email) is set by the users
themselves, so how do I avoid userA pretending to be userB?
The git server can authenticate the user, but it does nothing about the
user info in the commit message.
For example:
There are 20 people on my team, and everyone can push to the public
repository (git server).
If I find some backdoor code in my project, and the commit record
shows it was committed by userA, I ask userA: why did you do this?
But he tells me: no, this is not my code, I have never committed such a
thing. ---- And yes, everyone could change his user info to userA very
easily.
So... what should I do to avoid such situations?
Thanks!
* Re: How to identify the users?
From: Scott Yan @ 2013-01-31 6:07 UTC (permalink / raw)
To: Andrew Ardill; +Cc: git@vger.kernel.org
Thanks, Andrew.
You said:
-- have the server reject commits that have the 'committer' set to
someone other than the authenticated user
but I don't know how to do that.
Our central repository is hosted by Apache, and there are some
usernames and passwords saved by Apache to authenticate valid users,
but as far as I know, there is no relation between the Apache username and
the git client user info (saved in .gitconfig), so can you describe it in
some detail?
Regards,
Scott Yan
On Thu, Jan 31, 2013 at 1:56 PM, Andrew Ardill <andrew.ardill@gmail.com> wrote:
>
> On 31 January 2013 16:52, Scott Yan <scottyan19@gmail.com> wrote:
>>
>> The user info of the git client (user name and email) is set by the users
>> themselves, so how do I avoid userA pretending to be userB?
>>
>> The git server can authenticate the user, but it does nothing about the
>> user info in the commit message.
>
> The simplest thing is to have the server reject commits that have the
> 'committer' set to someone other than the authenticated user.
>
> Of course, there are potential workflows that this would cause problems for,
> such as if you sync directly to another user's repository and then try and
> push those to a central server.
>
> The most robust system would probably involve using signed tags to verify
> what is being pushed, however I am not aware of any set-ups that have done
> this yet.
>
> Regards,
>
> Andrew Ardill
* Re: How to identify the users?
From: Tomas Carnecky @ 2013-01-31 6:08 UTC (permalink / raw)
To: Scott Yan, git
On Thu, 31 Jan 2013 13:52:32 +0800, Scott Yan <scottyan19@gmail.com> wrote:
> Hello everyone:
>
> The user info of the git client (user name and email) is set by the users
> themselves, so how do I avoid userA pretending to be userB?
>
> The git server can authenticate the user, but it does nothing about the
> user info in the commit message.
>
> For example:
> There are 20 people on my team, and everyone can push to the public
> repository (git server).
> If I find some backdoor code in my project, and the commit record
> shows it was committed by userA, I ask userA: why did you do this?
> But he tells me: no, this is not my code, I have never committed such a
> thing. ---- And yes, everyone could change his user info to userA very
> easily.
>
> So... what should I do to avoid such situations?
gitolite keeps a log of which SSH user pushed which commits. The smart-http
backend does the same if you have reflog enabled on the server (see the
ENVIRONMENT section in man git-http-backend). So unless someone can steal
userA's credentials (http password, ssh key) you'll be able to detect who it
really was.
* Re: How to identify the users?
From: Sitaram Chamarty @ 2013-01-31 6:10 UTC (permalink / raw)
To: Tomas Carnecky; +Cc: Scott Yan, git
On 01/31/2013 11:38 AM, Tomas Carnecky wrote:
> On Thu, 31 Jan 2013 13:52:32 +0800, Scott Yan <scottyan19@gmail.com> wrote:
>> Hello everyone:
>>
>> The user info of the git client (user name and email) is set by the users
>> themselves, so how do I avoid userA pretending to be userB?
>>
>> The git server can authenticate the user, but it does nothing about the
>> user info in the commit message.
>>
>> For example:
>> There are 20 people on my team, and everyone can push to the public
>> repository (git server).
>> If I find some backdoor code in my project, and the commit record
>> shows it was committed by userA, I ask userA: why did you do this?
>> But he tells me: no, this is not my code, I have never committed such a
>> thing. ---- And yes, everyone could change his user info to userA very
>> easily.
>>
>> So... what should I do to avoid such situations?
>
> gitolite keeps a log of which SSH user pushed which commits. The smart-http
> backend does the same if you have reflog enabled on the server (see the
> ENVIRONMENT section in man git-http-backend). So unless someone can steal
> userA's credentials (http password, ssh key) you'll be able to detect who it
> really was.
See also my rant on this topic:
https://github.com/sitaramc/gitolite/blob/master/src/VREF/EMAIL-CHECK#L37
* Re: How to identify the users?
From: Andrew Ardill @ 2013-01-31 6:16 UTC (permalink / raw)
To: Scott Yan; +Cc: git@vger.kernel.org
(Resending previous response. Forgot to turn off HTML, and apparently
gmail doesn't wrap lines automatically anymore?)
On 31 January 2013 16:52, Scott Yan <scottyan19@gmail.com> wrote:
>
> The user info of the git client (user name and email) is set by the users
> themselves, so how do I avoid userA pretending to be userB?
>
> The git server can authenticate the user, but it does nothing about the
> user info in the commit message.
The simplest thing is to have the server reject commits that have the
'committer' set to someone other than the authenticated user.
Of course, there are potential workflows that this would cause problems
for, such as if you sync directly to another user's repository and then try
and push those to a central server.
The most robust system would probably involve using signed tags to
verify what is being pushed, however I am not aware of any set-ups that
have done this yet.
Regards,
Andrew Ardill
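The committer check Andrew describes (the same idea as the gitolite EMAIL-CHECK VREF that Sitaram links), written out as an added example rather than code from the thread or from gitolite: a git "update" hook in Python that takes the authenticated login from GL_USER (gitolite) or REMOTE_USER (Apache smart HTTP) and refuses the push if any commit new to the server has a committer email belonging to someone else. PUSHER_EMAIL_DOMAIN is a hypothetical hook setting, and the sample log lines in the comments are constructed.

```python
# Server-side "update" hook, added as an example (not code from the thread or
# from gitolite): refuse a push when a newly pushed commit's committer email is
# not the authenticated pusher's. Author may differ; the committer must match.
import os
import subprocess
import sys

# Assumptions: the login arrives as GL_USER (gitolite) or REMOTE_USER (Apache
# smart HTTP); PUSHER_EMAIL_DOMAIN is a hypothetical hook setting that maps a
# bare login such as "userA" to "userA@<domain>".
LOG_FORMAT = "%H%x1f%ce%x1f%ae"   # sha, committer email, author email


def parse_commit_log(log_output):
    """Parse `git log --format=LOG_FORMAT` output into (sha, committer, author) tuples."""
    commits = []
    for line in log_output.splitlines():
        if line.strip():   # e.g. constructed: "0a1\x1fuserA@example.com\x1fuserA@example.com"
            sha, committer, author = line.split("\x1f")
            commits.append((sha, committer, author))
    return commits


def find_spoofed_commits(commits, pusher_email):
    """SHAs whose committer email differs (case-insensitively) from the pusher's."""
    want = pusher_email.strip().lower()
    return [sha for sha, committer, _ in commits if committer.strip().lower() != want]


def pusher_email():
    user = os.environ.get("GL_USER") or os.environ.get("REMOTE_USER")
    if not user:   # unauthenticated transport: nothing to compare against
        sys.exit("update hook: no authenticated user, refusing push")
    domain = os.environ.get("PUSHER_EMAIL_DOMAIN", "example.com")
    return user if "@" in user else f"{user}@{domain}"


def main(argv):
    refname, _oldrev, newrev = argv[1:4]   # git passes: refname oldrev newrev
    if newrev == "0" * 40:
        return 0   # ref deletion adds no commits
    who = pusher_email()
    # Only commits not yet reachable from any existing ref are new to the server.
    out = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", newrev, "--not", "--all"],
                         capture_output=True, text=True, check=True).stdout
    bad = find_spoofed_commits(parse_commit_log(out), who)
    for sha in bad:
        print(f"update hook: {refname} {sha[:12]} committer is not {who}", file=sys.stderr)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as hooks/update in the central (bare) repository; a rejected push reports each offending commit, and the server's own push log or reflog still records which login attempted it.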
* Re: How to identify the users?
From: Scott Yan @ 2013-01-31 6:53 UTC (permalink / raw)
To: Sitaram Chamarty; +Cc: Tomas Carnecky, git@vger.kernel.org
Thanks to all.
Tomas:
I can't find the reflog setting in the git-http-backend
doc (http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html),
so I tried this setting:
git config core.logAllRefUpdates true
and after some test pushes, the output is as below:
>git log -g master
commit d34e61baa28eabf46ba5e9f6a2feb24cc683ed39
Reflog: master@{0} (Scott Yan <scottyan19@gmail.com>)
Reflog message: push
Author: Scott Yan <scottyan19@gmail.com>
Date: Thu Jan 31 14:19:30 2013 +0800
This log shows when it was pushed, but still can't tell who, because the
author info may be fake.
I don't know if I made some mistake.
Sitaram:
It seems I must host my central repo on Gitolite first...
I don't know Gitolite much, but you are right, maybe I should use
Gitolite as my git server.
I'll find more documents about gitolite these days;
can you give me some suggestions on which tutorial I should read? Thanks!
PS: my OS is Windows.
Regards,
Scott Yan
On Thu, Jan 31, 2013 at 2:10 PM, Sitaram Chamarty <sitaramc@gmail.com> wrote:
> On 01/31/2013 11:38 AM, Tomas Carnecky wrote:
>> On Thu, 31 Jan 2013 13:52:32 +0800, Scott Yan <scottyan19@gmail.com> wrote:
>>> Hello everyone:
>>>
>>> The user info of the git client (user name and email) is set by the users
>>> themselves, so how do I avoid userA pretending to be userB?
>>>
>>> The git server can authenticate the user, but it does nothing about the
>>> user info in the commit message.
>>>
>>> For example:
>>> There are 20 people on my team, and everyone can push to the public
>>> repository (git server).
>>> If I find some backdoor code in my project, and the commit record
>>> shows it was committed by userA, I ask userA: why did you do this?
>>> But he tells me: no, this is not my code, I have never committed such a
>>> thing. ---- And yes, everyone could change his user info to userA very
>>> easily.
>>>
>>> So... what should I do to avoid such situations?
>>
>> gitolite keeps a log of which SSH user pushed which commits. The smart-http
>> backend does the same if you have reflog enabled on the server (see the
>> ENVIRONMENT section in man git-http-backend). So unless someone can steal
>> userA's credentials (http password, ssh key) you'll be able to detect who it
>> really was.
>
> See also my rant on this topic:
>
> https://github.com/sitaramc/gitolite/blob/master/src/VREF/EMAIL-CHECK#L37
* Re: How to identify the users?
From: Sitaram Chamarty @ 2013-01-31 10:12 UTC (permalink / raw)
To: Scott Yan; +Cc: Tomas Carnecky, git@vger.kernel.org
On 01/31/2013 12:23 PM, Scott Yan wrote:
> Sitaram:
>
> It seems I must host my central repo on Gitolite first...
There is no "must" but yes it is a decent solution and can, in
principle, do the kind of checking you want if you set it up to do that.
Please note that I don't use that mode and, as my rant would have
indicated, I don't think it's a smart thing to do.
> I don't know Gitolite much, but you are right, maybe I should use
> Gitolite as my git server.
> I'll find more documents about gitolite these days;
> can you give me some suggestions on which tutorial I should read? Thanks!
> PS: my OS is Windows.
Try
http://therightstuff.de/CommentView,guid,b969ea4d-8d2c-42af-9806-de3631f4df68.aspx
I normally don't mention blog posts (favouring instead the official
documentation) but Windows is an exception. Hence the link.
Good luck.