[Dev] gitosis broken + server access + security practices

Aurélien gnu.tek at gmx.com
Wed Feb 15 18:22:06 GMT 2012


Nicolás Reynolds <fauno at kiwwwi.com.ar> writes:

> So gitosis is broken, spits errors when adding new users (even from the server
> itself) and I really don't know how to debug it.
>
> We were discussing on the channel if the privilege separation gitosis
> provides is useful to us, since permissions are given to everyone to
> every git repo anyway.
>
> Smv says gitosis not only does this but also *only* allows the git user
> (git at parabolagnulinux.org) access to the git repos. If we
> were going to manage push privileges using regular ssh
> methods (ssh-copy-id, authorized_keys, etc.), people could not only push
> to the repos but have shell login if available or access to the full git
> user's home, included .ssh/authorized_keys.

Should it be possible that the script which verify authorithy ask
another "securly closed" server rather than the normal
.ssh/authorized_keys?



> IMO this isn't a problem since it would allow anyone to quickly
> participate on git development simply by being involved and having
> another hacker to allow his pubkey. Or any other policies we define
> politically rather than technically.
>
> And git, being an unprivileged user, shouldn't have access to any other
> important system files. We could even chroot it for that matter. The
> point is that security shouldn't hinder participation and simplicity.
>
> What do you think?
> _______________________________________________
> Dev mailing list
> Dev at lists.parabolagnulinux.org
> http://lists.parabolagnulinux.org/mailman/listinfo/dev
<#secure method=pgpmime mode=sign>

-- 
Aurelien - Animateur P at m-Sarte
http://libreplanet.org/wiki/User:Aurelien
Free Software & Zen Minimalism Hactivist
Fight for your freedom rights! Join FSF.org
Fully Free Operating System at GNU.org


      	   	     	    (   )
			     ° °
			      ·



More information about the Dev mailing list