oss-sec mailing list archives

pagure: private repositories accessible through ssh

From: Stefan Bühler <stbuehler () lighttpd net>
Date: Sat, 22 Jul 2017 14:20:20 +0200

Hi,

pagure [1], a git-centered forge, supports private repositories [2]:

PRIVATE_PROJECTS
~~~~~~~~~~~~~~~~

This configuration key allows you to host private repositories. These
repositories are visible only to the creator of the repository and to
the users who are given access to the repository.  No information is
leaked about the private repository which means redis doesn't have the
access to the repository and even fedmsg doesn't get any
notifications.

Defaults to: ``False``


But the gitolite config, which is used to configure SSH-access, allows
"@all" users to access all repositories - private or not.

I proposed the attached patch upstream in [3].

After patching you should ensure gitolite.conf gets regenerated from
scratch.

cheers,
Stefan

[1]: https://pagure.io/pagure
[2]: https://pagure.io/pagure/blob/master/f/doc/configuration.rst
[3]: https://pagure.io/pagure/pull-request/2426

Attachment: 2426-hide-private-repos-in-ssh.patch
Description:

Current thread:

pagure: private repositories accessible through ssh Stefan Bühler (Jul 22)
- Re: pagure: private repositories accessible through ssh Patrick Uiterwijk (Jul 22)