oss-sec mailing list archives
pagure: private repositories accessible through ssh
From: Stefan Bühler <stbuehler () lighttpd net>
Date: Sat, 22 Jul 2017 14:20:20 +0200
Hi,

pagure [1], a git-centered forge, supports private repositories [2]:

    PRIVATE_PROJECTS
    ~~~~~~~~~~~~~~~~

    This configuration key allows you to host private repositories. These
    repositories are visible only to the creator of the repository and to the
    users who are given access to the repository. No information is leaked about
    the private repository which means redis doesn't have the access to the
    repository and even fedmsg doesn't get any notifications.

    Defaults to: ``False``

But the gitolite config, which is used to configure SSH-access, allows "@all" users to access all repositories - private or not.

I proposed the attached patch upstream in [3].

After patching you should ensure gitolite.conf gets regenerated from scratch.

cheers,
Stefan

[1]: https://pagure.io/pagure
[2]: https://pagure.io/pagure/blob/master/f/doc/configuration.rst
[3]: https://pagure.io/pagure/pull-request/2426
Attachment: 2426-hide-private-repos-in-ssh.patch
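
An added example, not part of the original post or of pagure's code: a small audit that parses gitolite.conf-style text and reports repositories from a given private list that still carry a non-deny rule naming @all, which is useful after regenerating the file. The sample config, the repo and user names, and the function names are constructed for illustration; the list of private repository paths is assumed to be supplied by the operator.

```python
import re

# Constructed sample in gitolite.conf syntax; repo and user names are made up.
SAMPLE_CONF = """\
repo public-proj
  R   = @all
  RW+ = alice

repo secret-proj
  R   = @all      # readable by every SSH user
  RW+ = bob

repo docs/secret-proj
  R   = @all
  RW+ = bob

repo locked-proj
  RW+ = carol
"""

# gitolite rule line: <perm> [refex ...] = <users/groups>
RULE = re.compile(r"^(RW\+?C?D?M?|R|C|-)\s+([^=]*)=\s*(.*)$")


def parse_rules(conf_text):
    """Yield (repo, permission, members) for each access rule."""
    repos = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if line.startswith("repo "):
            repos = line.split()[1:]  # one stanza may name several repos
            continue
        m = RULE.match(line)
        if m and repos:
            for repo in repos:
                yield repo, m.group(1), m.group(3).split()


def exposed_private_repos(conf_text, private_paths):
    """Return sorted (repo, perm) pairs where a private repo grants @all access."""
    private = set(private_paths)  # assumption: exact gitolite repo paths
    return sorted({
        (repo, perm)
        for repo, perm, members in parse_rules(conf_text)
        if repo in private and perm != "-" and "@all" in members
    })
```

An empty result for every private path is the expected state once the config has been regenerated with the fix applied.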