Bug 207206

Summary: Add new user/group to UID and GUID for new gogs port
Product: Ports & Packages
Reporter: Matthias Fechner <mfechner>
Component: Individual Port(s)
Assignee: Kurt Jaeger <pi>
Status: Closed FIXED
Severity: Affects Only Me
CC: douglas, pi
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Bug Depends on:
Bug Blocks: 205283
Attachments:
  Description: Diff to add new gogs user and group required for gogs port
  Flags: none

Description Matthias Fechner freebsd_committer freebsd_triage 2016-02-15 09:43:40 UTC
Created attachment 167017
Diff to add new gogs user and group required for gogs port

Currently a new port is in preparation to get the tool gogs into the ports (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205283).

The port would require its own user/group to get cleanly and securely installed.

Could you please apply the diff attached?

Thanks a lot.

Comment 1 Douglas Thrift 2016-02-15 22:57:07 UTC
I'm curious why the git user that is already listed in UIDs and GIDs and used for the gitosis and gitolite ports is not sufficient for this?

Comment 2 Matthias Fechner freebsd_committer freebsd_triage 2016-02-16 08:08:55 UTC
I would like to have another user:
1. The /usr/local/etc/gogs.ini does hold configuration including SMTP authentication information. It should be ensured that this username/password should only be readable by the gogs user and not by other users.
2. The repositories used by gitolite and gogs (I use both products, sometimes also on the same computer) have their repository protected with permission 700. In theory the user can only execute the shell that is defined in .ssh/authorized_keys, but if there is a bug anywhere the consequence would be that the user can access a repository it should not have access to.
3. Gogs is using a web interface to access the repository and special features (like GitHub). I never checked in detail if the code is secure or not. But using a separate user would ensure that other git repositories (using gitshell, gitolite) cannot be accessed if a bug/security problem is in the gogs software (gogs starts its own webserver 3000 running with user gogs).

I hope these 3 simple examples explain why it is good to have its own user in place and not reuse the existing git user.
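
The three properties argued for in Comment 2 can be checked on an installed system. The following audit sketch is an added example, not part of the bug thread or of the gogs port; the repository root path, the function names and the uids used in the demo are assumptions, and the sample layout is constructed in a temporary directory.

```python
import os
import stat
import tempfile

def audit_path(path, owner_uid, max_mode):
    """Return findings for one path; an empty list means it passes."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {owner_uid}")
    if mode & ~max_mode:
        findings.append(f"{path}: mode {mode:04o} is wider than {max_mode:04o}")
    return findings

def audit_service(config, repo_root, service_uid, shared_uids):
    """Check the three properties from Comment 2 for one service account."""
    findings = []
    # The service must not run as an account other git tooling also uses.
    if service_uid in shared_uids:
        findings.append(f"uid {service_uid} is shared with another git service")
    # Config holds SMTP credentials: readable by the service user only.
    findings += audit_path(config, service_uid, 0o600)
    # Repository root: mode 700, owned by the service user.
    findings += audit_path(repo_root, service_uid, 0o700)
    return findings

def demo():
    """Constructed sample layout in a temp dir; returns (before, after)."""
    uid = os.getuid()  # stands in for pwd.getpwnam("gogs").pw_uid
    other = uid + 1    # stands in for the existing git account's uid
    with tempfile.TemporaryDirectory() as d:
        config = os.path.join(d, "gogs.ini")
        repos = os.path.join(d, "repos")  # hypothetical repository root
        open(config, "w").close()
        os.mkdir(repos)
        os.chmod(config, 0o644)  # weak: credentials readable by everyone
        os.chmod(repos, 0o755)   # weak: other users can list repositories
        before = audit_service(config, repos, uid, {other})
        os.chmod(config, 0o600)
        os.chmod(repos, 0o700)
        after = audit_service(config, repos, uid, {other})
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("\n".join(before) or "no findings")
    print("after tightening:", after or "no findings")
```

On a real host, pass the uid of the gogs account and the uids of the accounts used by gitolite or gitosis, together with /usr/local/etc/gogs.ini and the actual repository root.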

Comment 3 commit-hook freebsd_committer freebsd_triage 2016-02-16 11:04:29 UTC
A commit references this bug:

Author: pi
Date: Tue Feb 16 11:04:11 UTC 2016
New revision: 408986
URL: https://svnweb.freebsd.org/changeset/ports/408986

Log:
  devel/gogs (new port, not yet in the tree): reserve UIDs and GIDs

  PR:		207206
  Submitted by:	Matthias Fechner <idefix@fechner.net>

Changes:
  head/GIDs
  head/UIDs

Comment 4 Kurt Jaeger freebsd_committer freebsd_triage 2016-02-16 11:05:03 UTC
Added to UIDs and GIDs.