| Field | Value |
|---|---|
| Summary: | Add new user/group to UID and GUID for new gogs port |
| Product: | Ports & Packages |
| Reporter: | Matthias Fechner <mfechner> |
| Component: | Individual Port(s) |
| Assignee: | Kurt Jaeger <pi> |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| CC: | douglas, pi |
| Priority: | --- |
| Version: | Latest |
| Hardware: | Any |
| OS: | Any |
| Bug Depends on: | |
| Bug Blocks: | 205283 |
| Attachments: | |
Description
Matthias Fechner
2016-02-15 09:43:40 UTC
I'm curious why the git user that is already listed in UIDs and GIDs and used for the gitosis and gitolite ports is not sufficient for this? I would like to have another user:

1. The /usr/local/etc/gogs.ini does hold configuration including SMTP authentication information. It should be ensured that this username/password is only readable by the gogs user and not by other users.
2. The repositories used by gitolite and gogs (I use both products, sometimes also on the same computer) have their repositories protected with permission 700. In theory the user can only execute the shell that is defined in .ssh/authorized_keys, but if there is a bug anywhere the consequence would be that the user can access a repository it should not have access to.
3. Gogs is using a web interface to access the repository and special features (like GitHub). I never checked in detail if the code is secure or not. But using a separate user would ensure that other git repositories (using gitshell, gitolite) cannot be accessed if a bug/security problem is in the gogs software (gogs starts its own web server on port 3000 running as user gogs).

I hope these 3 simple examples explain why it is good to have an own user in place and not reuse the existing git user.

A commit references this bug:

Author: pi
Date: Tue Feb 16 11:04:11 UTC 2016
New revision: 408986
URL: https://svnweb.freebsd.org/changeset/ports/408986

Log:
devel/gogs (new port, not yet in the tree): reserve UIDs and GIDs

PR: 207206
Submitted by: Matthias Fechner <idefix@fechner.net>

Changes:
head/GIDs
head/UIDs

Added to UIDs and GIDs.
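The three points in the report rest on file ownership and mode bits: gogs.ini with its SMTP credentials and the bare repositories should be reachable only by the dedicated gogs uid. The audit script below is an added example, not part of this bug report or of the port; it builds a constructed sample tree in a temporary directory (placeholder credentials, one locked-down and one leaky repository) and reports every path that is owned by the wrong uid or accessible to group/other.

```python
import os
import stat
import tempfile

# Mode bits that grant any access to group or other. A gogs.ini holding SMTP
# credentials (0600) and a bare repository (0700) should have none of them set.
SHARED_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_gogs_layout(conf_path, repo_root, expected_uid):
    """Return human-readable findings for a gogs config file and repository root.

    A finding is produced when a path is not owned by expected_uid (the
    dedicated gogs user) or when its mode lets group/other read or traverse it.
    """
    findings = []
    repos = sorted(
        os.path.join(repo_root, name) for name in os.listdir(repo_root)
        if os.path.isdir(os.path.join(repo_root, name))
    )
    for path in [conf_path] + repos:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if mode & SHARED_BITS:
            findings.append(f"{path}: mode {mode:04o} grants access to group/other")
    return findings


def build_sample_layout():
    """Create a constructed sample tree (not a real installation) and return
    (conf_path, repo_root): a world-readable gogs.ini with a placeholder SMTP
    password, one correctly locked-down repository and one leaky repository."""
    root = tempfile.mkdtemp(prefix="gogs-audit-")
    conf_path = os.path.join(root, "gogs.ini")
    with open(conf_path, "w") as fh:
        fh.write("[mailer]\nUSER = gogs@example.invalid\nPASSWD = placeholder\n")
    os.chmod(conf_path, 0o644)  # readable by every local user: finding expected
    repo_root = os.path.join(root, "repositories")
    os.mkdir(repo_root)
    for name, mode in (("private.git", 0o700), ("leaky.git", 0o755)):
        os.mkdir(os.path.join(repo_root, name))
        os.chmod(os.path.join(repo_root, name), mode)
    return conf_path, repo_root


def run_sample_audit():
    """Build the sample layout and audit it as the current user."""
    conf_path, repo_root = build_sample_layout()
    return audit_gogs_layout(conf_path, repo_root, os.getuid())


if __name__ == "__main__":
    for line in run_sample_audit():
        print(line)
```

On a real host the same function would be pointed at /usr/local/etc/gogs.ini, the gogs repository root and the uid of the gogs user; the ownership check is what turns the "separate user" argument into something verifiable.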