Reported by Sindre Myren, Apr 14, 2009
I could clone, commit and push a private git project from a unauthorizes user. Steps to reproduce: 1) Add a user test. 2) Generat an ssh key, and add it to user test. 3) Create a private project with another user owning it. 4) clone private project from the computer where you created the ssh key-pair for test. 5) Do some changes and commit. 6) git push! But this was perhaps a known issue? I Updated indefero last time yesterday.
Comment 1 by Loïc d'Anterroches, Apr 16, 2009
Sorry, I was not here yesterday, so I was not able to provide you with a fast answer. In short, this is normal, this is because you where both users at the same time. In long, let me try to explain you what happened. You most likely had both SSH keys loaded in your key ring. The result is that you are user x or y when doing the ssh connection only based on the ssh key you have loaded. In fact, you "are" the first ssh key which will match. In that case, you still had your previous ssh key, so you where considered the "privileged" user. Try unloading all your ssh keys then loading only the one of the test user. You should be ejected.
Comment 2 by Sindre Myren, Apr 16, 2009
Ok. I will try this in the forthcoming weekend, and report whether you are right or wrong. Thanks.
Comment 3 by Sindre Myren, Apr 18, 2009
Ok. I have now tested this, And I think you are wrong. I am still able to push and pull using a user that is not in the member list of a particular project. Exact steps to reproduce, given the project 'test-private' is already initialized, is private, and has one owner, 'priv_user' and no members. A) On my indefero server: 1)First I cleared the file ~/.ssh/authorized_users for the git user. 2) Then I logged in to the linux user 'priv_user' with a rsa key-pair in ~/.ssh. I added the ~/.ssh/id_rsa.pub key to the indefero user 'priv_user'. As expected, this user are allowed to do git push/pull operations on 'test'. B) On my laptop: 1) I logged in to the linux user 'unpriv_user'. I added the ~/.ssh/id_rsa.pub key to the indefero user 'unpriv_user'. This user to is also allowed to do git push/pull operations on 'test'.
Comment 4 by Sindre Myren, Apr 18, 2009
Error in last message: please read 'test' as 'test-private'
Comment 5 by Sindre Myren, Apr 19, 2009
(Invalid - Self inflicted) Ok.. This one seems to be my fault as well.. When I first set up Indefero I got a bug when trying to use git commands to use git push/pull/clone operations aginst my server: Need SSH_ORIGINAL_COMMAND in environment. fatal: The remote end hung up unexpectedly To fix it, I run a Forced cmd of my own in /etc/ssh/sshd_conf. Before I filed this bug, I removed the Forced Command, but forgot to restart sshd. Sadly for me, by restarting sshd withoud the forced command, I am no longer able to do push and pull operations at all.. See Issue 198
Comment 6 by Loïc d'Anterroches, Apr 19, 2009
Ok, so, I am closing this issue and will work on issue 198.