Comment 1 by Loïc d'Anterroches, Apr 16, 2009
Sorry, I was not here yesterday, so I was not able to provide you with a fast answer. In short, this is normal; this is because you were both users at the same time. In long, let me try to explain to you what happened. You most likely had both SSH keys loaded in your key ring. The result is that you are user x or y when doing the ssh connection only based on the ssh key you have loaded. In fact, you "are" the first ssh key which will match. In that case, you still had your previous ssh key, so you were considered the "privileged" user. Try unloading all your ssh keys, then loading only the one of the test user. You should be ejected.
Summary:
Security: I could clone, commit and push into a private project from an unauthorized user
Owner: loic
Comment 2 by Sindre Myren, Apr 16, 2009
Ok. I will try this in the forthcoming weekend, and report whether you are right or wrong. Thanks.
Comment 3 by Sindre Myren, Apr 18, 2009
Ok. I have now tested this, and I think you are wrong. I am still able to push and pull using a user that is not in the member list of a particular project. Exact steps to reproduce, given the project 'test-private' is already initialized, is private, and has one owner, 'priv_user', and no members:
A) On my indefero server:
1) First I cleared the file ~/.ssh/authorized_users for the git user.
2) Then I logged in to the linux user 'priv_user' with an rsa key-pair in ~/.ssh. I added the ~/.ssh/id_rsa.pub key to the indefero user 'priv_user'. As expected, this user is allowed to do git push/pull operations on 'test'.
B) On my laptop:
1) I logged in to the linux user 'unpriv_user'. I added the ~/.ssh/id_rsa.pub key to the indefero user 'unpriv_user'. This user, too, is allowed to do git push/pull operations on 'test'.
Comment 5 by Sindre Myren, Apr 19, 2009
(Invalid - Self inflicted) Ok.. This one seems to be my fault as well.. When I first set up Indefero I got a bug when trying to use git commands to do git push/pull/clone operations against my server:
Need SSH_ORIGINAL_COMMAND in environment.
fatal: The remote end hung up unexpectedly
To fix it, I ran a forced command of my own in /etc/ssh/sshd_conf. Before I filed this bug, I removed the forced command, but forgot to restart sshd. Sadly for me, after restarting sshd without the forced command, I am no longer able to do push and pull operations at all.. See Issue 198
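The mechanism behind both comment 1 (the SSH key, not the client's local user, decides who you "are") and comment 5 (a custom forced command replacing the one that reads SSH_ORIGINAL_COMMAND) is the `command="..."` option in the git user's authorized_keys file. The following is an added example written for this thread, not InDefero's own code: a minimal POSIX sh forced-command wrapper. sshd invokes it with the InDefero username bound to the matching key (`command="/path/gitserve.sh priv_user" ssh-rsa AAAA...`, a hypothetical layout), and the wrapper checks the requested repository against a constructed `project:user,user` membership table before handing the request to `git shell`. Every path and the membership format are assumptions for the example.

```sh
#!/bin/sh
# Added example (not InDefero code): authorized_keys forced-command wrapper.
# The username comes from the authorized_keys line that matched the client's key,
# so whichever loaded key the agent offers first is the identity that is checked.

# Constructed sample membership table: "project:comma-separated members".
# A real deployment would read its own table here instead.
MEMBERS_FILE="${MEMBERS_FILE:-$(mktemp)}"
printf '%s\n' 'test-private:priv_user' 'public-demo:priv_user,unpriv_user' > "$MEMBERS_FILE"

# is_member PROJECT USER: exit 0 if USER is listed for PROJECT.
is_member() {
    grep "^$1:" "$MEMBERS_FILE" | cut -d: -f2 | tr ',' '\n' | grep -qx "$2"
}

# authorize USER COMMAND: 0 = allowed, 1 = not a member, 2 = malformed request.
# COMMAND is what git sends over ssh, e.g. "git-receive-pack 'test-private'".
authorize() {
    user="$1"; cmd="$2"
    if [ -z "$cmd" ]; then
        # This is the message InDefero printed when no forced command set the variable.
        echo "Need SSH_ORIGINAL_COMMAND in environment." >&2
        return 2
    fi
    case "$cmd" in
        "git-upload-pack "*|"git-receive-pack "*) ;;
        *) echo "Only git-upload-pack/git-receive-pack are allowed." >&2; return 2 ;;
    esac
    repo="${cmd#* }"                 # drop the verb, keep the quoted repo argument
    repo="${repo#\'}"; repo="${repo%\'}"   # strip git's single quotes
    repo="${repo%.git}"              # accept both 'name' and 'name.git'
    # Never let the client steer the path outside the repository root.
    case "$repo" in
        *..*|/*|"") echo "Bad repository name." >&2; return 2 ;;
    esac
    if is_member "$repo" "$user"; then
        return 0
    fi
    echo "User '$user' is not a member of project '$repo'." >&2
    return 1
}

# Real use (hypothetical): sshd runs "gitserve.sh <indefero-user>" and git's
# request arrives in SSH_ORIGINAL_COMMAND. With no argument, only the functions load.
if [ -n "${1:-}" ]; then
    authorize "$1" "${SSH_ORIGINAL_COMMAND:-}" || exit $?
    exec git shell -c "$SSH_ORIGINAL_COMMAND"
fi
```

Unloading all keys and loading only the test user's key, as comment 1 suggests, changes which authorized_keys line matches and therefore which username the wrapper is called with; replacing the forced command in sshd_config instead, as comment 5 did, bypasses this check entirely for every key.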
Comment 6 by Loïc d'Anterroches, Apr 19, 2009
Ok, so, I am closing this issue and will work on issue 198.
Status:
Fixed
Reported by Sindre Myren, Apr 14, 2009