[Secure-testing-team] Bug#727122: [gitolite3] Do not create a test-repo with @all RW

Gerfried Fuchs rhonda at deb.at
Tue Dec 24 15:20:02 UTC 2013


severity 727122 normal
tags 727122 - security
thanks

     Hi!

* Bastien ROUCARIÈS <bastien.roucaries at u-cergy.fr> [2013-10-22 15:01:59 CEST]:
> By default the gitolite3 install creates a test repo (see gitolite.conf):
> repo testing:
>     RW+ = @all

 That's right.

> This repository is writable by everyone and could lead to a remote DoS
> (disk full).

 No, it's not writable by everyone.  It's writable by people whose keys
have been added.  In that respect the testing repository is no different
an attack vector from any other repository you create to give people
write access.

 I agree that creating a testing repository might not be really useful
for the usual installations, and I guess most people have removed it
from their gitolite(3) installation, but that's no more of a DoS attack
vector than any other "regular" repository you grant access to.

 Enjoy,
Rhonda
-- 
If you feel discouraged, finally take courage, go      |
If you feel helpless, go out and help, go              | Wir sind Helden
If you feel powerless, go out and act, go              | 23.55: Alles auf Anfang
If you feel unmoored, look for a hold and let go       |
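The exchange above turns on what `@all` means on the user side of a gitolite rule: every user whose key has been registered, not anonymous clients. An administrator who wants to find every repo that is writable by every key holder (the shipped `testing` repo being the usual one) can audit `gitolite.conf` for write permissions granted to `@all`, directly or through a group that expands to it. The following is an added example written for this page, not code from gitolite or from either poster. It parses only the subset of gitolite.conf syntax shown in the constructed sample (group definitions, `repo` headers, `PERM [refex] = users` rules); the sample configuration itself is constructed and modelled on the quoted default.

```python
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample gitolite.conf (not taken from the page). It reproduces
# the shipped default that the bug report quotes (repo testing: RW+ = @all)
# and adds a group that expands to @all, to show indirect grants.
SAMPLE_CONF = """
@devs     = alice bob
@everyone = @all

repo gitolite-admin
    RW+     =   admin

repo testing
    RW+     =   @all

repo project
    RW+     =   @devs
    R       =   @everyone      # read-only for everyone: not a write grant

repo scratch
    RW      =   @everyone      # indirect write grant via @everyone -> @all
"""

# Every gitolite write permission starts with RW (RW, RW+, RWC, RW+C, RWD, RW+D, ...).
WRITE_PERMS = re.compile(r"^RW")


def parse_conf(text: str) -> Tuple[Dict[str, Set[str]], List[Tuple[str, str, str]]]:
    """Parse group definitions, repo headers and permission rules.

    Returns (groups, rules). groups maps '@name' -> set of members; each rule
    is (repo, perm, user_or_group). Comments and blank lines are ignored, and
    an optional refex after the permission (e.g. 'RW+ master = alice') is
    dropped, since this audit does not distinguish branches.
    """
    groups: Dict[str, Set[str]] = {}
    rules: List[Tuple[str, str, str]] = []
    current_repos: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@") and "=" in line:
            name, members = (p.strip() for p in line.split("=", 1))
            groups.setdefault(name, set()).update(members.split())
            continue
        if line.startswith("repo "):
            # 'repo @all' is reported under the literal name '@all' (all repos).
            current_repos = line.split()[1:]
            continue
        if "=" in line and current_repos:
            lhs, rhs = (p.strip() for p in line.split("=", 1))
            perm = lhs.split()[0]
            for repo in current_repos:
                for who in rhs.split():
                    rules.append((repo, perm, who))
    return groups, rules


def expand(who: str, groups: Dict[str, Set[str]], seen: FrozenSet[str] = frozenset()) -> Set[str]:
    """Recursively expand a user or group name into its leaf members.

    '@all' is left as a literal: gitolite resolves it at access time to every
    user with a registered key. 'seen' guards against cyclic group definitions.
    """
    if who not in groups or who in seen:
        return {who}
    members: Set[str] = set()
    for m in groups[who]:
        members |= expand(m, groups, seen | {who})
    return members


def world_writable_repos(text: str) -> Dict[str, List[str]]:
    """Return {repo: [perms]} for every repo that grants a write permission to
    @all, whether named directly or reached through a group."""
    groups, rules = parse_conf(text)
    hits: Dict[str, List[str]] = {}
    for repo, perm, who in rules:
        if WRITE_PERMS.match(perm) and "@all" in expand(who, groups):
            hits.setdefault(repo, []).append(perm)
    return hits


if __name__ == "__main__":
    for repo, perms in sorted(world_writable_repos(SAMPLE_CONF).items()):
        print(f"{repo}: writable by every key holder via {', '.join(perms)}")
```

Run against the sample, the audit flags `testing` (direct `RW+ = @all`) and `scratch` (`RW` through `@everyone`), and leaves `project` alone because `@everyone` only has read there. The check deliberately ignores `-` deny rules and refexes, so it can over-report but never misses a grant; once a repo is flagged, the fix is the one the thread implies: delete the block from `gitolite.conf` or replace `@all` with a named group.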
