[Fusionforge-general] Gitweb access to private repos

Sylvain Beucler - Inria sylvain.beucler at inria.fr
Mon Feb 24 11:30:03 CET 2014


On 24/02/2014 10:40, Thorsten Glaser wrote:
> On Mon, 24 Feb 2014, Sylvain Beucler - Inria wrote:
>
>> I suppose the point is to avoid any non-fusionforge web app to access the
>> fusionforge database? :)
> That, and to prevent “accidental” password disclosure, yes.
> The web applications that need it get it via Apache.
Sadly it's passed through custom headers to PHP, which are not passed in 
turn to gitweb.cgi :/
>> Hmmm, am I wrong, or are you actually exec'ing the whole gitweb.cgi as root?
> No, I’m running it as the (system) user the person logged in as.
> So they will be able to see any repository they have read access
> to, but none they don’t. Additionally, they cannot elevate privs
> that way.
Interesting solution. I like it.

-- 
Sylvain
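The approach Thorsten describes above, running gitweb.cgi under the system account of the authenticated person so that repository visibility comes from filesystem permissions alone, can be sketched as a small front-end. The following is an added example, not FusionForge code and not anything from the thread. It assumes Apache has already authenticated the request and set REMOTE_USER, that the wrapper itself starts with enough privilege to change identity (e.g. launched through a setuid helper or a sudoers rule, both outside the scope of this snippet), that gitweb lives at the hypothetical path /usr/share/gitweb/gitweb.cgi, and that real user accounts have uid >= 1000. It also strips the environment to a fixed allowlist before exec, which addresses Sylvain's remark that credentials reach PHP via custom headers: nothing of that kind should leak into the gitweb process.

```python
#!/usr/bin/env python3
"""Hypothetical CGI front-end: run gitweb.cgi as the logged-in system user.

Added example, not part of FusionForge. Assumptions: REMOTE_USER is set by
Apache after authentication; this process starts with the privilege needed
to call setuid (how it gets that privilege is out of scope); gitweb is at
GITWEB; real user accounts have uid >= MIN_UID.
"""
import grp
import os
import pwd
import re
import sys

GITWEB = "/usr/share/gitweb/gitweb.cgi"      # assumed path
MIN_UID = 1000                                # assumed: first non-system account
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# CGI variables gitweb actually needs; anything else (including HTTP_*
# headers that might carry database credentials) is dropped.
ENV_ALLOWLIST = {
    "GATEWAY_INTERFACE", "REQUEST_METHOD", "QUERY_STRING", "PATH_INFO",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "HTTP_HOST", "HTTP_ACCEPT", "CONTENT_TYPE", "CONTENT_LENGTH",
    "REMOTE_USER", "REMOTE_ADDR",
}


def resolve_target(username):
    """Map REMOTE_USER to (uid, gid, supplementary gids).

    Refuses anything that would amount to an elevation rather than a
    plain impersonation of the logged-in person: malformed names, unknown
    accounts, root and other system accounts.
    """
    if not USERNAME_RE.match(username or ""):
        raise ValueError("malformed username")
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        raise ValueError("unknown user")
    if pw.pw_uid == 0 or pw.pw_uid < MIN_UID:
        raise ValueError("refusing system account")
    groups = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    groups.add(pw.pw_gid)
    return pw.pw_uid, pw.pw_gid, sorted(groups)


def drop_privileges(uid, gid, groups):
    """Switch identity irreversibly: supplementary groups, then gid, then uid.

    Only callable when the process holds the privilege to change identity;
    afterwards it verifies that root cannot be regained.
    """
    os.setgroups(groups)
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid:
        raise RuntimeError("privilege drop failed")
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("could still regain root after dropping privileges")


def scrub_environment(env):
    """Keep only allowlisted CGI variables plus a fixed PATH for git."""
    clean = {k: v for k, v in env.items() if k in ENV_ALLOWLIST}
    clean["PATH"] = "/usr/bin:/bin"
    return clean


def main():
    try:
        uid, gid, groups = resolve_target(os.environ.get("REMOTE_USER"))
    except ValueError as exc:
        sys.stdout.write("Status: 403 Forbidden\r\n"
                         "Content-Type: text/plain\r\n\r\n%s\n" % exc)
        return 1
    drop_privileges(uid, gid, groups)
    # From here on, the kernel enforces repository access for this user.
    os.execve(GITWEB, [GITWEB], scrub_environment(os.environ))


if __name__ == "__main__":
    sys.exit(main())
```

The identity switch is done in the order groups, gid, uid, because once the uid is dropped the process can no longer change its groups; the explicit attempt to regain uid 0 afterwards is the cheap check that the drop really was irreversible.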


