[Fusionforge-general] Concurrent WebDAV+SSH

Christian Bayle gforge at free.fr
Sat Mar 8 22:30:14 CET 2014


Hi Sylvain

>> or more precisely not "Running everything as a single user" as far
>> as I understand
> Unless there's a way to do that with good isolation, yes.
> Note that SF is doing WebDAV as a single user (but not SSH).
>
Maybe simply because webdav is thought to work as a single user
where ssh is not.
>> but I could mention that gitolite is used by several big organisations
>>
>> http://gitolite.com/gitolite/who.html
>>
>> And had a serious security audit
>>
>> https://groups.google.com/forum/#!topic/gitolite/jcUkIFKxbQ8
> It's like the concrete pumped into Venice's foundations: it's pretty
> solid itself, but it doesn't prevent the whole city from slowly sinking :)
>
> What about Apache running all write requests as a single user?  The
> webapps that modify the repos?  Git?  Each and every hook that you
> install?  All these are far from being perfectly secure and audited.
>
> Gitolite has an impressive user list, but it doesn't mention additional
> isolation.  Did Fedora develop complex selinux rules?  Did kernel.org
> restrict hooks?  Is KDE enabling WebDAV as well?
>
> Last, the audit was done more than 2 years ago, by somebody at oracle,
> and amounts to a 20-30 lines mail.  It's from a kernel contributor
> justifying the choice after-the-fact.  And again it's just auditing
> Gitolite separately, not the complete chain.
> I had lost the habit of frowning upon hearing "security audit". Thanks
> for the reminder ;)
>
> Thanks for the interesting links though.
>
I agree, it's quite complex to guarantee isolation between repos with a
single user, but in another way, if you run as a single user, this user
is rather isolated and unprivileged from the system point of view.
There is some kind of logic to run git+ssh and webdav as a single user,
though I rather agree that the system probably provides better isolation
between users/groups, more logical with shell access.

I rather think we should give the choice, with some safe constraints like
no shell access with gitolite+webdav.

One annoying part of gitolite, is actually that the user of a repo
hasn't access to hooks. 

>>>>> Maybe time to think about some multi vm setup, using, e.g. containers, as
>>>>> it would allow some better system isolation,
>>>>> and no problem to use mpm-itk in one host and something else in another.
>>> Aren't you confusing system isolation and project isolation?
>>> Plus FF is modular enough for multi-vm setups already.
>> no, I just mention this because at the beginning, in the sourceforge
>> code, one can see that some security issues were solved by having a
>> separate server for shell access and also one for cvs if I remember well.
> OK, so that's a different topic.
>
>
>> I never tested a multivm setup, not even sure it would work.
> I don't follow you :/
>
> For instance Gna! is currently split in 5 VMs, Savannah is similar.
> Alioth was on 2 servers until recently AFAIK.
> What do you mean, more precisely, by multivm setup?
>
I was thinking about the currently packaged version: it's easy to separate
the db, but if you want to separate cvs, svn, git, home, I think it's not
working 'out of the box' with debian or centos packages.

Christian


