Gitolite configuration directions are insecure

Bug #1424294 reported by Ian Nicholson
Affects: Ubuntu Server Guide
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Relevant instructions:

$ cp ~/.ssh/id_rsa.pub /tmp/$(whoami).pub
Let's switch to the git user and import the administrator's key into gitolite.
$ sudo su - git
$ gl-setup /tmp/*.pub

The directions should explicitly import only the public key that the user means to import. My understanding is that keys shouldn't ever be stored in /tmp, since it's world-writable.
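The two problems the report names, a glob that hands every `*.pub` in the directory to `gl-setup` and a staging location that any local user can write to, can both be shown and avoided with plain POSIX sh. The following is an added example, not code from the Ubuntu Server Guide or from gitolite: `count_glob_matches` reports how many files a `/tmp/*.pub`-style glob would expand to, `looks_like_pubkey` is a constructed sanity check that a file holds exactly one OpenSSH public key, and `stage_admin_key` copies one named key into a fresh mode-0700 directory created with `mktemp -d` and prints the staged path. The `gl-setup` call itself is not run here; the function names and the sample key data are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide or gitolite.
# Stage exactly one public key in a private directory instead of
# relying on "gl-setup /tmp/*.pub".

# Print how many files a "<dir>/*.pub" glob would pass to a command.
# This is the hazard in the reported instructions: every *.pub that
# anyone has dropped into the directory gets imported.
count_glob_matches() {
    dir="$1"
    set -- "$dir"/*.pub
    # An unmatched glob stays literal; report 0 in that case.
    [ -e "$1" ] || { echo 0; return; }
    echo "$#"
}

# Constructed check: the file is a single line whose first field is a
# known OpenSSH key type. gitolite's own parsing is stricter; this only
# rejects obviously wrong input before anything is copied.
looks_like_pubkey() {
    lines=$(wc -l < "$1" | tr -d ' ')
    [ "$lines" -le 1 ] || return 1
    first=$(cut -d' ' -f1 "$1")
    case "$first" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Copy one named key into a fresh private directory and print its path.
# Usage: staged=$(stage_admin_key ~/.ssh/id_rsa.pub "$(whoami)")
# The caller would then run "gl-setup $staged" (not executed here); the
# explicit path means no other file can ride along via a glob.
stage_admin_key() {
    src="$1"; name="$2"
    looks_like_pubkey "$src" || {
        echo "refusing: $src is not a single OpenSSH public key" >&2
        return 1
    }
    # mktemp -d creates the directory mode 0700; chmod makes that explicit.
    staging=$(mktemp -d) || return 1
    chmod 700 "$staging"
    cp "$src" "$staging/$name.pub"
    chmod 644 "$staging/$name.pub"
    echo "$staging/$name.pub"
}
```

The staging directory is private to the invoking user, so nothing else can add a `.pub` file to it before the key is imported, and the explicit `"$staged"` argument replaces the glob; if a second user's key were sitting in the same directory, `count_glob_matches` would report it, while `stage_admin_key` never sees it.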

Revision history for this message
Ian Nicholson (imnichol) wrote :

Also, that would import every public key in /tmp, which seems pretty bad if you're trying to set up an administrator account.

Revision history for this message
Peter Matulis (petermatulis) wrote :

@Ian

I'm not familiar with this software. Once gl-setup is run can the public key it refers to be removed?

Revision history for this message
Ian Nicholson (imnichol) wrote : Re: [Bug 1424294] Re: Gitolite configuration directions are insecure

On 03/25/2015 09:03 AM, Peter Matulis wrote:
> @Ian
>
> I'm not familiar with this software. Once gl-setup is run can the
> public key it refers to be removed?
>
I'm unfamiliar with it as well, so I couldn't say. My concern though
is that these directions seem to import *all* public keys that are
sitting in /tmp as part of the configuration process for the
administrative user.

--
Ian Nicholson
