git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: Fraser Tweedale <frase@frase.id.au>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] documentation: add git transport security notice
Date: Tue, 25 Jun 2013 07:57:35 +1000	[thread overview]
Message-ID: <20130624215733.GU2457@bacardi.hollandpark.frase.id.au> (raw)
In-Reply-To: <7vppvbbhoi.fsf@alter.siamese.dyndns.org>

On Mon, Jun 24, 2013 at 09:24:29AM -0700, Junio C Hamano wrote:
> Fraser Tweedale <frase@frase.id.au> writes:
> 
> > The fact that the git transport has no end-to-end security is easily
> > overlooked.  Add a brief security notice to the "GIT URLS" section
> > of the documentation stating that the git transport should be used
> > with caution on unsecured networks.
> >
> > Signed-off-by: Fraser Tweedale <frase@frase.id.au>
> > ---
> >  Documentation/urls.txt | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/Documentation/urls.txt b/Documentation/urls.txt
> > index 3ca122f..c218af5 100644
> > --- a/Documentation/urls.txt
> > +++ b/Documentation/urls.txt
> > @@ -11,6 +11,9 @@ and ftps can be used for fetching and rsync can be used for fetching
> >  and pushing, but these are inefficient and deprecated; do not use
> >  them).
> >  
> > +The git protocol provides no end-to-end security and should be used
> > +with caution on unsecured networks.
> 
> Is this necessary?
> 
> I thought we already say the git protocol does not even authenticate
> elsewhere in the document, and if not, I think it is a sensible
> thing to say here.  And once it is done, I doubt it is necessary to
> bring up a narrower concept such as "end-to-end security" which
> requires a lot more than authentication.
> 
Certainly in this part of the documentation there is no mention of
(lack of) authentication or security concerns.  git-daemon(1) does
mention the lack of authentication in the SERVICES/receive-pack
section.

Once you are aware that the git transport is insecure it seems
obvious in hindsight, but even as a security-minded person I simply
overlooked this until recently.  A brief note in the GIT URLS
section (which is included in the man pages for a number of
essential commands) would have brought this to my attention much
sooner.

Junio, do you prefer the following more generic wording?  If so I
will re-roll the patch (also note s/protocol/transport/ which is
more appropriate, I think).

 The git transport is insecure and should be used with caution on
 unsecured networks.

> The only thing git protocol ensures is that the receiving end
> validates that what is fetched from an unknown server, and what is
> pushed by an unknown pusher, is internally consistent.
> 
> If you allowed a push over the git protocol by enabling the
> receive-pack service in "git daemon" (not recommended), you may
> allow anonymous users to delete branches and to do other funky
> things unless you protect your repository with pre-receive hook, but
> that won't corrupt the repository (of course, deleting all the refs
> may make the repository an empty but not corrupt one, which is just
> as unusable as a corrupt one, so there may not be a huge practical
> difference).  If you fetched from an unauthenticated server,
> possibly with MITM, over the git protocol, you may end up getting
> something you did not ask for, but the resulting history in your
> repository would still be internally consistent (the commits may be
> malicious ones, of course, but that is what signed tags are there to
> protect you against).

  reply	other threads:[~2013-06-24 21:57 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-06-24 10:23 [PATCH] documentation: add git transport security notice Fraser Tweedale
2013-06-24 16:24 ` Junio C Hamano
2013-06-24 21:57   ` Fraser Tweedale [this message]
2013-06-24 22:27     ` Fredrik Gustafsson
2013-06-24 22:35       ` Junio C Hamano
2013-06-24 22:47         ` Fredrik Gustafsson
2013-06-24 22:28     ` Junio C Hamano
  -- strict thread matches above, loose matches on Subject: below --
2013-06-26  5:53 Fraser Tweedale
2013-07-05  8:41 Fraser Tweedale
2013-07-07  0:50 ` Jonathan Nieder

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130624215733.GU2457@bacardi.hollandpark.frase.id.au \
    --to=frase@frase.id.au \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).