From: Fraser Tweedale <frase@frase.id.au>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] documentation: add git transport security notice
Date: Tue, 25 Jun 2013 07:57:35 +1000 [thread overview]
Message-ID: <20130624215733.GU2457@bacardi.hollandpark.frase.id.au> (raw)
In-Reply-To: <7vppvbbhoi.fsf@alter.siamese.dyndns.org>
On Mon, Jun 24, 2013 at 09:24:29AM -0700, Junio C Hamano wrote:
> Fraser Tweedale <frase@frase.id.au> writes:
>
> > The fact that the git transport has no end-to-end security is easily
> > overlooked. Add a brief security notice to the "GIT URLS" section
> > of the documentation stating that the git transport should be used
> > with caution on unsecured networks.
> >
> > Signed-off-by: Fraser Tweedale <frase@frase.id.au>
> > ---
> > Documentation/urls.txt | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/Documentation/urls.txt b/Documentation/urls.txt
> > index 3ca122f..c218af5 100644
> > --- a/Documentation/urls.txt
> > +++ b/Documentation/urls.txt
> > @@ -11,6 +11,9 @@ and ftps can be used for fetching and rsync can be used for fetching
> > and pushing, but these are inefficient and deprecated; do not use
> > them).
> >
> > +The git protocol provides no end-to-end security and should be used
> > +with caution on unsecured networks.
>
> Is this necessary?
>
> I thought we already say the git protocol does not even authenticate
> elsewhere in the document, and if not, I think it is a sensible
> thing to say here. And once it is done, I doubt it is necessary to
> bring up a narrower concept such as "end-to-end security" which
> requires a lot more than authentication.
>
Certainly in this part of the documentation there is no mention of
(lack of) authentication or security concerns. git-daemon(1) does
mention the lack of authentication in the SERVICES/receive-pack
section.
Once you are aware that the git transport is insecure it seems
obvious in hindsight, but even as a security-minded person I simply
overlooked this until recently. A brief note in the GIT URLS
section (which is included in the man pages for a number of
essential commands) would have brought this to my attention much
sooner.
Junio, do you prefer the following more generic wording? If so I
will re-roll the patch (also note s/protocol/transport/ which is
more appropriate, I think).
The git transport is insecure and should be used with caution on
unsecured networks.
> The only thing git protocol ensures is that the receiving end
> validates that what is fetched from an unknown server, and what is
> pushed by an unknown pusher, is internally consistent.
>
> If you allowed a push over the git protocol by enabling the
> receive-pack service in "git daemon" (not recommended), you may
> allow anonymous users to delete branches and to do other funky
> things unless you protect your repository with pre-receive hook, but
> that won't corrupt the repository (of course, deleting all the refs
> may make the repository an empty but not corrupt one, which is just
> as unusable as a corrupt one, so there may not be a huge practical
> difference). If you fetched from an unauthenticated server,
> possibly with MITM, over the git protocol, you may end up getting
> something you did not ask for, but the resulting history in your
> repository would still be internally consistent (the commits may be
> malicious ones, of course, but that is what signed tags are there to
> protect you against).
next prev parent reply other threads:[~2013-06-24 21:57 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-24 10:23 [PATCH] documentation: add git transport security notice Fraser Tweedale
2013-06-24 16:24 ` Junio C Hamano
2013-06-24 21:57 ` Fraser Tweedale [this message]
2013-06-24 22:27 ` Fredrik Gustafsson
2013-06-24 22:35 ` Junio C Hamano
2013-06-24 22:47 ` Fredrik Gustafsson
2013-06-24 22:28 ` Junio C Hamano
-- strict thread matches above, loose matches on Subject: below --
2013-06-26 5:53 Fraser Tweedale
2013-07-05 8:41 Fraser Tweedale
2013-07-07 0:50 ` Jonathan Nieder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130624215733.GU2457@bacardi.hollandpark.frase.id.au \
--to=frase@frase.id.au \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).