Thread: Git and RSA

#1
Put a potato on it!
Devshed Newbie (0 - 499 posts)
Join Date: Jul 2008
Location: Maryland
Posts: 304
Rep Power: 971

Git and RSA
After a recent attack my company has been working with our host to secure our servers more. Their suggestion is to have an individual user for each site directory on the server, so that if one user gets compromised they can't attack the other sites on the server. The issue we ran into was using Git: either we had to log in as the site user and fetch new branches to the site directory as that user, or log in as ourselves, sudo our git commands, and then change ownership afterward.

Our sys architect created new site users for each directory and then set up RSA keys on the server we're fetching from, and put our users' public keys in so that they could authenticate as these users. However, because all files (including git files) are owned by siteuser:siteuser, we have to use sudo to fetch and check out the files and then chown them back after the fact. This seems clunky, and I've been searching for another way to use git securely. I found gitolite and git-shell, which seem okay, but then every file would be owned by the git user, I believe. I'm shaky on RSA stuff and have a basic working knowledge of git, but most of this is over my head. However, when the new process of pushing code changes was told to me, I instinctively flinched, because this seems kind of messy.

    Is there a better way to do what we're trying to do?
    "Those who can make you believe absurdities can make you commit atrocities."
#2
Lost in code
Devshed Supreme Being (6500+ posts)
Join Date: Dec 2004
Posts: 8,317
Rep Power: 7170

    Ignore GIT for a moment and think about the problem at a higher level.

    You want all of the files belonging to a particular site to be owned by that site's user. You want to deploy updates to those files using a user that isn't the site's user. In Linux, you can't create files as another user unless you use sudo or are root. Therefore, no matter what version control system you use or how you configure that version control system, you're going to run into this problem.

    If everyone who deploys has sudo permission, then the easiest way of doing this would be to use sudo to run the deploy as the site owner.

    If you don't want to give people who deploy sudo access, you could write a small program to perform the deploy and use setuid on it to make it run as the site's owner.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
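The first option in the reply above (deployers with sudo rights run the deploy as the site owner) can be wrapped in a small script so that git is only ever invoked as the site user and nothing has to be chown'ed back afterwards. The script below is an added example, not code from the thread or from any of the tools mentioned; it assumes a hypothetical layout where each site lives in `/var/www/<site>` and is owned by a user of the same name, and that the site user's own SSH key is what authenticates the fetch (hence `-H`, which makes git read that user's home directory configuration).

```shell
#!/bin/sh
# deploy-site.sh (added example, hypothetical layout):
# fetch and fast-forward a branch inside a per-site checkout, running every
# git command as the site's owner so file ownership never drifts.

SITES_ROOT="${SITES_ROOT:-/var/www}"   # assumption: one directory per site, owned by <site>:<site>

# Command prefix that switches to the site user. When the caller already is
# that user (a cron job, or the site user logging in directly) no sudo is used.
run_as() {
    user="$1"
    if [ "$(id -un)" = "$user" ]; then
        printf ''
    else
        printf 'sudo -u %s -H ' "$user"
    fi
}

# Succeed only if every path under dir is owned by user. A run of
# "sudo git ..." where someone forgot the chown afterwards shows up here,
# before the deploy touches anything. A non-existent user is a failure too,
# otherwise find would print an error and the check would pass vacuously.
check_ownership() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || return 1
    id "$user" >/dev/null 2>&1 || return 1
    stray=$(find "$dir" ! -user "$user" 2>/dev/null | head -n 1)
    [ -z "$stray" ]
}

# deploy_site <site> [branch]: return codes distinguish the failure modes so a
# wrapper (or the deployer) can tell "not a checkout" from "ownership is wrong".
deploy_site() {
    site="$1"; branch="${2:-main}"
    dir="$SITES_ROOT/$site"
    [ -d "$dir/.git" ] || { echo "no git checkout at $dir" >&2; return 2; }
    check_ownership "$dir" "$site" || {
        echo "files under $dir are not all owned by $site; fix ownership before deploying" >&2
        return 3
    }
    prefix=$(run_as "$site")
    # $prefix is intentionally unquoted: it is either empty or "sudo -u <user> -H ".
    $prefix git -C "$dir" fetch --prune origin || return 4
    $prefix git -C "$dir" checkout -q "$branch" || return 5
    $prefix git -C "$dir" merge --ff-only "origin/$branch" || return 6
    # Post-condition: ownership is still uniform after git wrote the new files.
    check_ownership "$dir" "$site"
}

# Usage from a deployer account: ./deploy-site.sh shop main
[ "${1:-}" ] && deploy_site "$@"
```

For the `sudo -u` step to work without handing deployers a general sudo, the sudoers entry can be limited to running git as the site accounts only, for example `%deployers ALL=(shop,blog) NOPASSWD: /usr/bin/git` (assumed group and user names). That keeps the "one user per site" boundary intact: a deployer can update a site's checkout but cannot run arbitrary commands as root.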
#3
Put a potato on it!
Devshed Newbie (0 - 499 posts)
Join Date: Jul 2008
Location: Maryland
Posts: 304
Rep Power: 971

    Yeah, I was thinking a little script would make this a lot simpler and might be the route I take in the end. I myself would rather switch to the site user and then pull the updates as that seems to leave less room for error (forgetting to chown files back after sudo'ing for instance), but my coworkers think using sudo is easier.

    But I fully agree that a script is a viable solution, and in the vein of wanting to minimize user error, having vetted code doing the work for us would probably save us trouble and avoid screwing up our permissioning in that site directory. In theory.

    One thing I read up on gitolite was that it may be possible to create a separate instance of gitolite for each site, meaning we could configure it to use the site users to own all the files and then do git updates and so forth. I'll need to set this up on a testing environment and find out, but if it works, we'd be golden.

    Thanks for the advice, E-Oreo!
    "Those who can make you believe absurdities can make you commit atrocities."
#4
Lost in code
Devshed Supreme Being (6500+ posts)
Join Date: Dec 2004
Posts: 8,317
Rep Power: 7170

    gitolite won't have any effect on the file permissions of clones made from its repositories.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
#5
Put a potato on it!
Devshed Newbie (0 - 499 posts)
Join Date: Jul 2008
Location: Maryland
Posts: 304
Rep Power: 971

    No, I meant that the user gitolite used would own the files, but regular users would still be able to make pushes, as I understand it. At any rate, I'm going to get a script together as it will require less configuration and upkeep than another piece of software, so gitolite won't be used anyway.
    "Those who can make you believe absurdities can make you commit atrocities."