diff options
| author | 2025-10-20 12:23:03 +0200 | |
|---|---|---|
| committer | 2025-10-20 13:29:22 +0200 | |
| commit | 8ef9b0fe88470125d6ee60a3ea0bab796048e692 (patch) | |
| tree | efe91c1f0ad0dc405d6dddbeedeb700c5e1cde6b /src | |
| parent | f701015dcce565ab9323a4057b3577f61999601f (diff) | |
Security hardening
Diffstat (limited to 'src')
| -rw-r--r-- | src/env | 4 | ||||
| -rwxr-xr-x | src/init | 14 | ||||
| -rwxr-xr-x | src/run | 32 | ||||
| -rw-r--r-- | src/ssh.conf | 9 | ||||
| -rw-r--r-- | src/sudo-git | 1 |
5 files changed, 43 insertions, 17 deletions
@@ -0,0 +1,4 @@ +set _REPO_PERMISSIONS_FILE /etc/repo-permissions +set _REPO_VALIDATION_REGEX "((?:\/[a-zA-Z0-9_-]+)+.git)" +set _GIT_VALIDATION_REGEX "^(git-(?:upload-pack|receive-pack|upload-archive)) '$_REPO_VALIDATION_REGEX'\$" +set LOG /var/log/error.txt @@ -1,14 +1,14 @@ #!/usr/bin/env fish +# load environment +source (dirname (status --current-filename))/env + # # # function definitions # # -set _REPO_PERMISSIONS_FILE /etc/repo-permissions -set _REPO_VALIDATION_REGEX "^((?:\/[a-zA-Z-]+)+.git)\$" - function createUser set -l userConfig (string split ':' $argv[1]) set -l user $userConfig[1] @@ -37,9 +37,9 @@ function setupRepo set -l repo $parsedConfig[1] # check repo name - set -l matcher (string match -r -g $_REPO_VALIDATION_REGEX $repo) + set -l matcher (string match -r -g "^$_REPO_VALIDATION_REGEX\$" $repo) if test -z $matcher[1] - echo "Invalid repo name $repo" + echo "Failed to setup repo, invalid path/name: $repo" return 1 end @@ -102,6 +102,7 @@ end # git user has read/write access to all repos, set git-shell # and no password login allowed -> no ssh login possible adduser git -u $GIT_UID -D --shell "/usr/bin/git-shell" +passwd -l git for userConfig in $users createUser "$userConfig" end @@ -112,6 +113,9 @@ for repoConfig in $repos setupRepo "$repoConfig" end +# create writable log file +touch $LOG && chmod 777 $LOG + echo "Setting up server" # generate host keys in case mkdir -p /var/ssh/etc/ssh/ && ssh-keygen -A -f /var/ssh @@ -1,25 +1,37 @@ #!/usr/bin/env fish -set _REPO_PERMISSIONS_FILE /etc/repo-permissions -# unify repo regex somehow -set _GIT_VALIDATION_REGEX "^(git-(?:upload-pack|receive-pack|upload-archive)) '((?:\/[a-zA-Z-]+)+.git)'\$" +# load environment +source (dirname (status --current-filename))/env # check given git command -set -l matcher (string match -r -g $_GIT_VALIDATION_REGEX "$argv") +set -l currentUser (whoami) +set -l matcher (string match -r -g $_GIT_VALIDATION_REGEX -- "$argv") if test (count $matcher) -ne 2 # there should be two groups otherwise something is wrong + echo "$(date -Is): DENY bad_format user=$currentUser ip=$SSH_CONNECTION argv=$argv" &>$LOG exit 1 end -# echo check for permissions -set -l checkUser (whoami) +# extract variables from git command set -l gitCommand $matcher[1] set -l repo $matcher[2] + # adjust repo path to /srv/repos -set -l repoDir srv repos -set -l repoDir /(string join -n '/' $repoDir (string split '/' $repo)) -cat $_REPO_PERMISSIONS_FILE | grep -q -E "^$repoDir:$checkUser\$" -or exit 1; +set -l repoDir /(string join -n '/' srv repos (string split '/' $repo)) + +# check repo jail in /srv/repos +if not string match -r -q -- "/srv/repos/.*" "(realpath $repoDir)" + # something is for sure wrong here + echo "$(date -Is): DENY jail_escape user=$currentUser ip=$SSH_CONNECTION argv=$argv" &>$LOG + exit 2 +end + +# check for permissions +if not cat $_REPO_PERMISSIONS_FILE | grep -q -E "^$repoDir:$currentUser\$" + # something is for sure wrong here + echo "$(date -Is): DENY no_permissions user=$currentUser ip=$SSH_CONNECTION argv=$argv" &>$LOG + exit 1 +end # execute parsed git command /usr/bin/sudo -u git /usr/bin/git-shell -c "$gitCommand '$repoDir'" diff --git a/src/ssh.conf b/src/ssh.conf index 2940260..0de789c 100644 --- a/src/ssh.conf +++ b/src/ssh.conf @@ -1,6 +1,10 @@ -# Security, do not allow any access to the git repos outside of allowed users +# Security, we only want public key login for users and NOT for users root,git PermitRootLogin no PasswordAuthentication no +PubkeyAuthentication yes +AuthenticationMethods publickey +KbdInteractiveAuthentication no +ChallengeResponseAuthentication no PermitTTY no AllowAgentForwarding no @@ -15,3 +19,6 @@ LogLevel INFO # Force run script that checks for permissions and runs sudo ForceCommand /usr/local/bin/run "$SSH_ORIGINAL_COMMAND" + +# git user has access to EVERYTHING. no login should be possible +DenyUsers git diff --git a/src/sudo-git b/src/sudo-git index cd2f413..3f50291 100644 --- a/src/sudo-git +++ b/src/sudo-git @@ -1,2 +1 @@ -Defaults:pass !requiretty ALL ALL=(git) NOPASSWD: /usr/bin/git-shell |
