From 8ef9b0fe88470125d6ee60a3ea0bab796048e692 Mon Sep 17 00:00:00 2001 From: Matthias Lucas Jaros Date: Mon, 20 Oct 2025 12:23:03 +0200 Subject: Security hardening --- src/env | 4 ++++ src/init | 14 +++++++++----- src/run | 32 ++++++++++++++++++++++---------- src/ssh.conf | 9 ++++++++- src/sudo-git | 1 - 5 files changed, 43 insertions(+), 17 deletions(-) create mode 100644 src/env (limited to 'src') diff --git a/src/env b/src/env new file mode 100644 index 0000000..f8fcd99 --- /dev/null +++ b/src/env @@ -0,0 +1,4 @@ +set _REPO_PERMISSIONS_FILE /etc/repo-permissions +set _REPO_VALIDATION_REGEX "((?:\/[a-zA-Z0-9_-]+)+.git)" +set _GIT_VALIDATION_REGEX "^(git-(?:upload-pack|receive-pack|upload-archive)) '$_REPO_VALIDATION_REGEX'\$" +set LOG /var/log/error.txt diff --git a/src/init b/src/init index b9222f4..e292d59 100755 --- a/src/init +++ b/src/init @@ -1,14 +1,14 @@ #!/usr/bin/env fish +# load environment +source (dirname (status --current-filename))/env + # # # function definitions # # -set _REPO_PERMISSIONS_FILE /etc/repo-permissions -set _REPO_VALIDATION_REGEX "^((?:\/[a-zA-Z-]+)+.git)\$" - function createUser set -l userConfig (string split ':' $argv[1]) set -l user $userConfig[1] @@ -37,9 +37,9 @@ function setupRepo set -l repo $parsedConfig[1] # check repo name - set -l matcher (string match -r -g $_REPO_VALIDATION_REGEX $repo) + set -l matcher (string match -r -g "^$_REPO_VALIDATION_REGEX\$" $repo) if test -z $matcher[1] - echo "Invalid repo name $repo" + echo "Failed to setup repo, invalid path/name: $repo" return 1 end @@ -102,6 +102,7 @@ end # git user has read/write access to all repos, set git-shell # and no password login allowed -> no ssh login possible adduser git -u $GIT_UID -D --shell "/usr/bin/git-shell" +passwd -l git for userConfig in $users createUser "$userConfig" end @@ -112,6 +113,9 @@ for repoConfig in $repos setupRepo "$repoConfig" end +# create writable log file +touch $LOG && chmod 777 $LOG + echo "Setting up server" # generate host keys in case mkdir -p /var/ssh/etc/ssh/ && ssh-keygen -A -f /var/ssh diff --git a/src/run b/src/run index 10d69c8..5b18bc8 100755 --- a/src/run +++ b/src/run @@ -1,25 +1,37 @@ #!/usr/bin/env fish -set _REPO_PERMISSIONS_FILE /etc/repo-permissions -# unify repo regex somehow -set _GIT_VALIDATION_REGEX "^(git-(?:upload-pack|receive-pack|upload-archive)) '((?:\/[a-zA-Z-]+)+.git)'\$" +# load environment +source (dirname (status --current-filename))/env # check given git command -set -l matcher (string match -r -g $_GIT_VALIDATION_REGEX "$argv") +set -l currentUser (whoami) +set -l matcher (string match -r -g $_GIT_VALIDATION_REGEX -- "$argv") if test (count $matcher) -ne 2 # there should be two groups otherwise something is wrong + echo "$(date -Is): DENY bad_format user=$currentUser ip=$SSH_CONNECTION argv=$argv" &>$LOG exit 1 end -# echo check for permissions -set -l checkUser (whoami) +# extract variables from git command set -l gitCommand $matcher[1] set -l repo $matcher[2] + # adjust repo path to /srv/repos -set -l repoDir srv repos -set -l repoDir /(string join -n '/' $repoDir (string split '/' $repo)) -cat $_REPO_PERMISSIONS_FILE | grep -q -E "^$repoDir:$checkUser\$" -or exit 1; +set -l repoDir /(string join -n '/' srv repos (string split '/' $repo)) + +# check repo jail in /srv/repos +if not string match -r -q -- "/srv/repos/.*" "(realpath $repoDir)" + # something is for sure wrong here + echo "$(date -Is): DENY jail_escape user=$currentUser ip=$SSH_CONNECTION argv=$argv" &>$LOG + exit 2 +end + +# check for permissions +if not cat $_REPO_PERMISSIONS_FILE | grep -q -E "^$repoDir:$currentUser\$" + # something is for sure wrong here + echo "$(date -Is): DENY no_permissions user=$currentUser ip=$SSH_CONNECTION argv=$argv" &>$LOG + exit 1 +end # execute parsed git command /usr/bin/sudo -u git /usr/bin/git-shell -c "$gitCommand '$repoDir'" diff --git a/src/ssh.conf b/src/ssh.conf index 2940260..0de789c 100644 --- a/src/ssh.conf +++ b/src/ssh.conf @@ -1,6 +1,10 @@ -# Security, do not allow any access to the git repos outside of allowed users +# Security, we only want public key login for users and NOT for users root,git PermitRootLogin no PasswordAuthentication no +PubkeyAuthentication yes +AuthenticationMethods publickey +KbdInteractiveAuthentication no +ChallengeResponseAuthentication no PermitTTY no AllowAgentForwarding no @@ -15,3 +19,6 @@ LogLevel INFO # Force run script that checks for permissions and runs sudo ForceCommand /usr/local/bin/run "$SSH_ORIGINAL_COMMAND" + +# git user has access to EVERYTHING. no login should be possible +DenyUsers git diff --git a/src/sudo-git b/src/sudo-git index cd2f413..3f50291 100644 --- a/src/sudo-git +++ b/src/sudo-git @@ -1,2 +1 @@ -Defaults:pass !requiretty ALL ALL=(git) NOPASSWD: /usr/bin/git-shell -- cgit v1.3.1