Re: is gitosis secure?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Tommi Virtanen wrote:
>On Wed, Feb 04, 2009 at 01:12:04PM +0100, Stephen R. van den Berg wrote:
>> I installed gitosis a year ago.
>> Then I tried to audit the code.
>> I couldn't, the whole thing is too much spaghetti code.

>Huh. It's about 1000 lines of python, with about 2000 lines of unit
>tests. It has 3 top-level operations: init, serve, run_hook. That
>still counts as "tiny" in my mind. I'm sorry if following the code was
>too hard. I guess there's no accounting for taste.

It would help if there were a 10 to 60 line synopsis of what it does
in the critical cases.  I mean, I don't care about features, but I care
about the critical parts that interact with the shell and ssh.  In order
to audit that I need a concise 60 line max piece of code or text where
I can get all the info from.  1000 lines for that is too much.

>> Auditing gitosis turned out to be too painful to be worth the trouble,
>> so I reverted to a manually maintained git-shell solution which is so
>> simple that I can actually audit it, and therefore is provably secure
>> (which gitosis is not).

>This word, "provably", tends to mean something else than what you use
>it for. Definitely a simple audit doesn't prove anything. Most
>real-world software is complex enough to be practically unprovable for
>anything.

What I meant by "provably secure" in this context is that in addition
to basic security holes already/still present in the OS, /bin/sh and ssh,
my scripts do not introduce extra security holes.

As a matter of fact, I replaced gitosis by two shell scripts of 31 and
50 lines each (including empty lines).  I.e. the pieces of code needing
auditing are exactly 81 lines total.

I'm not saying that gitosis has security holes, it's just that it's rather
difficult to assure that it doesn't, given the size.
-- 
Sincerely,
           Stephen R. van den Berg.
Auto repair rates: basic labor $40/hour; if you wait, $60; if you watch, $80;
if you ask questions, $100; if you help, $120; if you laugh, $140.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux