Git

Purpose

Git server for the Wiki Software development and System Administration teams.

Administration

System Administration

Todo

find an additional admin

Application Administration

Application   Administrator(s)
Git           Jan Dittberner
Gitweb        Jan Dittberner

Additional People

Mario Lipinski and Michael Tänzer have sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet   213.154.225.250
IP Intranet   172.16.2.250
IP Internal   10.0.0.250
MAC address   00:ff:2e:b0:4b:1b (eth0)
See also      See Network

DNS

Name                   Type      Content
git.cacert.org.        IN A      213.154.225.250
git.cacert.org.        IN SSHFP  1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
git.cacert.org.        IN SSHFP  1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5
git.cacert.org.        IN SSHFP  2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
git.cacert.org.        IN SSHFP  2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01
git.cacert.org.        IN SSHFP  3 1 60DE5788BD83ABC7F315B667F634BDA5DA8502ED
git.cacert.org.        IN SSHFP  3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644
git.cacert.org.        IN SSHFP  4 1 13D611007B43D073CF4D89784510398116623EB7
git.cacert.org.        IN SSHFP  4 2 40A61A25488FE01C056EAAFF703EF0FF9C6B01BEE00580A91B95741DFAA59751
git.intra.cacert.org.  IN A      172.16.2.250

Operating System

  • Debian GNU/Linux 9.4

Services

Listening services

Port      Service  Origin   Purpose
22/tcp    ssh      ANY      admin console access
25/tcp    smtp     local    mail delivery to local MTA
80/tcp    http     ANY      application
443/tcp   https    ANY      application
5666/tcp  nrpe     monitor  remote monitoring service
9418/tcp  git      ANY      Git daemon port

Todo

disable insecure git-daemon port and http for git, replace these with https for read access and git+ssh for write access

Running services

Service             Usage                                          Start mechanism
openssh server      ssh daemon for remote administration           init script /etc/init.d/ssh
Apache httpd        Webserver for gitweb                           init script /etc/init.d/apache2
cron                job scheduler                                  init script /etc/init.d/cron
rsyslog             syslog daemon                                  init script /etc/init.d/syslog
Postfix             SMTP server for local mail submission          init script /etc/init.d/postfix
Nagios NRPE server  remote monitoring service queried by Monitor   init script /etc/init.d/nagios-nrpe-server
runit               service supervision for git-daemon             /etc/inittab entry
git-daemon          Daemon for native Git protocol access          runit service description in /etc/sv/git-daemon/run

Connected Systems

Outbound network connections

  • crl.cacert.org (rsync) for getting CRLs

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • Proxyout as HTTP proxy for APT

  • Jenkins for triggering web hooks

Security

SSH host keys

Algorithm  Fingerprints
RSA        SHA256:2rvhdmx5MwccTmlCod/HLCbZ2GfY3uhL7aIQyO+eosU, MD5:b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab
DSA        SHA256:AMIMJra5oCa7sRtcRcvsXTq0SgOdwPCXytiDdNNWfQE, MD5:27:e5:f3:95:b8:4e:73:48:b5:f2:28:8f:32:5a:96:70
ECDSA      SHA256:EyvZhINEAST2uBFxSLAqZmRUd/U8GPl05N7LMqdJVkQ, MD5:b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c
ED25519    SHA256:QKYaJUiP4BwFbqr/cD7w/5xrAb7gBYCpG5V0Hfqll1E, MD5:38:6b:90:f7:8b:c7:b2:cf:cd:86:29:5c:e4:03:fa:35
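
The SSHFP type-2 records in the DNS table above and the SHA256 fingerprints in this table are two encodings of the same digest, so they must agree. The following check is an added example, not part of this page, with all values copied from the two tables; it lets an administrator confirm after a host-key rotation that DNS and the documented keys still match before any client relying on VerifyHostKeyDNS is pointed at a stale record.

```shell
#!/bin/sh
# Added example, not from the CAcert wiki: cross-check the SSHFP type-2
# (SHA-256) records from the DNS table against the SHA256 host-key
# fingerprints from the Security table. Both are the SHA-256 digest of the
# same host public key, hex-encoded in DNS and base64-encoded by OpenSSH,
# so the two tables must agree. All values below are copied from this page.
set -eu

# Turn an OpenSSH "SHA256:<base64>" fingerprint into the upper-case hex
# digest carried by an SSHFP record with fingerprint type 2.
sshfp_hex_from_openssh() {
    b64="${1#SHA256:}"
    # OpenSSH drops the base64 padding; 43 characters need one '='.
    printf '%s=' "$b64" | base64 -d | od -An -v -tx1 | tr -d ' \n' \
        | tr '[:lower:]' '[:upper:]'
}

# check_sshfp ALGO FINGERPRINT RECORD
#   ALGO is the SSHFP algorithm number (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519),
#   RECORD the "algo type hex" content published for git.cacert.org.
#   Succeeds only when RECORD is the type-2 record for FINGERPRINT.
check_sshfp() {
    expected="$1 2 $(sshfp_hex_from_openssh "$2")"
    [ "$expected" = "$3" ]
}

# The type-1 (SHA-1) records cannot be derived from SHA-256 fingerprints;
# they are checked from the public key itself with ssh-keygen -r on the host.
check_all() {
    check_sshfp 1 'SHA256:2rvhdmx5MwccTmlCod/HLCbZ2GfY3uhL7aIQyO+eosU' \
        '1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5' &&
    check_sshfp 2 'SHA256:AMIMJra5oCa7sRtcRcvsXTq0SgOdwPCXytiDdNNWfQE' \
        '2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01' &&
    check_sshfp 3 'SHA256:EyvZhINEAST2uBFxSLAqZmRUd/U8GPl05N7LMqdJVkQ' \
        '3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644' &&
    check_sshfp 4 'SHA256:QKYaJUiP4BwFbqr/cD7w/5xrAb7gBYCpG5V0Hfqll1E' \
        '4 2 40A61A25488FE01C056EAAFF703EF0FF9C6B01BEE00580A91B95741DFAA59751'
}

if check_all; then
    echo "SSHFP type-2 records match the documented host keys"
else
    echo "SSHFP/host-key mismatch: fix DNS before relying on VerifyHostKeyDNS" >&2
    exit 1
fi
```

The live records can be compared the same way by feeding `ssh-keyscan git.cacert.org | ssh-keygen -lf -` output into sshfp_hex_from_openssh.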

Dedicated user roles

Group            Purpose
git-birdshack    access to Wiki BirdShack git repositories
softass          Software assessors
git-boardvoting  access to board voting git repository
git-rccrtauth    access to Roundcube certificate authentication git repository
git-infra        access to infrastructure git repositories

Todo

think about regulating git access by a proper git repository manager like gitolite or gitea

Non-distribution packages and modifications

Gitweb has been modified to use https for Gravatar lookups:

--- gitweb.cgi  2014-02-06 14:01:48.696730208 +0000
+++ /usr/share/gitweb/gitweb.cgi        2014-02-06 14:03:52.933721422 +0000
@@ -2064,7 +2064,7 @@
        my $email = lc shift;
        my $size = shift;
        $avatar_cache{$email} ||=
-               "http://www.gravatar.com/avatar/" .
+               "https://secure.gravatar.com/avatar/" .
                        Digest::MD5::md5_hex($email) . "?s=";
        return $avatar_cache{$email} . $size;
 }
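
Review bot: the target of this hunk is /usr/share/gitweb/gitweb.cgi, a file owned by the Debian gitweb package, so the next package upgrade silently reverts it to the http:// URL; record the change as a post-upgrade step (or a dpkg-divert) next to this diff and re-check it after every gitweb update. Switching to https://secure.gravatar.com stops the cleartext fetch, but the MD5 of each committer's e-mail address is still handed to Gravatar by every viewer's browser, which belongs in the risk assessment below.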

Risk assessments on critical packages

The package git-daemon-run exposes the native git protocol (git://), which is neither authenticated nor encrypted and is therefore prone to man-in-the-middle attacks that could hand out modified code to users. Authenticated alternatives exist (ssh, https), so git-daemon support should be disabled.

Critical Configuration items

Keys and X.509 certificates

  • Certificate for CN git.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/git.c.o.chain.crt

    • private key in file /etc/ssl/private/git.c.o.key

The chain file /etc/ssl/public/git.c.o.chain.crt also contains the CAcert.org Class 1 certificate.

Git repositories

Apache httpd configuration

Apache httpd serves the gitweb interface via http and https. The http VirtualHost redirects all traffic to https. The following changes have been applied to the Debian package’s Apache httpd configuration:

diff -urwN -X diffignore-apache2 orig/etc/apache2/conf-available/security.conf git/etc/apache2/conf-available/security.conf
--- orig/etc/apache2/conf-available/security.conf	2015-11-28 13:59:22.000000000 +0100
+++ git/etc/apache2/conf-available/security.conf	2016-05-20 00:15:49.874994024 +0200
@@ -10,6 +10,17 @@
 #   Order Deny,Allow
 #   Deny from all
 #</Directory>
+<Directory />
+	Options FollowSymLinks
+	AllowOverride None
+</Directory>
+
+<Directory /var/www/>
+	Options Indexes FollowSymLinks MultiViews
+	AllowOverride None
+	Order allow,deny
+	allow from all
+</Directory>
 
 
 # Changing the following options will not really affect the security of the
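
Review bot: `Order allow,deny` / `allow from all` in the added `<Directory /var/www/>` block is Apache 2.2 access-control syntax; on the 2.4 server this page documents it only works while mod_access_compat is loaded and should read `Require all granted`. `Options Indexes` also switches on directory listings for /var/www, which gitweb does not need, and both blocks duplicate what Debian's apache2.conf already declares, so they could be dropped from security.conf instead of being maintained in two places.
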
diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf git/etc/apache2/mods-available/ssl.conf
--- orig/etc/apache2/mods-available/ssl.conf	2015-10-24 10:37:19.000000000 +0200
+++ git/etc/apache2/mods-available/ssl.conf	2016-01-02 16:13:42.695785273 +0100
@@ -56,7 +56,8 @@
 	#   ciphers(1) man page from the openssl package for list of all available
 	#   options.
 	#   Enable only secure ciphers:
-	SSLCipherSuite HIGH:!aNULL
+	#SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128
+	SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP
 
 	# SSL server cipher order preference:
 	# Use server priorities for cipher algorithm choice.
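
Review bot: the commented-out SSLCipherSuite line differs from the active one only by `:!AES128:!CAMELLIA128`; either delete it or add a comment stating why the 128-bit suites were kept, otherwise the next editor cannot tell which of the two is the intended policy.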
@@ -65,7 +66,7 @@
 	# the CPU cost, and did not override SSLCipherSuite in a way that puts
 	# insecure ciphers first.
 	# Default: Off
-	#SSLHonorCipherOrder on
+	SSLHonorCipherOrder on
 
 	#   The protocols to enable.
 	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
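
Review bot: `SSLHonorCipherOrder on` is only as strong as the protocol floor, and the context stops right before the `SSLProtocol` directive, which this diff leaves at the package default; confirm that SSLv3 and TLSv1 are excluded there (for example `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`) and include that line in the diff so the policy can be audited from this page.
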
diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/000-default.conf git/etc/apache2/sites-available/000-default.conf
--- orig/etc/apache2/sites-available/000-default.conf	2015-10-24 10:37:19.000000000 +0200
+++ git/etc/apache2/sites-available/000-default.conf	2016-05-20 00:21:02.697250540 +0200
@@ -11,11 +11,19 @@
 	ServerAdmin webmaster@localhost
 	DocumentRoot /var/www/html
 
+	RewriteEngine on
+	RewriteCond %{HTTP_HOST} !^git\.cacert\.org [NC]
+	RewriteCond %{HTTP_HOST} !^$
+	RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE] 
+
+	Redirect / https://git.cacert.org/gitweb
+
 	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
 	# error, crit, alert, emerg.
 	# It is also possible to configure the loglevel for particular
 	# modules, e.g.
 	#LogLevel info ssl:warn
+	LogLevel warn
 
 	ErrorLog ${APACHE_LOG_DIR}/error.log
 	CustomLog ${APACHE_LOG_DIR}/access.log combined
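
Review bot: `Redirect / https://git.cacert.org/gitweb` appends the remainder of the request path to the target, so a deep link such as /gitweb/?p=repo.git is sent to https://git.cacert.org/gitwebgitweb/; use `Redirect permanent / https://git.cacert.org/` to keep paths intact and let the https vhost's `/index.html` redirect choose the landing page. The RewriteRule for non-canonical hosts also redirects to http:// first, adding a second hop before the client reaches https, and its line carries trailing whitespace; mod_rewrite has to be enabled for this block to load, which should be noted beside the diff.
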
diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/default-ssl.conf git/etc/apache2/sites-available/default-ssl.conf
--- orig/etc/apache2/sites-available/default-ssl.conf	2016-05-20 00:05:51.022493172 +0200
+++ git/etc/apache2/sites-available/default-ssl.conf	2016-05-20 00:14:50.350565644 +0200
@@ -2,13 +2,27 @@
 	<VirtualHost _default_:443>
 		ServerAdmin webmaster@localhost
 
+		Redirect /index.html /gitweb/
+
 		DocumentRoot /var/www/html
 
+		<Directory />
+			Options FollowSymLinks
+			AllowOverride None
+		</Directory>
+		<Directory /var/www/>
+			Options Indexes FollowSymLinks MultiViews
+			AllowOverride None
+			Order allow,deny
+			allow from all
+		</Directory>
+	
 		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
 		# error, crit, alert, emerg.
 		# It is also possible to configure the loglevel for particular
 		# modules, e.g.
 		#LogLevel info ssl:warn
+		LogLevel warn
 
 		ErrorLog ${APACHE_LOG_DIR}/error.log
 		CustomLog ${APACHE_LOG_DIR}/access.log combined
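
Review bot: this hunk repeats the `<Directory />` and `<Directory /var/www/>` blocks from security.conf inside the TLS vhost, again with 2.2-style `Order allow,deny` / `allow from all` (needs mod_access_compat on 2.4; `Require all granted` is the 2.4 form) and with `Options Indexes` exposing directory listings of /var/www over https; keep a single copy without Indexes. The blank `+` line after the closing `</Directory>` also contains a stray tab.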
@@ -29,8 +43,8 @@
 		#   /usr/share/doc/apache2/README.Debian.gz for more info.
 		#   If both key and certificate are stored in the same file, only the
 		#   SSLCertificateFile directive is needed.
-		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
-		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+		SSLCertificateFile    /etc/ssl/public/git.c.o.chain.crt
+		SSLCertificateKeyFile /etc/ssl/private/git.c.o.key
 
 		#   Server Certificate Chain:
 		#   Point SSLCertificateChainFile at a file containing the
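
Review bot: `SSLCertificateFile` now points at the chain file which, as stated under Keys and X.509 certificates, also holds the CAcert Class 1 certificate. Apache 2.4.8 and later do read intermediates from SSLCertificateFile, but the server certificate must come first in the file, and a self-signed root only enlarges every handshake without helping a client that does not already trust it; ship leaf plus intermediate only and state the file order beside this diff.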
@@ -130,6 +144,12 @@
 		# MSIE 7 and newer should be able to use keepalive
 		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 
+		# HSTS
+		Header always set Strict-Transport-Security "max-age=31536000"
+		Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dacEZQWGxky95ybZadcNI26RDghVLeVdbdRC/Q3spJQ='; img-src 'self'; style-src 'self';"
+		Header always set X-Frame-Options "DENY"
+		Header always set X-XSS-Protection "1; mode=block"
+		Header always set X-Content-Type-Options "nosniff"
 	</VirtualHost>
 </IfModule>
 
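
Review bot: the Content-Security-Policy pins gitweb's one inline script by SHA-256 hash, so any gitweb package update that changes that script breaks the page's JavaScript with a browser-side CSP violation and no server-side error; add a post-upgrade step (recompute the hash, or run a Content-Security-Policy-Report-Only header alongside) to this page. The `# HSTS` comment covers only the first of the five headers, `X-XSS-Protection` is obsolete and ignored by current browsers, and the Strict-Transport-Security value lacks `includeSubDomains`; all five directives require mod_headers to be enabled.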

Gitweb configuration

Gitweb is configured in /etc/gitweb.conf which has the following changes to the version contained in the distribution package:

--- orig/etc/gitweb.conf	2016-03-19 14:22:50.000000000 +0100
+++ git/etc/gitweb.conf	2014-02-17 02:25:18.281157394 +0100
@@ -1,5 +1,8 @@
 # path to git projects (<project>.git)
-$projectroot = "/var/lib/git";
+$projectroot = "/var/cache/git";
+
+# only show repos that are also served via git-daemon
+$export_ok = "git-daemon-export-ok";
 
 # directory to use for temp files
 $git_temp = "/tmp";
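
Review bot: the comment `only show repos that are also served via git-daemon` becomes wrong once the Todo above retires git-daemon; the `git-daemon-export-ok` marker will then be gitweb's only publication gate, so reword the comment to say so and keep the marker documented under Adding a git repository.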
@@ -13,6 +16,9 @@
 # file with project list; by default, simply scan the projectroot dir.
 #$projects_list = $projectroot;
 
+# Enable categories
+$projects_list_group_categories = 1;
+
 # stylesheet to use
 #@stylesheets = ("static/gitweb.css");
 
@@ -28,3 +34,17 @@
 # git-diff-tree(1) options to use for generated patches
 #@diff_opts = ("-M");
 @diff_opts = ();
+
+# auto generate fetch URLs
+@git_base_url_list = (
+	"git://git.cacert.org",
+	"ssh://git.cacert.org/var/cache/git");
+
+# Prevent XSS attacks
+$prevent_xss = 1;
+
+# enable gravatar support
+$feature{'avatar'}{'default'} = ['gravatar'];
+
+# enable syntax highlighting
+$feature{'highlight'}{'default'} = [1];
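
Review bot: `@git_base_url_list` advertises `git://git.cacert.org` on every repository page although the Todo above schedules the git daemon for removal; once git:// is gone, list only the URLs users are expected to use (ssh://, and https:// if smart HTTP is added). `$feature{'highlight'}` calls the external highlight binary, so the highlight package has to be installed on the host; `$prevent_xss = 1` is the right setting for a public gitweb.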

git-daemon configuration

The git-daemon is started by runit. The configuration is stored in /etc/sv/git-daemon/run and has the following changes to the version contained in the distribution package git-daemon-run:

--- orig/etc/sv/git-daemon/run	2016-03-19 14:22:50.000000000 +0100
+++ git/etc/sv/git-daemon/run	2014-02-06 01:46:55.424870926 +0100
@@ -3,4 +3,4 @@
 echo 'git-daemon starting.'
 exec chpst -ugitdaemon \
   "$(git --exec-path)"/git-daemon --verbose --reuseaddr \
-    --base-path=/var/lib /var/lib/git
+    --base-path=/var/cache/git /var/cache/git
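
Review bot: the `+++` timestamp (2014) is older than the `---` package version (2016), i.e. the local run script was edited against an earlier git-daemon-run release; re-diff after each package upgrade so that an upstream change to the script is not masked by the local base-path edit. With the whitelist argument equal to `--base-path` and no `--export-all`, exposure is governed solely by the per-repository `git-daemon-export-ok` marker, and receive-pack stays disabled by default (read-only service); both facts belong in the risk assessment above.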

The runit service handling is triggered through /etc/inittab.

Tasks

Changes

Planned

Todo

enable IPv6

System Future

  • No plans

Additional documentation

Adding a git repository

The git repositories are stored in /var/cache/git/. To create a new repository use:

cd /var/cache/git/
git init --bare --shared=group <reponame.git>
chgrp -R <groupname> <reponame.git>

The gitweb index is built from all repositories that contain a file git-daemon-export-ok. You should also put a description in the repository’s description file and set the repository owner via:

cd <reponame.git>
git config gitweb.owner "Owner information"
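
The steps above (bare shared repository, group ownership, export marker, description and owner) combined into one helper. This is an added example, not a script from the CAcert wiki; add_repo and the GIT_ROOT override are this example's own names, and the group must be one of the existing access groups from the Dedicated user roles table.

```shell
#!/bin/sh
# Added example, not part of the CAcert wiki page: create a new bare,
# group-shared repository under the documented project root, hand it to an
# access group, mark it for gitweb/git-daemon export and set description and
# owner. A non-existent group is refused up front rather than leaving behind a
# repository that only root can reach.
set -eu

# Project root from the page; overridable for testing (assumed name).
GIT_ROOT="${GIT_ROOT:-/var/cache/git}"

# add_repo NAME GROUP DESCRIPTION OWNER
#   NAME is the directory name including the .git suffix, e.g. infra-tools.git
#   Prints the path of the new repository on success.
add_repo() {
    name="$1"; group="$2"; description="$3"; owner="$4"
    repo="$GIT_ROOT/$name"

    case "$name" in
        *.git) ;;
        *) echo "repository name must end in .git: $name" >&2; return 1 ;;
    esac
    if ! getent group "$group" >/dev/null 2>&1; then
        echo "no such group: $group" >&2; return 1
    fi
    if [ -e "$repo" ]; then
        echo "already exists: $repo" >&2; return 1
    fi

    # --shared=group makes objects group-writable and directories setgid so
    # that every member of $group can push over ssh.
    git init --quiet --bare --shared=group "$repo"
    chgrp -R "$group" "$repo"

    # gitweb ($export_ok) and git-daemon (no --export-all) publish only
    # repositories that carry this marker file.
    : > "$repo/git-daemon-export-ok"
    printf '%s\n' "$description" > "$repo/description"
    git --git-dir="$repo" config gitweb.owner "$owner"
    echo "$repo"
}
```

Run as `add_repo infra-tools.git git-infra "Infrastructure tooling" "CAcert Infrastructure Team"` as root on the git host; leave out the marker file for repositories that must stay private.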

References

Apache httpd documentation

http://httpd.apache.org/docs/2.4/