Git
Purpose
Git server for the Software development and System Administration teams (see the Wiki page).
Application Links
Administration
System Administration
Primary: Jan Dittberner
Secondary: None
Todo: find an additional admin
Application Administration
Application | Administrator(s)
---|---
Git |
Gitweb |
Contact
Additional People
Dirk Astrath has sudo access on that machine too.
Basics
Physical Location
This system is located in an LXC container on physical machine Infra02.
Logical Location
- IP Internet:
- IP Intranet:
- IP Internal:
- MAC address: 00:ff:2e:b0:4b:1b (eth0)
See also: Network
Monitoring
- internal checks:
DNS
Name | Type | Content
---|---|---
git.cacert.org. | IN A | 213.154.225.250
git.cacert.org. | IN SSHFP | 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
git.cacert.org. | IN SSHFP | 1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5
git.cacert.org. | IN SSHFP | 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
git.cacert.org. | IN SSHFP | 2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01
git.cacert.org. | IN SSHFP | 3 1 60DE5788BD83ABC7F315B667F634BDA5DA8502ED
git.cacert.org. | IN SSHFP | 3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644
git.cacert.org. | IN SSHFP | 4 1 13D611007B43D073CF4D89784510398116623EB7
git.cacert.org. | IN SSHFP | 4 2 40A61A25488FE01C056EAAFF703EF0FF9C6B01BEE00580A91B95741DFAA59751
git.intra.cacert.org. | IN A | 172.16.2.250
Operating System
Debian GNU/Linux 11 Bullseye
Services
Listening services
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
80/tcp | http | ANY | application
443/tcp | https | ANY | application
5666/tcp | nrpe | monitor | remote monitoring service
9418/tcp | git | ANY | Git daemon port
Todo: disable the insecure git-daemon port and plain http for git; replace them with https for read access and git+ssh for write access
Running services
Service | Usage | Start mechanism
---|---|---
openssh server | ssh daemon for remote administration | init script
Apache httpd | Webserver for gitweb | init script
cron | job scheduler | init script
rsyslog | syslog daemon | init script
Postfix | SMTP server for local mail submission | init script
Nagios NRPE server | remote monitoring service queried by Monitor | init script
runit | service supervision for git-daemon |
git-daemon | Daemon for native Git protocol access | runit service description in
Connected Systems
Outbound network connections
Security
SSH host keys
Algorithm | Fingerprints
---|---
RSA |
DSA |
ECDSA |
ED25519 |
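The SSHFP rows in the DNS table above publish SHA-1 and SHA-256 fingerprints of the host keys listed here. The following is an added example (not a script from this wiki page) that derives SSHFP records from an OpenSSH public key line, in the same layout `ssh-keygen -r` prints, and compares them against the records published in DNS; it assumes a POSIX sh with coreutils (`base64`, `sha1sum`, `sha256sum`). The sample key is constructed (an ed25519 key whose key bytes are all zero) and is not a real host key; the hostname git.example.test is a placeholder.

```shell
#!/bin/sh
# Added example: SSHFP records from an OpenSSH public key, and a check against DNS.

# Map an OpenSSH key type to the SSHFP algorithm number
# (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519 per RFC 4255, RFC 6594 and RFC 7479).
sshfp_algo() {
  case "$1" in
    ssh-rsa)      echo 1 ;;
    ssh-dss)      echo 2 ;;
    ecdsa-sha2-*) echo 3 ;;
    ssh-ed25519)  echo 4 ;;
    *)            return 1 ;;
  esac
}

# sshfp_records HOST "keytype base64 [comment]"
# Prints one "HOST. IN SSHFP <algo> <fptype> <HEX>" line per fingerprint type
# (1 = SHA-1, 2 = SHA-256). The hash covers the raw (base64-decoded) key blob.
sshfp_records() {
  host=$1
  keytype=$(printf '%s\n' "$2" | cut -d' ' -f1)
  blob=$(printf '%s\n' "$2" | cut -d' ' -f2)
  algo=$(sshfp_algo "$keytype") || return 1
  sha1=$(printf '%s' "$blob" | base64 -d | sha1sum | cut -d' ' -f1 | tr 'a-f' 'A-F')
  sha256=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1 | tr 'a-f' 'A-F')
  printf '%s. IN SSHFP %s 1 %s\n' "$host" "$algo" "$sha1"
  printf '%s. IN SSHFP %s 2 %s\n' "$host" "$algo" "$sha256"
}

# sshfp_check HOST KEYLINE DNS_RECORDS
# DNS_RECORDS holds newline-separated "algo fptype HEX" triples as published
# (the Content column of the DNS table). Returns 0 only when every fingerprint
# computed from the key is present in DNS, 1 otherwise.
sshfp_check() {
  sshfp_records "$1" "$2" | while read -r h ty cl a t hex; do
    printf '%s\n' "$3" | grep -qixF "$a $t $hex" || exit 1
  done
}

# Constructed sample (not a real host key): the OpenSSH wire encoding of an
# ed25519 public key whose 32 key bytes are all zero.
sample_key_line() {
  blob=$( { printf '\000\000\000\013ssh-ed25519\000\000\000\040'; head -c 32 /dev/zero; } | base64 | tr -d '\n')
  printf 'ssh-ed25519 %s git.example.test\n' "$blob"
}

# Stand-alone run: print the records for the sample key.
sshfp_records git.example.test "$(sample_key_line)"
```

In practice the key line comes from `/etc/ssh/ssh_host_*_key.pub` on the server (or from `ssh-keyscan` on a trusted path) and the DNS side from `dig +short SSHFP git.cacert.org.`; a mismatch means either the key was rotated without updating the zone or the DNS answer is not what the server publishes, and `ssh -o VerifyHostKeyDNS=yes` will then refuse to trust the record.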
Dedicated user roles
Group | Purpose
---|---
git-birdshack | access to Wiki page BirdShack git repositories
softass | Software assessors
git-boardvoting | access to board voting git repository
git-rccrtauth | access to Roundcube certificate authentication git repository
git-infra | access to infrastructure git repositories
Todo: consider regulating git access with a proper git repository manager such as gitolite or gitea
Non-distribution packages and modifications
None
Risk assessments on critical packages
The package git-daemon-run exposes the native git protocol, which carries no transport authentication and is therefore open to man-in-the-middle attacks that could hand modified code to users. Authenticated alternatives (ssh, https) exist, so git-daemon support should be disabled.
Critical Configuration items
Keys and X.509 certificates
Certificate for CN git.cacert.org, see details in the certificate list:
- certificate in file /etc/ssl/public/git.cacert.org.chain.pem
- private key in file /etc/ssl/private/git.cacert.org.key.pem
The file /etc/ssl/public/git.c.o.chain.crt contains the CAcert.org Class 1 certificate too.
Git repositories
Apache httpd configuration
Apache httpd serves the gitweb interface via http and https. The http VirtualHost redirects all traffic to https. The following changes have been applied to the Debian package's Apache httpd configuration:
diff -urwN -X diffignore-apache2 orig/etc/apache2/conf-available/security.conf git/etc/apache2/conf-available/security.conf
--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100
+++ git/etc/apache2/conf-available/security.conf 2016-05-20 00:15:49.874994024 +0200
@@ -10,6 +10,17 @@
# Order Deny,Allow
# Deny from all
#</Directory>
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+</Directory>
+
+<Directory /var/www/>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+</Directory>
# Changing the following options will not really affect the security of the
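Review bot: the added `<Directory /var/www/>` block uses the Apache 2.2 access-control syntax `Order allow,deny` / `allow from all`; on the Apache 2.4 shipped with Debian 11 Bullseye (the OS listed above) those directives only take effect while mod_access_compat is loaded, so replace them with `Require all granted`. `Options Indexes` on /var/www/ also turns on directory listings; drop `Indexes` unless listings are wanted. The same two `<Directory>` blocks appear again in the default-ssl.conf hunk further down; keep them in one place so the two copies cannot drift apart.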
diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf git/etc/apache2/mods-available/ssl.conf
--- orig/etc/apache2/mods-available/ssl.conf 2015-10-24 10:37:19.000000000 +0200
+++ git/etc/apache2/mods-available/ssl.conf 2016-01-02 16:13:42.695785273 +0100
@@ -56,7 +56,8 @@
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
- SSLCipherSuite HIGH:!aNULL
+ #SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128
+ SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP
# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice.
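Review bot: the hunk leaves the previous cipher string in place as a comment directly above the active one; remove the commented line so it is obvious which list is live. The active list differs from the commented one only by no longer excluding AES128 and CAMELLIA128, which is a reasonable choice but should be noted here. Because this hunk changes only the cipher list, also check the `SSLProtocol` directive in the "protocols to enable" section that follows it: a cipher list alone does not turn off TLSv1 or TLSv1.1.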
@@ -65,7 +66,7 @@
# the CPU cost, and did not override SSLCipherSuite in a way that puts
# insecure ciphers first.
# Default: Off
- #SSLHonorCipherOrder on
+ SSLHonorCipherOrder on
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
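Review bot: enabling `SSLHonorCipherOrder` is the right companion to the explicit cipher list in the previous hunk and needs no further change. The context lines list SSLv3, TLSv1 and TLSv1.1 as selectable values for the protocol directive, but the diff does not show that directive being changed; confirm it excludes the legacy protocols, otherwise the cipher ordering still negotiates over them.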
diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/000-default.conf git/etc/apache2/sites-available/000-default.conf
--- orig/etc/apache2/sites-available/000-default.conf 2015-10-24 10:37:19.000000000 +0200
+++ git/etc/apache2/sites-available/000-default.conf 2016-05-20 00:21:02.697250540 +0200
@@ -11,11 +11,19 @@
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
+ RewriteEngine on
+ RewriteCond %{HTTP_HOST} !^git\.cacert\.org [NC]
+ RewriteCond %{HTTP_HOST} !^$
+ RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE]
+
+ Redirect / https://git.cacert.org/gitweb
+
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
+ LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
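Review bot: the `RewriteRule` sends requests with a non-canonical Host header to `http://git.cacert.org/$1`, which then hits `Redirect / https://git.cacert.org/gitweb`, so such clients take two hops and the first one is still in cleartext. Rewriting straight to `https://git.cacert.org/$1` removes the intermediate plain-http hop; and since the second redirect lands on /gitweb regardless of path, the captured `$1` is discarded anyway. `RewriteEngine on` needs mod_rewrite, which the page does not mention as enabled.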
diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/default-ssl.conf git/etc/apache2/sites-available/default-ssl.conf
--- orig/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:05:51.022493172 +0200
+++ git/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:14:50.350565644 +0200
@@ -2,13 +2,27 @@
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
+ Redirect /index.html /gitweb/
+
DocumentRoot /var/www/html
+ <Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ </Directory>
+ <Directory /var/www/>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
+ LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
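Review bot: `Redirect /index.html /gitweb/` only catches the literal `/index.html`, not a request for `/`, so the site root does not necessarily land on gitweb; `RedirectMatch ^/$ /gitweb/` (or an appropriate DirectoryIndex) would cover both. The `<Directory />` and `<Directory /var/www/>` blocks duplicate the ones added to conf-available/security.conf in the first hunk of this patch and again use the 2.2-style `Order allow,deny` / `allow from all`; keep a single copy and use `Require all granted` on Apache 2.4.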
@@ -29,8 +43,8 @@
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+ SSLCertificateFile /etc/ssl/public/git.c.o.chain.crt
+ SSLCertificateKeyFile /etc/ssl/private/git.c.o.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
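Review bot: the certificate and key paths in this hunk (`/etc/ssl/public/git.c.o.chain.crt`, `/etc/ssl/private/git.c.o.key`) do not match the paths given under "Keys and X.509 certificates" (`/etc/ssl/public/git.cacert.org.chain.pem`, `/etc/ssl/private/git.cacert.org.key.pem`); one of the two is stale, so reconcile the page with whatever the running configuration actually references. Also confirm the replacement private key file carries the same root-only permissions as the snakeoil key it replaces.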
@@ -130,6 +144,12 @@
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+ # HSTS
+ Header always set Strict-Transport-Security "max-age=31536000"
+ Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dacEZQWGxky95ybZadcNI26RDghVLeVdbdRC/Q3spJQ='; img-src 'self'; style-src 'self';"
+ Header always set X-Frame-Options "DENY"
+ Header always set X-XSS-Protection "1; mode=block"
+ Header always set X-Content-Type-Options "nosniff"
</VirtualHost>
</IfModule>
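Review bot: the HSTS header sets only `max-age`; add `includeSubDomains` if no plain-http subdomain exists under git.cacert.org. The CSP `script-src` hash pins one specific inline script, so a gitweb package update that changes that inline script will be blocked silently; check the browser console after upgrades. `X-XSS-Protection` is obsolete in current browsers and can be dropped now that a CSP is in place. These `Header` directives require mod_headers, and they are set only in the :443 VirtualHost, which is fine given the :80 host redirects everything.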
Gitweb configuration
Gitweb is configured in /etc/gitweb.conf, which has the following changes relative to the version contained in the distribution package:
--- orig/etc/gitweb.conf 2016-03-19 14:22:50.000000000 +0100
+++ git/etc/gitweb.conf 2014-02-17 02:25:18.281157394 +0100
@@ -1,5 +1,8 @@
# path to git projects (<project>.git)
-$projectroot = "/var/lib/git";
+$projectroot = "/var/cache/git";
+
+# only show repos that are also served via git-daemon
+$export_ok = "git-daemon-export-ok";
# directory to use for temp files
$git_temp = "/tmp";
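Review bot: the `+++` timestamp (2014-02-17) is older than the `---` one (2016-03-19), so this diff was taken against a package version newer than the one the local file was derived from; regenerate it after the next package upgrade to confirm `$projectroot` and `$export_ok` survive. The `$export_ok` setting is consistent with the git-daemon run script later on this page, which serves /var/cache/git without `--export-all` in the lines shown.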
@@ -13,6 +16,9 @@
# file with project list; by default, simply scan the projectroot dir.
#$projects_list = $projectroot;
+# Enable categories
+$projects_list_group_categories = 1;
+
# stylesheet to use
#@stylesheets = ("static/gitweb.css");
@@ -28,3 +34,17 @@
# git-diff-tree(1) options to use for generated patches
#@diff_opts = ("-M");
@diff_opts = ();
+
+# auto generate fetch URLs
+@git_base_url_list = (
+ "git://git.cacert.org",
+ "ssh://git.cacert.org/var/cache/git");
+
+# Prevent XSS attacks
+$prevent_xss = 1;
+
+# enable gravatar support
+$feature{'avatar'}{'default'} = ['gravatar'];
+
+# enable syntax highlighting
+$feature{'highlight'}{'default'} = [1];
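Review bot: `@git_base_url_list` advertises `git://git.cacert.org`, the unauthenticated protocol the Todo above plans to retire; when git-daemon is switched off, remove that entry (and add the https URL) so gitweb does not show a dead, insecure clone URL. The gravatar feature makes every visitor's browser fetch images from gravatar.com keyed on committer e-mail hashes, which exposes visitor IPs to a third party and also collides with the `img-src 'self'` CSP set in default-ssl.conf, so those images will be blocked anyway; either drop gravatar or allow its host in `img-src`.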
git-daemon configuration
The git-daemon is started by runit. Its configuration is stored in /etc/sv/git-daemon/run and has the following changes relative to the version contained in the distribution package git-daemon-run:
--- orig/etc/sv/git-daemon/run 2016-03-19 14:22:50.000000000 +0100
+++ git/etc/sv/git-daemon/run 2014-02-06 01:46:55.424870926 +0100
@@ -3,4 +3,4 @@
echo 'git-daemon starting.'
exec chpst -ugitdaemon \
"$(git --exec-path)"/git-daemon --verbose --reuseaddr \
- --base-path=/var/lib /var/lib/git
+ --base-path=/var/cache/git /var/cache/git
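Review bot: with `--base-path=/var/cache/git` and that same directory as the only whitelisted path, a client URL `git://git.cacert.org/<repo>.git` maps to `/var/cache/git/<repo>.git`, which matches the `git://` base URL in gitweb.conf. No `--export-all` appears in the lines shown, so only repositories containing git-daemon-export-ok are served, consistent with `$export_ok` in gitweb.conf. If the Todo to retire git-daemon is carried out, remove this runit service and the /etc/inittab hook mentioned below as well, not just the firewall rule.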
The runit service handling is triggered through /etc/inittab.
Tasks
Changes
Planned
Todo: enable IPv6
System Future
No plans
Additional documentation
Adding a git repository
The git repositories are stored in /var/cache/git/. To create a new repository use:
    cd /var/cache/git/
    git init --bare --shared=group <reponame.git>
    chgrp -R <groupname> <reponame.git>
The gitweb index is built from all repositories that contain a file git-daemon-export-ok. You should also put a description in the repository's description file and set the repository owner via:
    cd <reponame.git>
    git config gitweb.owner "Owner information"
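The steps above (bare shared init, group ownership, description, gitweb.owner, git-daemon-export-ok) are collected below into one function plus a check, as an added example that is not a script from this wiki page. It assumes git and a POSIX sh; the repository root defaults to /var/cache/git as on this page, and the group, owner and description are parameters. The repository name is validated so a caller cannot escape the repository root with `/` or `..`.

```shell
#!/bin/sh
# Added example: create and verify a gitweb/git-daemon repository in one step.

# new_git_repo NAME GROUP OWNER DESCRIPTION [ROOT]
# Creates ROOT/NAME.git as a bare, group-shared repository restricted to GROUP,
# writes the gitweb description and owner, and exports it to gitweb and
# git-daemon by creating the git-daemon-export-ok marker file.
new_git_repo() {
  name=$1 group=$2 owner=$3 desc=$4 root=${5:-/var/cache/git}
  case "$name" in
    ''|*/*|*..*) echo "refusing invalid repository name: $name" >&2; return 1 ;;
  esac
  repo="$root/$name.git"
  [ -d "$repo" ] && { echo "$repo already exists" >&2; return 1; }
  # --shared=group makes new objects group-writable (core.sharedRepository)
  git init --bare --shared=group "$repo" >/dev/null 2>&1 || return 1
  # the dedicated group from the "Dedicated user roles" table owns the tree
  chgrp -R "$group" "$repo" || return 1
  printf '%s\n' "$desc" > "$repo/description"
  git -C "$repo" config gitweb.owner "$owner"
  # gitweb ($export_ok) and git-daemon only list repositories with this file
  : > "$repo/git-daemon-export-ok"
}

# check_git_repo NAME [ROOT]
# Prints "ok" when the repository is bare, group-shared, exported and has a
# real description; returns 1 otherwise. Suitable as a post-creation audit.
check_git_repo() {
  repo="${2:-/var/cache/git}/$1.git"
  [ "$(git -C "$repo" config --get core.bare)" = true ] || return 1
  # git writes the compatibility value "1" for --shared=group
  case "$(git -C "$repo" config --get core.sharedrepository)" in
    1|group|true) ;;
    *) return 1 ;;
  esac
  [ -f "$repo/git-daemon-export-ok" ] || return 1
  grep -q "Unnamed repository" "$repo/description" && return 1
  echo ok
}

# Stand-alone run (constructed values; the root is a temporary directory so
# nothing under /var/cache/git is touched):
if [ "${0##*/}" != sh ] && [ -z "$SSHFP_NO_MAIN" ]; then
  tmp=$(mktemp -d)
  new_git_repo demo "$(id -gn)" "Example owner" "Constructed demo repository" "$tmp" \
    && check_git_repo demo "$tmp"
  rm -rf "$tmp"
fi
```

Run as root on the git host with the real group name from the roles table, e.g. `new_git_repo infra-tools git-infra "Infrastructure team" "Infrastructure tooling"`, then `check_git_repo infra-tools` should print `ok`. Leaving git-daemon-export-ok out deliberately keeps a repository private to ssh users, which the check reports as a failure.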
References
- Apache httpd documentation