-rw-r--r-- | docs/configdiff/git/git-apache-config.diff | 121 | ||||
-rw-r--r-- | docs/configdiff/git/git-daemon-run.diff | 8 | ||||
-rw-r--r-- | docs/configdiff/git/gitweb.conf.diff | 40 | ||||
-rw-r--r-- | docs/systems.rst | 1 | ||||
-rw-r--r-- | docs/systems/git.rst | 368 |
5 files changed, 538 insertions, 0 deletions
diff --git a/docs/configdiff/git/git-apache-config.diff b/docs/configdiff/git/git-apache-config.diff
new file mode 100644
index 0000000..ad2c182
--- /dev/null
+++ b/docs/configdiff/git/git-apache-config.diff
@@ -0,0 +1,121 @@ +diff -urwN -X diffignore-apache2 orig/etc/apache2/conf-available/security.conf git/etc/apache2/conf-available/security.conf +--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100 ++++ git/etc/apache2/conf-available/security.conf 2016-05-20 00:15:49.874994024 +0200 +@@ -10,6 +10,17 @@ + # Order Deny,Allow + # Deny from all + #</Directory> ++<Directory /> ++ Options FollowSymLinks ++ AllowOverride None ++</Directory> ++ ++<Directory /var/www/> ++ Options Indexes FollowSymLinks MultiViews ++ AllowOverride None ++ Order allow,deny ++ allow from all ++</Directory> + + + # Changing the following options will not really affect the security of the +diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf git/etc/apache2/mods-available/ssl.conf +--- orig/etc/apache2/mods-available/ssl.conf 2015-10-24 10:37:19.000000000 +0200 ++++ git/etc/apache2/mods-available/ssl.conf 2016-01-02 16:13:42.695785273 +0100 +@@ -56,7 +56,8 @@ + # ciphers(1) man page from the openssl package for list of all available + # options. + # Enable only secure ciphers: +- SSLCipherSuite HIGH:!aNULL ++ #SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128 ++ SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP + + # SSL server cipher order preference: + # Use server priorities for cipher algorithm choice. +@@ -65,7 +66,7 @@ + # the CPU cost, and did not override SSLCipherSuite in a way that puts + # insecure ciphers first. + # Default: Off +- #SSLHonorCipherOrder on ++ SSLHonorCipherOrder on + + # The protocols to enable. 
+ # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 +diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/000-default.conf git/etc/apache2/sites-available/000-default.conf +--- orig/etc/apache2/sites-available/000-default.conf 2015-10-24 10:37:19.000000000 +0200 ++++ git/etc/apache2/sites-available/000-default.conf 2016-05-20 00:21:02.697250540 +0200 +@@ -11,11 +11,19 @@ + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + ++ RewriteEngine on ++ RewriteCond %{HTTP_HOST} !^git\.cacert\.org [NC] ++ RewriteCond %{HTTP_HOST} !^$ ++ RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE] ++ ++ Redirect / https://git.cacert.org/gitweb ++ + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn ++ LogLevel warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined +diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/default-ssl.conf git/etc/apache2/sites-available/default-ssl.conf +--- orig/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:05:51.022493172 +0200 ++++ git/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:14:50.350565644 +0200 +@@ -2,13 +2,27 @@ + <VirtualHost _default_:443> + ServerAdmin webmaster@localhost + ++ Redirect /index.html /gitweb/ ++ + DocumentRoot /var/www/html + ++ <Directory /> ++ Options FollowSymLinks ++ AllowOverride None ++ </Directory> ++ <Directory /var/www/> ++ Options Indexes FollowSymLinks MultiViews ++ AllowOverride None ++ Order allow,deny ++ allow from all ++ </Directory> ++ + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. 
+ #LogLevel info ssl:warn ++ LogLevel warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined +@@ -29,8 +43,8 @@ + # /usr/share/doc/apache2/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. +- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem +- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key ++ SSLCertificateFile /etc/ssl/public/git.c.o.chain.crt ++ SSLCertificateKeyFile /etc/ssl/private/git.c.o.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the +@@ -130,6 +144,12 @@ + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + ++ # HSTS ++ Header always set Strict-Transport-Security "max-age=31536000" ++ Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dacEZQWGxky95ybZadcNI26RDghVLeVdbdRC/Q3spJQ='; img-src 'self'; style-src 'self';" ++ Header always set X-Frame-Options "DENY" ++ Header always set X-XSS-Protection "1; mode=block" ++ Header always set X-Content-Type-Options "nosniff" + </VirtualHost> + </IfModule> + diff --git a/docs/configdiff/git/git-daemon-run.diff b/docs/configdiff/git/git-daemon-run.diff new file mode 100644 index 0000000..abcca5a --- /dev/null +++ b/docs/configdiff/git/git-daemon-run.diff @@ -0,0 +1,8 @@ +--- orig/etc/sv/git-daemon/run 2016-03-19 14:22:50.000000000 +0100 ++++ git/etc/sv/git-daemon/run 2014-02-06 01:46:55.424870926 +0100 +@@ -3,4 +3,4 @@ + echo 'git-daemon starting.' + exec chpst -ugitdaemon \ + "$(git --exec-path)"/git-daemon --verbose --reuseaddr \ +- --base-path=/var/lib /var/lib/git ++ --base-path=/var/cache/git /var/cache/git diff --git a/docs/configdiff/git/gitweb.conf.diff b/docs/configdiff/git/gitweb.conf.diff new file mode 100644 index 0000000..0e8e957 --- /dev/null +++ b/docs/configdiff/git/gitweb.conf.diff 
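Review bot: The plain-http fallback `Redirect / https://git.cacert.org/gitweb` added to 000-default.conf appends the rest of the request path to its target, because Apache's `Redirect` is prefix-based, so a request for `http://git.cacert.org/gitweb/` (the exact URL the page lists as the Gitweb link) is sent to `https://git.cacert.org/gitwebgitweb/`. `Redirect permanent / https://git.cacert.org/` forwards every path unchanged, and the `Redirect /index.html /gitweb/` already added to the TLS vhost then lands users on gitweb. The host-canonicalising `RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE]` just above it sends requests with a non-matching Host header through an extra cleartext hop before they reach the TLS redirect; pointing it at `https://git.cacert.org/$1` removes that hop. In both vhosts the `<Directory /var/www/>` block enables `Indexes` and `MultiViews` with the 2.2-style `Order allow,deny` syntax, which on the 2.4 httpd that Jessie ships depends on mod_access_compat and exposes a listing of /var/www/html that nothing here needs when every visitor is meant to end up under /gitweb — `Options FollowSymLinks` plus `Require all granted` is the tighter 2.4 equivalent. Minor: OpenSSL spells the null-encryption alias `eNULL`, so `!eNull` in the new `SSLCipherSuite` is most likely a no-op; harmless, since `HIGH` never includes those suites, but worth correcting so the intent reads clearly.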
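Review bot: The rewritten `--base-path=/var/cache/git /var/cache/git` line keeps exposing the unauthenticated, unencrypted git:// service that this page's own risk assessment says should be retired, and nothing in the run file records why it is considered safe to leave on. git-daemon leaves `receive-pack` disabled unless it is enabled explicitly and, without `--export-all`, serves only repositories carrying `git-daemon-export-ok`, so a comment such as `# read-only: receive-pack stays disabled; only repos under /var/cache/git with git-daemon-export-ok are served (same set gitweb lists via $export_ok)` would document the intended exposure for the next admin. The `+++` timestamp on the new side (2014-02-06) is two years older than the `---` orig side (2016-03-19), which suggests the diff was taken against a stale copy of the packaged run script; regenerating it from the installed version would make this documentation trustworthy.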
@@ -0,0 +1,40 @@ +--- orig/etc/gitweb.conf 2016-03-19 14:22:50.000000000 +0100 ++++ git/etc/gitweb.conf 2014-02-17 02:25:18.281157394 +0100 +@@ -1,5 +1,8 @@ + # path to git projects (<project>.git) +-$projectroot = "/var/lib/git"; ++$projectroot = "/var/cache/git"; ++ ++# only show repos that are also served via git-daemon ++$export_ok = "git-daemon-export-ok"; + + # directory to use for temp files + $git_temp = "/tmp"; +@@ -13,6 +16,9 @@ + # file with project list; by default, simply scan the projectroot dir. + #$projects_list = $projectroot; + ++# Enable categories ++$projects_list_group_categories = 1; ++ + # stylesheet to use + #@stylesheets = ("static/gitweb.css"); + +@@ -28,3 +34,17 @@ + # git-diff-tree(1) options to use for generated patches + #@diff_opts = ("-M"); + @diff_opts = (); ++ ++# auto generate fetch URLs ++@git_base_url_list = ( ++ "git://git.cacert.org", ++ "ssh://git.cacert.org/var/cache/git"); ++ ++# Prevent XSS attacks ++$prevent_xss = 1; ++ ++# enable gravatar support ++$feature{'avatar'}{'default'} = ['gravatar']; ++ ++# enable syntax highlighting ++$feature{'highlight'}{'default'} = [1]; diff --git a/docs/systems.rst b/docs/systems.rst index f5963ad..e9e9e16 100644 --- a/docs/systems.rst +++ b/docs/systems.rst @@ -17,6 +17,7 @@ administrator team. systems/cats systems/email systems/emailout + systems/git systems/monitor systems/webmail diff --git a/docs/systems/git.rst b/docs/systems/git.rst new file mode 100644 index 0000000..79ba57b --- /dev/null +++ b/docs/systems/git.rst 
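Review bot: `$feature{'avatar'}{'default'} = ['gravatar']` conflicts with the `Content-Security-Policy` header the sibling Apache diff sets on the TLS vhost (`img-src 'self'`): the avatar URLs point at `secure.gravatar.com` (per the locally patched gitweb.cgi shown further down the page), so CSP-enforcing browsers block every avatar, while the MD5 of each committer's lower-cased e-mail address is still emitted into the page source and fetched from a third party by any client that ignores the policy. Unless avatars are actually wanted, drop that line so gitweb falls back to no avatar; if they are wanted, add `https://secure.gravatar.com` to `img-src` rather than leaking the hashes for no benefit. `$prevent_xss = 1` is the right setting for repositories that carry contributed content, since it disables the gitweb features that let repository content dictate the response type (blob_plain/snapshot); a comment stating that reason, e.g. `# repositories contain third-party content: never let a blob choose its own Content-Type`, would discourage anyone from switching it off for convenience. As with the git-daemon diff, the new-side timestamp (2014) predates the orig side (2016), so this diff may have been generated against a stale copy of the packaged gitweb.conf.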
@@ -0,0 +1,368 @@ +.. index:: + single: Systems; Git + +=== +Git +=== + +Purpose +======= + +`Git`_ server for the :wiki:`Software` development and :wiki:`System +Administration <SystemAdministration/Team>` teams. + +.. _Git: https://www.git-scm.com/ + +Application Links +----------------- + +Gitweb + http://git.cacert.org/gitweb/ + +Administration +============== + +System Administration +--------------------- + +* Primary: :ref:`people_jandd` +* Secondary: None + +.. todo:: find an additional admin + +Application Administration +-------------------------- + ++-------------+---------------------+ +| Application | Administrator(s) | ++=============+=====================+ +| Git | :ref:`people_jandd` | ++-------------+---------------------+ +| Gitweb | :ref:`people_jandd` | ++-------------+---------------------+ + +Contact +------- + +* git-admin@cacert.org + +Additional People +----------------- + +:ref:`people_mario`, :ref:`people_benbe` and :ref:`people_neo` have +:program:`sudo` access on that machine too. + +Basics +====== + +Physical Location +----------------- + +This system is located in an :term:`LXC` container on physical machine +:doc:`infra02`. + +Logical Location +---------------- + +:IP Internet: :ip:v4:`213.154.225.250` +:IP Intranet: :ip:v4:`172.16.2.250` +:IP Internal: :ip:v4:`10.0.0.250` +:MAC address: :mac:`00:ff:2e:b0:4b:1b` (eth0) + +.. seealso:: + + See :doc:`../network` + +DNS +--- + +.. index:: + single: DNS records; <machine> + +===================== ======== ============================================ +Name Type Content +===================== ======== ============================================ +git.cacert.org. IN A 213.154.225.250 +git.cacert.org. IN SSHFP 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6 +git.cacert.org. IN SSHFP 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F +git.intra.cacert.org. IN A 172.16.2.250 +===================== ======== ============================================ + +.. 
seealso:: + + See :wiki:`SystemAdministration/Procedures/DNSChanges` + +Operating System +---------------- + +.. index:: + single: Debian GNU/Linux; Jessie + single: Debian GNU/Linux; 8.4 + +* Debian GNU/Linux 8.4 + +Applicable Documentation +------------------------ + +This is it :-) + +Services +======== + +Listening services +------------------ + ++----------+---------+---------+-----------------------------+ +| Port | Service | Origin | Purpose | ++==========+=========+=========+=============================+ +| 22/tcp | ssh | ANY | admin console access | ++----------+---------+---------+-----------------------------+ +| 25/tcp | smtp | local | mail delivery to local MTA | ++----------+---------+---------+-----------------------------+ +| 80/tcp | http | ANY | application | ++----------+---------+---------+-----------------------------+ +| 443/tcp | https | ANY | application | ++----------+---------+---------+-----------------------------+ +| 5666/tcp | nrpe | monitor | remote monitoring service | ++----------+---------+---------+-----------------------------+ +| 9418/tcp | git | ANY | Git daemon port | ++----------+---------+---------+-----------------------------+ + +.. todo:: disable insecure git-daemon port and http for git, replace these with + https for read access and git+ssh for write access + +Running services +---------------- + +.. 
index:: + single: Apache httpd + single: Postfix + single: cron + single: nrpe + single: openssh + single: rsyslog + single: git-daemon + ++--------------------+---------------------+----------------------------------------+ +| Service | Usage | Start mechanism | ++====================+=====================+========================================+ +| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` | +| | remote | | +| | administration | | ++--------------------+---------------------+----------------------------------------+ +| Apache httpd | Webserver for | init script | +| | gitweb | :file:`/etc/init.d/apache2` | +| | | | ++--------------------+---------------------+----------------------------------------+ +| cron | job scheduler | init script :file:`/etc/init.d/cron` | ++--------------------+---------------------+----------------------------------------+ +| rsyslog | syslog daemon | init script | +| | | :file:`/etc/init.d/syslog` | ++--------------------+---------------------+----------------------------------------+ +| Postfix | SMTP server for | init script | +| | local mail | :file:`/etc/init.d/postfix` | +| | submission | | ++--------------------+---------------------+----------------------------------------+ +| Nagios NRPE server | remote monitoring | init script | +| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` | +| | :doc:`monitor` | | ++--------------------+---------------------+----------------------------------------+ +| runit | service supervision | :file:`/etc/inittab` entry | +| | for git-daemon | | ++--------------------+---------------------+----------------------------------------+ +| git-daemon | Daemon for native | runit service description in | +| | Git protocol | :file:`/etc/sv/git-daemon/run` | +| | access | | ++--------------------+---------------------+----------------------------------------+ + +Connected Systems +----------------- + +* :doc:`monitor` +* :doc:`jenkins` for git repository access + 
+Outbound network connections +---------------------------- + +* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3 +* :doc:`emailout` as SMTP relay +* ftp.nl.debian.org as Debian mirror +* security.debian.org for Debian security updates +* crl.cacert.org (rsync) for getting CRLs +* :doc:`jenkins` for triggering web hooks + +Security +======== + +.. sshkeys:: + :RSA: b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab + :DSA: 27:e5:f3:95:b8:4e:73:48:b5:f2:28:8f:32:5a:96:70 + :ECDSA: b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c + +.. todo:: setup ED25519 host key + +Dedicated user roles +-------------------- + ++-----------------+----------------------------------------------------+ +| Group | Purpose | ++=================+====================================================+ +| git-birdshack | access to :wiki:`BirdShack` git repositories | ++-----------------+----------------------------------------------------+ +| softass | Software assessors | ++-----------------+----------------------------------------------------+ +| git-boardvoting | access to board voting git repository | ++-----------------+----------------------------------------------------+ +| git-rccrtauth | access to Roundcube certificate authentication git | +| | repository | ++-----------------+----------------------------------------------------+ +| git-infra | access to infrastructure git repositories | ++-----------------+----------------------------------------------------+ + +.. todo:: think about regulating git access by a proper git repository manager + like gitolite + +Non-distribution packages and modifications +------------------------------------------- + +Gitweb has been modified to use https for `Gravatar`_ lookups: + +.. code-block:: diff + + --- gitweb.cgi 2014-02-06 14:01:48.696730208 +0000 + +++ /usr/share/gitweb/gitweb.cgi 2014-02-06 14:03:52.933721422 +0000 + 
@@ -2064,7 +2064,7 @@ + my $email = lc shift; + my $size = shift; + $avatar_cache{$email} ||= + - "http://www.gravatar.com/avatar/" . + + "https://secure.gravatar.com/avatar/" . + Digest::MD5::md5_hex($email) . "?s="; + return $avatar_cache{$email} . $size; + } + +.. _Gravatar: http://www.gravatar.com/ + + +Risk assessments on critical packages +------------------------------------- + +The package git-daemon-run exposes the git native protocol which is prone to +man in the middle attacks that could hand out modified code to users. There are +alternatives (ssh, https) and git-daemon support should be disabled. + +Critical Configuration items +============================ + +Keys and X.509 certificates +--------------------------- + +.. sslcert:: git.cacert.org + :altnames: DNS:git.cacert.org + :certfile: /etc/ssl/public/git.c.o.chain.crt + :keyfile: /etc/ssl/private/git.c.o.key + :serial: 11E84D + :expiration: Mar 31 20:07:57 18 GMT + :sha1fp: B8:F9:FF:4E:F3:F6:45:A9:44:7D:8A:1E:F5:D7:28:24:74:ED:48:46 + :issuer: CA Cert Signing Authority + +The :file:`/etc/ssl/public/git.c.o.chain.crt` contains the CAcert.org Class 1 +certificate too. + +.. seealso:: + + * :wiki:`SystemAdministration/CertificateList` + +.. index:: Git repositories + +Git repositories +---------------- + +.. index:: + pair: Apache httpd; configuration + +Apache httpd configuration +-------------------------- + +Apache httpd serves the gitweb interface via http and https. The http +VirtualHost redirects all traffic to https. The following changes have been +applied to the Debian package's Apache httpd configuration: + +.. literalinclude:: ../configdiff/git/git-apache-config.diff + :language: diff + +.. index:: + pair: Gitweb; configuration + +Gitweb configuration +-------------------- + +Gitweb is configured in :file:`/etc/gitweb.conf` which has the following +changes to the version contained in the distribution package: + +.. 
literalinclude:: ../configdiff/git/gitweb.conf.diff + :language: diff + +.. index:: + pair: runit; configuration + pair: git-daemon; configuration + +git-daemon configuration +------------------------ + +The git-daemon is started by runit. The configuration is stored in +:file:`/etc/sv/git-daemon/run` and has the following changes to the version +contained in the distribution package git-daemon-run: + +.. literalinclude:: ../configdiff/git/git-daemon-run.diff + :language: diff + +Tasks +===== + +Planned +------- + +.. todo:: enable IPv6 + +Changes +======= + +System Future +------------- + +* No plans + +Additional documentation +======================== + +Adding a git repository +----------------------- + +The git repositories are stored in :file:`/var/cache/git/`. To create a new +repository use: + +.. code-block:: shell + + cd /var/cache/git/ + git init --bare --shared=group <reponame.git> + chgrp -R <groupname> <reponame.git> + +The gitweb index is built from all repositories that contain a file +:file:`git-daemon-export-ok`. You should also put a description in the +repository's :file:`description` file and set the repository owner via: + +.. code-block:: shell + + cd <reponame.git> + git config gitweb.owner "Owner information" + +.. seealso:: + + * :wiki:`PostfixConfiguration` + +References +---------- + +Apache httpd documentation + http://httpd.apache.org/docs/2.4/ |