[SAC] Dealing with private vs. public git/gogs repositories

Sandro Santilli strk at keybit.net
Thu Apr 14 02:09:12 PDT 2016


The Gogs service [1] adds the possibility for any OSGeo User [2]
to create private Git repositories. At the filesystem level,
Gogs makes no distinction in the permissions of the corresponding
directory, which are then determined solely by the umask of the
process running the service [3].

While this approach is fine as long as Gogs is the _only_ access
method to the repositories, we might want to allow for more access
methods, especially if some projects would like to keep using Trac
to manage tickets (rather than migrate them all to Gogs). This is
particularly interesting for read-only access, whereas write access
is (IMHO) ok to be solely driven by a single access method.

One way to allow wider read-only access would be to make all
Gogs-managed repositories group readable and put any user that
would need read-only access into that group. This would still not
give proper isolation between users (or organizations) when it
comes to private repositories, but it might be acceptable for OSGeo.

In particular, adding the "www-data" user to the "git" group and
making all Gogs-managed repositories owned by group "git" and
group-readable would allow any Trac instance administrator to
browse any Gogs-managed repository (including private ones).
I don't know if there are other possibilities for an OSGeo User
to get the web server to expose arbitrary filesystem directories,
but this Trac case is one I know for sure. Note that not all
OSGeo Users would be Trac instance administrators, but it's worth
noting the possible over-wide access.

What do you think about this setup? Do you think it would be
acceptable to give the www-data user read-only access to all Gogs
repositories?
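To measure the over-wide access such a setup would create, here is an added shell helper (not part of this post or of Gogs) that lists which Gogs-managed repositories under a root directory are group- or world-readable, shows that the umask alone decides the directory mode, and checks whether an account such as www-data is in the repositories' group. The layout ROOT/<owner>/<name>.git and the sample tree it builds are assumptions.

```shell
#!/bin/sh
# Audit helper for the group-readable setup discussed above. Added example,
# not part of the original post or of Gogs. Assumptions: Gogs stores bare
# repositories as ROOT/<owner>/<name>.git; group and account names (for
# instance "git" and "www-data") are supplied by the caller.

# List repositories under ROOT whose directory is readable by its group
# or by everyone, i.e. what a member of that group (www-data) could browse.
find_wide_readable_repos() {
    find "$1" -mindepth 2 -maxdepth 2 -type d -name '*.git' \
        \( -perm -g+r -o -perm -o+r \) | sort
}

# Number of such repositories (0 means only the owning user can read them).
count_wide_readable_repos() {
    find_wide_readable_repos "$1" | wc -l | tr -d ' '
}

# Exit 0 when DIR has its group-read bit set.
is_group_readable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -g+r)" ]
}

# Create DIR under a given umask, as the Gogs process would: the resulting
# mode depends only on the umask, never on whether the repo is private.
mkdir_with_umask() {
    (umask "$2" && mkdir -p "$1")
}

# Exit 0 when account USER is a member of group GROUP.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Constructed sample tree: two repos created under umask 022 (one of them
# private, yet group-readable) and a private repo created under umask 077.
mk_demo_tree() {
    mkdir_with_umask "$1/osgeo/public.git"  022
    mkdir_with_umask "$1/alice/private.git" 022
    mkdir_with_umask "$1/bob/locked.git"    077
}

# Stand-alone run: build the sample tree and report the over-wide access.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    mk_demo_tree "$root"
    find_wide_readable_repos "$root"
    rm -rf "$root"
fi
```

Run it as `sh audit.sh --demo` to see the sample result, or call `find_wide_readable_repos /path/to/gogs-repositories` and `user_in_group www-data git` against a real host.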

[1] https://wiki.osgeo.org/wiki/SAC:Gogs
[2] http://www.osgeo.org/osgeo_userid
[3] https://github.com/gogits/gogs/issues/2950

--strk; 
