Security risk in recommended Geo secondary configuration could give all users access to all repositories
In http://docs.gitlab.com/ee/gitlab-geo/configuration.html, we recommend two actions:

- Generate a `~git/.ssh/id_rsa` file for the git user on each secondary.
- Put the public component into the admin area in the secondary, to give that key privileged access.
Unfortunately, pull repository mirroring - at a minimum - allows ordinary users to make requests with the SSH configuration of the `~git` user. In the nightmare scenario, this would allow anyone to clone any repository on the instance.
Fortunately, since the sidekiq jobs doing the mirroring only run on the primary, and the key file is on the secondary, we're safe.
Until a secondary is promoted to a primary, at any rate. At that point, the sidekiq jobs will start running on the old secondary, and the key + config will start being picked up.
Assuming the promotion doesn't cause the `GeoNodeKey` row to be removed from the database, or the old secondary's SSH config to be changed, all users then gain full read-only access to every repository.
http://docs.gitlab.com/ee/gitlab-geo/disaster-recovery.html doesn't suggest either of these things.
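As an added post-promotion check (example code, not part of this issue or of GitLab's own disaster-recovery procedure), a script that reports whether the leftovers described above are still present on a node that has just been promoted. It assumes the git user's home directory is passed as its argument (defaulting to `~git`), that the key was generated at `~/.ssh/id_rsa` as the configuration guide recommends, and that `GeoNodeKey` can be counted through `gitlab-rails runner` (an assumption about the console; that step is skipped when `gitlab-rails` is not installed).

```shell
#!/bin/sh
# Added example (not from the GitLab issue or GitLab's own tooling): audit a
# promoted Geo secondary for the privileged key material described above.
# Assumptions: the git user's home directory is passed as $1 (defaults to
# ~git), the key was generated at ~/.ssh/id_rsa as the configuration guide
# recommends, and gitlab-rails is only consulted when it is on the PATH.
# Returns 0 when nothing is left over, 1 when at least one finding is printed.

audit_git_ssh_dir() {
    home="${1:-$(eval echo ~git)}"
    ssh_dir="$home/.ssh"
    findings=0

    # 1. The private key the configuration guide told us to generate.
    if [ -f "$ssh_dir/id_rsa" ]; then
        echo "FINDING: privileged private key still present: $ssh_dir/id_rsa"
        findings=$((findings + 1))
    fi

    # 2. Identity files the git user's SSH config still points at, which the
    #    mirroring jobs would pick up once sidekiq runs on this node.
    if [ -f "$ssh_dir/config" ]; then
        n=$(grep -ciE '^[[:space:]]*IdentityFile' "$ssh_dir/config" || true)
        if [ "${n:-0}" -gt 0 ]; then
            echo "FINDING: $n IdentityFile entries in $ssh_dir/config"
            findings=$((findings + n))
        fi
    fi

    # 3. Leftover GeoNodeKey rows (assumption: GeoNodeKey is queryable via
    #    the Rails console; skipped when gitlab-rails is not installed).
    if command -v gitlab-rails >/dev/null 2>&1; then
        keys=$(gitlab-rails runner 'puts GeoNodeKey.count' 2>/dev/null || echo 0)
        if [ "${keys:-0}" -gt 0 ]; then
            echo "FINDING: $keys GeoNodeKey row(s) still in the database"
            findings=$((findings + keys))
        fi
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK: no leftover Geo secondary key material under $ssh_dir"
        return 0
    fi
    return 1
}
```

Run it as root on the promoted node (`sh audit.sh` or `sh audit.sh /var/opt/gitlab`) and treat any FINDING line as a reason to remove the key and the admin-area entry before the first mirroring job runs.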
Noted while writing up https://gitlab.com/gitlab-org/gitlab-ee/issues/3270