mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

comment

Browse source
This commit is contained in:
Joey Hess 2015-07-02 16:31:18 -04:00
parent a8a1566cb7
commit d4d4fd4f8d
1 changed files with 21 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
doc/forum/security_risk_presented_by_remote.log__63__/comment_6_6a3911dc346d506d4350b5aec7619462._comment Normal file
View file

@ -0,0 +1,21 @@
[[!comment format=mdwn
username="joey"
subject="""comment 6"""
date="2015-07-02T20:23:48Z"
content="""
There are two cases there s3creds= can be in the remote.log.
If you enabled gpg encryption, it stores the S3 creds there, encrypted with
the gpg key you told it to use. So you can share the repo to users who don't
have the gpg key, and they cannot access the S3 login credentials.
If you didn't use gpg encryption, and you manually set `embedcreds=yes`
then the s3creds= will contain the un-encrypted creds.
And like the docs for embedcreds says, you then need to be careful who
you give the git repo to, since they can then access those S3 credentials.
This is not a default configuration.
(There was also the [[upgrades/insecure_embedded_creds]] bug in 2014.
But, git-annex will detect repos with that problem and warns very verbosely
about it.)
"""]]