[I have added Cc: MAINTAINER of devel/got, stsp@.]

Hello Jon, hello Stefan,

Jon Higgs wrote on Thu, Mar 27, 2025 at 01:27:24PM +1100:
> On Thu, 27 Mar 2025 10:55:13 +1100, Jon Higgs <j...@altos.au> wrote:

>> Is there any way to control this? Or am I holding something wrong, and
>> these warnings are an artifact of that.

[...]
> As I understand it, when /usr/local/bin/gotsh is the user's
> shell, it enforces access control according to the rules from
> gotd.conf(5).
> 
> The gotsh(1) says:
> 
>       The anonymous user account should have a publicly known
>       password, or can be set up with an empty password in which case
>       the user's vipw(8) entry would look similar to this example:
> 
>       anonymous::1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh

This is precisely what these two lines in security(8) are for:

                nag $pwd eq '' && !($name eq 'anoncvs' &&
                                    $shell =~ /\/anoncvssh$/),

I.e. running anoncvs requires public, unauthenticated login.
If i understand the gotsh(1) manual page correctly, the got(1)
server is designed such that it can be run in a similar mode,
which would indeed make sense to me.

Even though got(1) is not (yet?) part of the base system (for reasons
i do not know, but that's beside the point here), i think the git
repository format is important enough and the got(1) project is
important enough to merit a similar exception.

However, i believe passwordless accounts pose a significant danger
unless handled with utter care (talk about defense in depth vs.
lining up multiple slices of swiss cheese yada yada).

For that reason, the existing exception requires a very specific
user name (anoncvs) and a very specific binary name (anoncvssh).

I think adding a similar exception for got(1) is likely a good idea,
but i believe just like for anoncvs, a convention needs to be established
for the naming of the account and binary involved, that convention
needs to be as specific as possible, thoroughly documented, and
strictly enforced.

I do not think "User anonymous" is acceptable; that's much too generic.
Similarly, "Login git" is also too generic.
I think the user name needs to include both of the elements "anon"
and "got".

I think the proper order of actions is:

 1. stsp@ deciding on the recommendation
    and documenting and testing it.
 2. Either of us drafting a patch to security
    and all three of us testing it.
 3. stsp@ committing the got(1) patch(es), either of us committing
    the security(8) patch.
 4. stsp@ making a got(1) release and updating the port.
 5. You running the updated port in production.

Thoughts?
  Ingo
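The check the two security(8) lines above perform, as an added example in Python (not the security(8) script itself and not got project code): each master.passwd(5) entry with an empty password field is flagged unless its name and shell match an allowlisted pair. The anoncvs/anoncvssh pair is the existing rule; the anongot/gotsh pair is an assumed placeholder for the exception discussed in this mail, not an agreed convention, and the sample entries are constructed.

```python
import re
from typing import List, NamedTuple


class Entry(NamedTuple):
    name: str
    passwd: str
    shell: str


def parse_master_passwd(line: str) -> Entry:
    # vipw(8) format: name:passwd:uid:gid:class:change:expire:gecos:home:shell
    fields = line.rstrip("\n").split(":")
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    return Entry(name=fields[0], passwd=fields[1], shell=fields[9])


# (exact account name, regex on the shell path) pairs allowed an empty password.
# First pair: the existing security(8) exception.  Second pair: ASSUMED shape
# of a got(1) exception; 'anongot' is a placeholder, not a decided name.
PASSWORDLESS_ALLOWED = [
    ("anoncvs", re.compile(r"/anoncvssh$")),
    ("anongot", re.compile(r"/gotsh$")),
]


def is_allowed_passwordless(entry: Entry) -> bool:
    return any(entry.name == name and shell_re.search(entry.shell) is not None
               for name, shell_re in PASSWORDLESS_ALLOWED)


def nag_empty_passwords(lines: List[str]) -> List[str]:
    """Return the account names security(8) would nag about."""
    nags = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_master_passwd(line)
        if entry.passwd == "" and not is_allowed_passwordless(entry):
            nags.append(entry.name)
    return nags


# Constructed sample entries; not taken from any real system.
SAMPLE = [
    "root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh",
    "anoncvs::1001:1001::0:0:Anonymous CVS:/cvs:/usr/local/bin/anoncvssh",
    "anonymous::1002:1002::0:0:Anonymous:/home/anonymous:/usr/local/bin/gotsh",
    "anongot::1003:1003::0:0:Anonymous Got:/home/anongot:/usr/local/bin/gotsh",
    "git::1004:1004::0:0:Git:/home/git:/usr/local/bin/gotsh",
    "anoncvs::1005:1005::0:0:Wrong shell:/home/x:/bin/ksh",
]

if __name__ == "__main__":
    for name in nag_empty_passwords(SAMPLE):
        print(f"nag: account {name} has an empty password field")
```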
