Gitlab 现已全面支持 git over ssh 与 git over https。通过 HTTPS 访问请配置带有 read_repository / write_repository 权限的 Personal access token。通过 SSH 端口访问请使用 22 端口或 13389 端口。如果使用CAS注册了账户但不知道密码，可以自行至设置中更改；如有其他问题，请发邮件至 service@cra.moe 寻求协助。

Commit 90f62cf3 authored Apr 23, 2014 by Eric W. Biederman Committed by David S. Miller Apr 24, 2014

net: Use netlink_ns_capable to verify the permisions of netlink messages



It is possible by passing a netlink socket to a more privileged
executable and then to fool that executable into writing to the socket
data that happens to be valid netlink message to do something that
privileged executable did not intend to do.

To keep this from happening replace bare capable and ns_capable calls
with netlink_capable, netlink_net_calls and netlink_ns_capable calls.
Which act the same as the previous calls except they verify that the
opener of the socket had the desired permissions as well.

Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent aa4cf945

crypto/crypto_user.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -466,7 +466,7 @@ static int crypto_user_rcv_msg(struct sk_buff skb, struct nlmsghdr nlh)
		type -= CRYPTO_MSG_BASE;
		link = &crypto_dispatch[type];

		if (!capable(CAP_NET_ADMIN))
		if (!netlink_capable(skb, CAP_NET_ADMIN))
		return -EPERM;

		if ((type == (CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE) &&

drivers/connector/cn_proc.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -369,7 +369,7 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
		return;

		/* Can only change if privileged. */
		if (!capable(CAP_NET_ADMIN)) {
		if (!__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)) {
		err = EPERM;
		goto out;
		}

drivers/scsi/scsi_netlink.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -77,7 +77,7 @@ scsi_nl_rcv_msg(struct sk_buff *skb)
		goto next_msg;
		}

		if (!capable(CAP_SYS_ADMIN)) {
		if (!netlink_capable(skb, CAP_SYS_ADMIN)) {
		err = -EPERM;
		goto next_msg;
		}

kernel/audit.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -643,13 +643,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
		if ((task_active_pid_ns(current) != &init_pid_ns))
		return -EPERM;

		if (!capable(CAP_AUDIT_CONTROL))
		if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
		err = -EPERM;
		break;
		case AUDIT_USER:
		case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
		case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
		if (!capable(CAP_AUDIT_WRITE))
		if (!netlink_capable(skb, CAP_AUDIT_WRITE))
		err = -EPERM;
		break;
		default: /* bad msg */

net/can/gw.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -804,7 +804,7 @@ static int cgw_create_job(struct sk_buff skb, struct nlmsghdr nlh)
		u8 limhops = 0;
		int err = 0;

		if (!capable(CAP_NET_ADMIN))
		if (!netlink_capable(skb, CAP_NET_ADMIN))
		return -EPERM;

		if (nlmsg_len(nlh) < sizeof(*r))
		@@ -893,7 +893,7 @@ static int cgw_remove_job(struct sk_buff skb, struct nlmsghdr nlh)
		u8 limhops = 0;
		int err = 0;

		if (!capable(CAP_NET_ADMIN))
		if (!netlink_capable(skb, CAP_NET_ADMIN))
		return -EPERM;

		if (nlmsg_len(nlh) < sizeof(*r))

CRA Git | Maintained and supported by SUSTech CRA and CCSE