Gitlab 现已全面支持 git over ssh 与 git over https。通过 HTTPS 访问请配置带有 read_repository / write_repository 权限的 Personal access token。通过 SSH 端口访问请使用 22 端口或 13389 端口。如果使用CAS注册了账户但不知道密码，可以自行至设置中更改；如有其他问题，请发邮件至 service@cra.moe 寻求协助。

Commit e0e3cea4 authored Aug 21, 2012 by Eric Dumazet Committed by David S. Miller Aug 21, 2012

af_netlink: force credentials passing [CVE-2012-3520]



Pablo Neira Ayuso discovered that avahi and
potentially NetworkManager accept spoofed Netlink messages because of a
kernel bug.  The kernel passes all-zero SCM_CREDENTIALS ancillary data
to the receiver if the sender did not provide such data, instead of not
including any such data at all or including the correct data from the
peer (as it is the case with AF_UNIX).

This bug was introduced in commit 16e57262
(af_unix: dont send SCM_CREDENTIALS by default)

This patch forces passing credentials for netlink, as
before the regression.

Another fix would be to not add SCM_CREDENTIALS in
netlink messages if not provided by the sender, but it
might break some programs.

With help from Florian Weimer & Petr Matousek

This issue is designated as CVE-2012-3520

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent a9915a1b

include/net/scm.h

+3 −1

Original line number	Original line	Diff line number	Diff line
	@@ -70,9 +70,11 @@ static __inline__ void scm_destroy(struct scm_cookie *scm)
	}		}

	static __inline__ int scm_send(struct socket sock, struct msghdr msg,		static __inline__ int scm_send(struct socket sock, struct msghdr msg,
	struct scm_cookie *scm)		struct scm_cookie *scm, bool forcecreds)
	{		{
	memset(scm, 0, sizeof(*scm));		memset(scm, 0, sizeof(*scm));
			if (forcecreds)
			scm_set_cred(scm, task_tgid(current), current_cred());
	unix_get_peersec_dgram(sock, scm);		unix_get_peersec_dgram(sock, scm);
	if (msg->msg_controllen <= 0)		if (msg->msg_controllen <= 0)
	return 0;		return 0;

net/netlink/af_netlink.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -1362,7 +1362,7 @@ static int netlink_sendmsg(struct kiocb kiocb, struct socket sock,
	if (NULL == siocb->scm)		if (NULL == siocb->scm)
	siocb->scm = &scm;		siocb->scm = &scm;

	err = scm_send(sock, msg, siocb->scm);		err = scm_send(sock, msg, siocb->scm, true);
	if (err < 0)		if (err < 0)
	return err;		return err;

net/unix/af_unix.c

+2 −2

Original line number	Original line	Diff line number	Diff line
	@@ -1450,7 +1450,7 @@ static int unix_dgram_sendmsg(struct kiocb kiocb, struct socket sock,
	if (NULL == siocb->scm)		if (NULL == siocb->scm)
	siocb->scm = &tmp_scm;		siocb->scm = &tmp_scm;
	wait_for_unix_gc();		wait_for_unix_gc();
	err = scm_send(sock, msg, siocb->scm);		err = scm_send(sock, msg, siocb->scm, false);
	if (err < 0)		if (err < 0)
	return err;		return err;

	@@ -1619,7 +1619,7 @@ static int unix_stream_sendmsg(struct kiocb kiocb, struct socket sock,
	if (NULL == siocb->scm)		if (NULL == siocb->scm)
	siocb->scm = &tmp_scm;		siocb->scm = &tmp_scm;
	wait_for_unix_gc();		wait_for_unix_gc();
	err = scm_send(sock, msg, siocb->scm);		err = scm_send(sock, msg, siocb->scm, false);
	if (err < 0)		if (err < 0)
	return err;		return err;

CRA Git | Maintained and supported by SUSTech CRA and CCSE