For some, this might be ho-hum … been there done that … etc.
but thought I’d share …
Recently read a page in which a security researcher investigated thousands
of web sites for the presence of .git and security of git.
Was then reminded to check sites I admin.
https://docs.moodle.org/35/en/Git_for_Administrators
tells one how to use, but there is no advice on security.
If you use git to install/update/maintain your Moodle, check:
https://site/.git/
IF you can see the files/subdirectories in .git,
read the following:
Command line way of locking down .git.
[root@moodle]# cd /var/www/html/moodle
[root@moodle moodle]# ls -ld .git
drwxr-xr-x. 8 apache apache 4096 Jul 16 08:42 .git
Oops … the .git directory is readable by others, so it is accessible to anyone using a browser.
Fix it:
Change ownerships … owner/group … of .git directory
[root@moodle moodle]# chown root:root .git -R
[root@moodle moodle]# ls -ld .git
drwxr-xr-x. 8 root root 4096 Jul 16 08:42 .git
Change permissions on .git directory
g=group
o=all others
r=read
x=execute
[root@moodle moodle]# chmod go-rx .git -R
Above means change the ‘group/others’ permissions, taking away (the minus) read and execute.
Checking:
[root@moodle moodle]# ls -ld .git
drwx------. 8 root root 4096 Jul 16 08:42 .git
End result … only the root user can read, write and execute (rwx) in the .git directory; group and others have no access.
In apache config:
For 2.4:
<DirectoryMatch "^/.*/\.git/">
Require all denied
</DirectoryMatch>
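To confirm both fixes took effect (the filesystem lock-down and the Apache deny rule), here is an added check script; it is not from the forum post or the Moodle docs. It assumes GNU ls output and that curl is installed; the path and URL are placeholders.

```shell
#!/bin/sh
# Added example: verify the .git lock-down described above.
# Check 1: permission bits from `ls -ld`.  Check 2: HTTP fetch of .git/HEAD.

# git_mode_locked MODE
# MODE is the first field of `ls -ld`, e.g. "drwxr-xr-x." or "drwx------".
# Returns 0 when group and others have neither read nor execute (the state
# produced by `chmod go-rx .git -R`), 1 when the directory is still
# listable or traversable by anyone other than the owner.
git_mode_locked() {
    mode=$1
    # characters 5-10 hold the group and other triplets (rwxrwx)
    rest=$(printf '%s' "$mode" | cut -c5-10)
    case $rest in
        *[rx]*) return 1 ;;
        *) return 0 ;;
    esac
}

# git_dir_locked PATH
# Runs `ls -ld` on PATH and checks ownership (root:root) and permissions.
# Returns 2 if PATH is not a directory.
git_dir_locked() {
    dir=$1
    [ -d "$dir" ] || return 2
    set -- $(ls -ld "$dir")
    mode=$1 owner=$3 group=$4
    [ "$owner" = root ] && [ "$group" = root ] || return 1
    git_mode_locked "$mode"
}

# git_http_exposed BASE_URL
# Fetches BASE_URL/.git/HEAD.  Returns 0 (and prints a warning) only if the
# server answered 2xx with a body that looks like a git HEAD file, i.e. the
# "Require all denied" rule is not in effect.  Returns 1 otherwise.
git_http_exposed() {
    base=${1%/}
    body=$(curl -fsS --max-time 10 "$base/.git/HEAD" 2>/dev/null) || return 1
    case $body in
        ref:*) echo "WARNING: $base/.git/HEAD is readable over HTTP"; return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (placeholder path and URL):
#   git_dir_locked /var/www/html/moodle/.git && echo "filesystem: ok"
#   git_http_exposed https://site || echo "http: ok"
```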