From a34305da10c451b33794f2db1cbcbb08bb4aa6d2 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 2 Jul 2015 16:31:18 -0400 Subject: comment --- ...ment_6_6a3911dc346d506d4350b5aec7619462._comment | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 doc/forum/security_risk_presented_by_remote.log__63__/comment_6_6a3911dc346d506d4350b5aec7619462._comment (limited to 'doc') diff --git a/doc/forum/security_risk_presented_by_remote.log__63__/comment_6_6a3911dc346d506d4350b5aec7619462._comment b/doc/forum/security_risk_presented_by_remote.log__63__/comment_6_6a3911dc346d506d4350b5aec7619462._comment new file mode 100644 index 000000000..0b331bfcc --- /dev/null +++ b/doc/forum/security_risk_presented_by_remote.log__63__/comment_6_6a3911dc346d506d4350b5aec7619462._comment @@ -0,0 +1,21 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 6""" + date="2015-07-02T20:23:48Z" + content=""" +There are two cases there s3creds= can be in the remote.log. + +If you enabled gpg encryption, it stores the S3 creds there, encrypted with +the gpg key you told it to use. So you can share the repo to users who don't +have the gpg key, and they cannot access the S3 login credentials. + +If you didn't use gpg encryption, and you manually set `embedcreds=yes` +then the s3creds= will contain the un-encrypted creds. +And like the docs for embedcreds says, you then need to be careful who +you give the git repo to, since they can then access those S3 credentials. +This is not a default configuration. + +(There was also the [[upgrades/insecure_embedded_creds]] bug in 2014. +But, git-annex will detect repos with that problem and warns very verbosely +about it.) +"""]] -- cgit v1.2.3