Issue Summary
When a Bitbucket repository is added to Fisheye (via the 'Bitbucket Server Repositories' tab), Fisheye is unable to clone and index it. This happens because the generated private SSH key has file permissions that allow other users to read it.
Steps to Reproduce
- Install Fisheye on Windows (using its Windows installer) and Bitbucket, and connect them via an application link
- Access the $FISHEYE_INST directory as a non-admin user (and grant permissions to this user in the process)
- Install Git
- Create a repository in Bitbucket and add it in Fisheye using the 'Bitbucket repositories' tab
See the Cause section for detailed replication steps.
Expected Results
Repository is cloned and indexed.
Actual Results
Repository cloning fails because the private key is unprotected.
The following exception is logged in the atlassian-fisheye-YYYY-MM-DD.log file:
2019-10-30 01:52:41,574 WARN [InitPing3 repo ] fisheye IndexingPingRequest-doRequest - Exception during Fisheye Incremental Indexing of repo (repo): com.cenqua.fisheye.config.ConfigException: Unable to clone remote repository: ssh://git@localhost:7999/abc/repo.git - [Cloning into bare repository 'clone'..., , @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@, @ WARNING: UNPROTECTED PRIVATE KEY FILE! @, @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@, Permissions for 'C:\\Atlassian\\Data\\fecru-4.6.1\\data\\auth\\repo' are too open., It is required that your private key files are NOT accessible by others., This private key will be ignored., Load key "C:\\Atlassian\\Data\\fecru-4.6.1\\data\\auth\\repo": bad permissions, git@localhost: Permission denied (publickey)., fatal: Could not read from remote repository., , Please make sure you have the correct access rights, and the repository exists.]
Cause
Tested against Fisheye 4.8.13 installed on Windows 2022 DC edition
Steps performed in testing:
- A non-admin user runs the installer with the "Run as Admin" option
- Check the permissions with the Admin user
- To access this folder, or even to view its security settings, as the non-admin user, Windows forces the user to add themselves to the permissions (the admin password is needed)
- The user is now listed in the folder permissions
- The issue is now replicated
The same holds true if you install as a non-admin user without the "Run as Admin" option.
Conclusion: in this scenario, it is not the installer but the user's interaction with the folder itself that leads to this issue.
Workaround
Restrict permissions of private keys stored in the `$FISHEYE_INST\data\auth` directory.
File Explorer > (right click on a file) > Properties > Security tab > Advanced
Disable inheritance > Convert inherited permissions into explicit permissions on this object
Remove any regular users; keep only 'Network Service', 'SYSTEM' and the 'Administrators' group.
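
The same workaround as a script, for applying it to every key file in the directory at once. This is an added example, not part of the original issue; the `-FisheyeInst` parameter name and running it from an elevated PowerShell session are assumptions.

```powershell
# Added example: restrict the ACLs on the private keys under $FISHEYE_INST\data\auth.
# Assumption: run from an elevated PowerShell session.
param(
    # Assumption: pass your own $FISHEYE_INST path here.
    [Parameter(Mandatory)] [string] $FisheyeInst
)

# Well-known SIDs of the principals the workaround keeps (locale-independent).
$keep = @(
    'S-1-5-18',      # SYSTEM
    'S-1-5-20',      # NETWORK SERVICE
    'S-1-5-32-544'   # BUILTIN\Administrators
)
$sidType = [System.Security.Principal.SecurityIdentifier]
$authDir = Join-Path $FisheyeInst 'data\auth'

foreach ($key in Get-ChildItem -LiteralPath $authDir -File) {
    # Step 1: disable inheritance and convert inherited entries into explicit ones.
    $acl = Get-Acl -LiteralPath $key.FullName
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $key.FullName -AclObject $acl

    # Re-read the ACL so the converted entries show up as explicit rules.
    $acl = Get-Acl -LiteralPath $key.FullName

    # Step 2: remove every principal that is not on the keep list.
    foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($keep -notcontains $rule.IdentityReference.Value) {
            $acl.PurgeAccessRules($rule.IdentityReference)
        }
    }
    Set-Acl -LiteralPath $key.FullName -AclObject $acl

    # Report which SIDs still have access, for checking against the keep list.
    $left = (Get-Acl -LiteralPath $key.FullName).GetAccessRules($true, $true, $sidType) |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    '{0}: {1}' -f $key.Name, ($left -join ', ')
}
```

Each output line should list only the three SIDs above; any other SID still shown for a key file means that file's permissions remain too open for the SSH client.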