Uploaded image for project: 'FishEye'
  1. FishEye
  2. FE-7240

After adding a Bitbucket repository Fisheye is unable to clone it

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Answered
    • Icon: Low Low
    • N/A
    • 4.6.0, 4.7.0, 4.8.0
    • Indexing
    • None

      Issue Summary

      When Bitbucket repository is being added to Fisheye (via 'Bitbucket Server Repositories' tab), Fisheye is unable to clone and index it. It's caused by the fact that the private ssh key generated has file permissions which allow to read it by other users.

      Steps to Reproduce

      1. Install Fisheye on Windows (using its Windows installer) and Bitbucket and connect via application link
      2. Access the $FISHEYE_INST directory as non-admin user (and grant permissions to this user in the process)
      3. Install Git
      4. Create a repository in Bitbucket and add it in Fisheye using 'Bitbucket repositories' tab

      See Cause section for detailed replication steps

      Expected Results

      Repository is cloned and indexed.

      Actual Results

      Repository cloning fails because the private key is unprotected:

      The below exception is thrown in the atlassian-fisheye-YYYY-MM-DD.log file:

      2019-10-30 01:52:41,574 WARN  [InitPing3 repo ] fisheye IndexingPingRequest-doRequest - Exception during Fisheye Incremental Indexing of repo (repo): com.cenqua.fisheye.config.ConfigException: Unable to clone remote repository: ssh://git@localhost:7999/abc/repo.git
           - [Cloning into bare repository 'clone'..., , @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@, 
      @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @, @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@, 
      Permissions for 'C:\\Atlassian\\Data\\fecru-4.6.1\\data\\auth\\repo' are too open., 
      It is required that your private key files are NOT accessible by others., 
      This private key will be ignored., 
      Load key "C:\\Atlassian\\Data\\fecru-4.6.1\\data\\auth\\repo": bad permissions, 
      git@localhost: Permission denied (publickey)., 
      fatal: Could not read from remote repository., 
      , Please make sure you have the correct access rights, and the repository exists.]
      

      Cause

      Tested against Fisheye 4.8.13 installed on Windows 2022 DC edition
      Steps performed in testing:

      • non-admin user runs installer with "Run as Admin" option
      • check permissions with Admin user
      • to access this folder or even view security settings as the non-admin user Windows forces user to add themselves to the permissions (admin password is needed):
      • the user is now listed in folder permissions:
      • issue is now replicated:

      The same holds true if you install as a non-admin user without the "Run as Admin" option

      Conclusion, in this scenario it is not the installer but user interaction with the folder itself that leads to this issue.

      Workaround

      Restrict permissions of private keys stored in the `$FISHEYE_INST\data\auth` directory.

      File Explorer > (right click on a file) > Properties > Security tab > Advanced

      Disable inheritance > Convert inherited permissions into explicit permissions on this object

      Remove any regular users - keep 'Network Service', 'SYSTEM' and the 'Administrators' group. Example:

        1. image-2023-08-17-10-45-16-238.png
          147 kB
          Nate Hansberry
        2. image-2023-08-17-11-00-15-332.png
          154 kB
          Nate Hansberry
        3. repository-private-key-permisssions.png
          33 kB
          Marek Parfianowicz
        4. screenshot-1.png
          215 kB
          Nate Hansberry
        5. screenshot-10.png
          549 kB
          Nate Hansberry
        6. screenshot-2.png
          137 kB
          Nate Hansberry
        7. screenshot-3.png
          154 kB
          Nate Hansberry
        8. screenshot-4.png
          151 kB
          Nate Hansberry
        9. screenshot-5.png
          157 kB
          Nate Hansberry
        10. screenshot-6.png
          151 kB
          Nate Hansberry
        11. screenshot-7.png
          91 kB
          Nate Hansberry
        12. screenshot-8.png
          101 kB
          Nate Hansberry
        13. screenshot-9.png
          144 kB
          Nate Hansberry
        14. windows-git-ssh-private-key-permissions.png
          47 kB
          Marek Parfianowicz
        15. without-run-as-administrator.png
          60 kB
          Marek Parfianowicz
        16. with-run-as-administrator.png
          45 kB
          Marek Parfianowicz

              nhansberry Nate Hansberry
              mparfianowicz Marek Parfianowicz
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: