Issue: Apps leaking usernames

Howdy?

Thanks for creating YunoHost. I’ve been testing it for the past few weeks. It’s really easy to set up and requires very little configuration so far!

Trying out Gitea a few days ago, I’ve noticed that certain apps (not limited to Gitea, it’s only an example) would “leak” the YunoHost usernames.

Steps to reproduce issue:

  1. Install Gitea as a public app to example.com/git
  2. Use an incognito browser, visit example.com/git/explore/users
  3. On the page, YunoHost username is listed

My question - Would this be a security concern? What can I do to make this more secure, while keeping Gitea (or other apps) public? Is there a plan to create app-level aliases? Thanks for your time!


We could add a warning or a question to manage this.

Any plan to de-couple app usernames and YunoHost usernames?

Actually, any app that has LDAP support and doesn’t have fail2ban enabled is a bigger risk than a username leak. But I agree that if the attacker knows the username, it’s a lot easier to have a successful attack.

Well, it’s a feature? The motivation behind the SSO is that you don’t want to have to log in to 5+ apps each day with a different username / password (or even with the same username / password).

To me what you describe is an “issue”(?) related to Gitea, which somehow requires “leaking” usernames to work. One way or another, if repos are public, then by definition people can browse the repos… and know who created them? Otherwise it’s not public? :confused:

It could be an optional option in the Gitea package. App packagers can do that; they don’t for now, but they could.

Doing this should not be so hard, but it increases the number of different kinds of setup, so it could be more complex to understand issues reported by users if they don’t have the same setup…

Correct me if I’m wrong, but for git apps like Gitea, Gogs, almost all users would want to run them as public apps. Otherwise, git push / pull would be blocked.

If it’s possible to use Git-Credential with YunoHost to access private Gitea, then there’s no need to run public Gitea app, and no worries about leaking usernames.

@ClothesFree
The better solution is to implement fail2ban for the apps which have an LDAP implementation.

Gitea supports fail2ban, so it’s better to implement it with email notifications enabled for fail2ban. Keep a regular check on the fail2ban emails for an IP doing continuous attacks at regular intervals.
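As an added illustration of what the fail2ban jail suggested above actually does (this is example code written for this thread, not part of YunoHost, Gitea or fail2ban): the script below replays constructed Gitea-style log lines through a sliding-window counter with the same `maxretry` / `findtime` semantics fail2ban uses. The regex mirrors the `failregex` pattern Gitea’s fail2ban documentation publishes (assumption: your Gitea version logs in that format, and it only handles IPv4 addresses here); the log lines, usernames and addresses are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern modelled on the failregex from Gitea's fail2ban documentation.
# Assumption: failed logins are logged as
#   "YYYY/MM/DD HH:MM:SS [I] Failed authentication attempt for <user> from <ip>"
# Check your own gitea.log before relying on it. IPv4 only; an optional
# ":port" suffix (newer Gitea versions) is tolerated but not captured.
FAILED_AUTH = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"(?:Failed authentication attempt|invalid credentials|Attempted access of unknown user)"
    r".* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

# Constructed sample log: 12 failures in 12 minutes from one address,
# two widely spaced failures from another, one unknown-user probe,
# and one ordinary request line that must not match.
SAMPLE_LOG = [
    f"2024/05/01 10:{m:02d}:00 [I] Failed authentication attempt for alice from 203.0.113.7"
    for m in range(12)
] + [
    "2024/05/01 09:00:00 [I] Failed authentication attempt for bob from 198.51.100.20",
    "2024/05/01 11:30:00 [I] Failed authentication attempt for bob from 198.51.100.20",
    "2024/05/01 10:05:00 [I] Attempted access of unknown user mallory from 192.0.2.9",
    "2024/05/01 10:06:00 [I] Completed GET /explore/users 200 OK in 12ms",
]


def parse_failed_logins(lines):
    """Yield (timestamp, ip) for every line that records a failed login."""
    for line in lines:
        m = FAILED_AUTH.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            yield ts, m.group("ip")


def find_bans(lines, maxretry=10, findtime=timedelta(hours=1)):
    """Sliding-window counter with fail2ban's maxretry/findtime semantics.

    An address is banned once it has accumulated `maxretry` failures whose
    timestamps all fall within `findtime` of each other.  Returns a dict
    {ip: timestamp of the failure that triggered the ban}.
    """
    window = defaultdict(deque)   # ip -> recent failure timestamps
    bans = {}
    # Logs are not guaranteed to be in order; process chronologically.
    for ts, ip in sorted(parse_failed_logins(lines)):
        if ip in bans:
            continue
        q = window[ip]
        q.append(ts)
        # Drop failures that are now older than the findtime window.
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip}: {when:%Y-%m-%d %H:%M:%S} (maxretry reached)")
```

Only the first address reaches the default `maxretry = 10` within an hour; the two spread-out failures from the second address age out of the window, which is exactly why `findtime` matters when tuning a jail so that legitimate typos are not banned while a sustained guessing run is.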