Protect Your git Repository’s .htpasswd

Update 2: WebFaction fixed their installer. You still need to fix this yourself if the repository was created before Jan 13, 2011. (Details here.)

Update: Git repositories created with WebFaction’s git installer are insecure, even when they’re password protected: the .htpasswd file holding the password hashes can itself be downloaded over HTTP. Some Apache installations are configured out-of-the-box to refuse requests for .htpasswd files. That is not the case with WebFaction.

If you’re running a .git repository on WebFaction that was created by following their documentation, then you must do at least one of the following:

  1. Remove the file’s default world-readable permissions, by running chmod o-r .htpasswd. (Apache still has to read the file to authenticate users, so check afterwards that a password-protected URL still prompts for and accepts a login.)
  2. OR: Prevent the file from being downloaded, by adding the following to the .htaccess in the same directory (Apache 2.2 syntax; on Apache 2.4 the Order/Deny lines become Require all denied):
<Files ~ "^\.ht">
 Order allow,deny
 Deny from all
</Files>

Whichever fix you choose, verify it: requesting /.htpasswd from the repository’s URL should return 403 Forbidden (or 404 Not Found), not the file’s contents.

Of course, the same applies to any .htpasswd file.
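As an added example (not code from the original post or from WebFaction’s installer), the following POSIX shell script applies both fixes above to any directory that holds a .htpasswd, reports what it changed, and does nothing on a second run. It goes slightly beyond the rule quoted above by emitting the deny block in both Apache 2.2 and 2.4 syntax. The layout it assumes (.htpasswd beside .htaccess in the same directory) and the path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from WebFaction:
# audit an Apache-served directory for an exposed .htpasswd and apply
# both fixes (chmod o-r, and a .ht* deny rule in .htaccess).
# Assumption: .htpasswd lives next to .htaccess; adjust for your AuthUserFile.

# Return 0 if FILE exists and is readable by "others" (world-readable).
# Column 8 of the POSIX `ls -l` mode string is the others-read bit.
htpasswd_world_readable() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Return 0 if HTACCESS already has a <Files>/<FilesMatch> block for .ht*
# files plus a deny directive (2.2 "Deny from all" or 2.4 "Require all denied").
htaccess_denies_htfiles() {
    [ -f "$1" ] || return 1
    grep -qiE '<Files(Match)?[[:space:]]+(~[[:space:]]+)?"?\^\\\.ht' "$1" &&
        grep -qiE '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$1"
}

# Apply both fixes to DIR. Each change is reported on stdout; when the
# directory is already protected nothing is printed and nothing is touched,
# so the function is safe to re-run.
harden_htpasswd_dir() {
    dir="$1"
    pw="$dir/.htpasswd"
    ht="$dir/.htaccess"

    if htpasswd_world_readable "$pw"; then
        chmod o-r "$pw"
        echo "chmod o-r $pw"
    fi

    if ! htaccess_denies_htfiles "$ht"; then
        # Emit both syntaxes: mod_authz_core exists only in Apache 2.4, so the
        # 2.4 branch is used there and the 2.2 Order/Deny branch elsewhere.
        printf '%s\n' \
            '<Files ~ "^\.ht">' \
            '  <IfModule mod_authz_core.c>' \
            '    Require all denied' \
            '  </IfModule>' \
            '  <IfModule !mod_authz_core.c>' \
            '    Order allow,deny' \
            '    Deny from all' \
            '  </IfModule>' \
            '</Files>' >> "$ht"
        echo "added .ht* deny rule to $ht"
    fi
}

# Usage (hypothetical path): sh harden_htpasswd.sh /home/you/webapps/git
if [ -n "${1:-}" ]; then
    harden_htpasswd_dir "$1"
fi
```

Run it against the directory that holds the repository’s .htaccess, then run it again to confirm it reports nothing. The chmod step only helps if Apache can still read the file by some route other than world permissions, so test a protected URL afterwards; the .htaccess rule does not depend on which user Apache runs as, which is why the script applies both.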

  1. [...] This post was mentioned on Twitter by Zuissi, Natan Yellin. Natan Yellin said: New blog post: Protect Your git Repository's .htpasswd http://bit.ly/dTPKML [...]

  2. Actually, a properly bundled Apache does. The Debian Apache package provides such a default access rule.

  3. [...] – and Redmine and git are easy installs anyways. You should be aware that there used to be a security vulnerability in WebFaction’s git installer. The problem has been fixed, but all repositories created before January 13 need to fix the issue [...]