Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,555,382
Community Members
 
Community Events
184
Community Groups

Security Big: Branch Permission Issue.

Yogesh Kumar
Yogesh Kumar Nov 25, 2019

Hi,

I have a repository, for which I have set the master access for a specific user only. Which works fine in normal scenarios. But as I noticed, there is a workaround by which users can still commit to the master branch.

The process I followed:

1.) Let's say there is a repository with name repo-1.

2.) In Branch Permissions I have set write access to a specific user only say User1:

      master -> Write access -> User1

3.) Now there is another user Say User2. Who doesn't have access to commit to the master branch. 

Now to commit to the master branch, all he has to do is as follows:

   1.) Update the Global config File ~/.gitconfig and add User1 as user and email. No password required.

   In the repo, he can have his username as User2.  when the user will push the commit, He will be asked password as per the repo configuration. and after successful authentication. the push will be published to the master branch without any restriction.

And the most amazing part is, Even commit will be Displayed as User1.

 

 

 

 

Comment
Watch
Like Be the first to like this
599 views

1 comment

Kavi Laud
Kavi Laud
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Nov 25, 2019 • edited

Hello, Yogesh,

Thanks for taking the time to make this post.

Branch Permissions are enforced based on the Bitbucket user performing the push or merge. It's possible that software like ssh-agent or git-credential-manager is caching credentials and causing unexpected results.

If you're sure User2 is able to push to the master branch, I encourage you to reach out to Atlassian support so they may diagnose the issue and help get it resolved.

To address your other concern:

And the most amazing part is, Even commit will be Displayed as User1.

The commit authorship information that Bitbucket displays is based on the name and e-mail address that are specified at the time the commit is made.

Git doesn't require proof that the committer is who they say they are, but it is possible to sign commits and tags cryptographically. Bitbucket doesn't currently have any features leveraging this signature information, but we may build something in the future to help users verify signatures.

I hope this has been helpful, and thank you again for your post!

Kavi Laud
Senior Developer, Bitbucket Cloud

Like
Reply

Comment

Log in or Sign up to comment
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

See all events