Like Odysseus coming home to find his home beset by suitors to his wife, I recently discovered that my Gitea instance had 364 users. I was only expecting the one. My own.
It turns out that a Gitea instance accepts self-registration from anyone by default: no admin approval is needed to create an account and, as far as I can tell, the admin isn’t even notified. Lots of spam accounts had set up shop in my absence. (I didn’t investigate much what they were doing there before nuking them, so I don’t know what they gain by it.)
Fortunately there are ways to fix it that don’t involve tediously clicking on each user in turn and choosing purge.
First, we need to close the door. Gitea can be configured using either a config file or environment variables. I run Gitea dockerized, so environment variables make the most sense to me. Well, environment variables in an environment variable file:
gitea:
  image: gitea/gitea:latest
  container_name: gitea
  ...
  env_file: .client_env
  ...
  restart: always
And then the env_file (here named .client_env) contains environment variables (one setting per line) for the gitea container, including
USER_UID=1234
USER_GID=5678
...
GITEA__service__DISABLE_REGISTRATION=true
...
The setting is documented in the Gitea config cheat sheet as DISABLE_REGISTRATION in the [service] section of app.ini. Note that if you want to set an option using environment variables, the ini section becomes a double-underscore prefix: GITEA__section__KEY, with the section name spelled as it appears in app.ini and the key in upper case (e.g. database settings are GITEA__database__SETTING). If you would rather keep sign-ups open but gate them, the same section has REGISTER_MANUAL_CONFIRM, which holds new accounts until an admin activates them.
Stop the container (docker-compose down) and bring it up again (docker-compose up -d), and the Register link in the top right corner should go away. The official image copies GITEA__* variables into app.ini when the container starts, so a plain restart of the old container is not enough; it has to be recreated with the new environment.
Now for the sordid business of cleaning out the pig sty. Gitea’s web user interface does not have any options for mass purging of users, so we’ll take to the command line. Note that purging differs from deletion in that any and all repositories the user may have created (and, in newer versions, organizations and packages they own) are removed along with the account; a plain delete refuses to touch a user who still owns anything.
First, though, check the web user interface to see what user IDs your valid users have. Go to Site Administration (accessed from the profile drop-down menu in the upper right hand corner when you’re logged in as admin) and then, under Identity & Access in the left hand menu, click User Accounts.
Your admin user is likely user ID 1. Any real users probably follow in short order (2, 3, 4, etc.). In all likelihood the spam users follow in sequence. Note where they begin and where they end (e.g. all IDs from 8 to 452 are spam users). Do look through the whole range before you commit to it: a legitimate user who happened to sign up in the middle of the spam wave would be purged, repositories and all, by a loop that only checks ID numbers.
In order to use the Gitea command line in a docker container you need access to the container, and you need to run the admin command as the user that runs the gitea application inside it, which by default is git. Using docker’s exec command I can start an interactive bash session inside the running container as the git user (fortunately, the default docker image comes with Bash as well as busybox, the default shell):
docker exec -it --user git gitea /bin/bash
gitea is here the name of the running container. Change it if you’re calling it something else.
Check your list of spam users – and that the gitea admin command is available and talking to the right instance – by running:
gitea admin user list
And if everything seems right you can just use a Bash for loop to purge all the unwanted IDs. Check the for loop first, though:
for i in $(seq 8 452); do echo $i; done
8
9
10
11
...
and then the ‘for real’ command:
for i in $(seq 8 452); do gitea admin user delete --id $i --purge; done
and watch it go. The --purge option is easy to miss (it is listed under gitea admin user delete in Gitea’s command-line reference) and does the same thing as choosing ‘purge’ in the web UI. Without the option, Gitea would complain that it couldn’t remove a user who still had repos to their name. The loop keeps going when a single delete fails (for instance on an ID that no longer exists), so run gitea admin user list again afterwards and confirm that only your own accounts are left.
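A safer version of the purge loop, as an added example that is not part of the original post: instead of trusting the ID range alone, it reads gitea admin user list, locates the ID and IsAdmin columns by their header names, skips every admin account, and supports a dry run. The helper names select_spam_ids and purge_range and the DRY_RUN variable are mine, and the sample listing is constructed to have the same shape as the CLI’s column output (header row followed by one whitespace-separated row per user), not captured from a real instance.

```shell
#!/bin/sh
# Added example: purge a contiguous range of spam user IDs, but only those that
# appear in `gitea admin user list` and are not admins. Run inside the container
# as the git user, e.g. after `docker exec -it --user git gitea /bin/bash`.
set -eu

# select_spam_ids LISTING LO HI
# Prints, one per line, the IDs in [LO, HI] from a `gitea admin user list`
# listing whose IsAdmin column is not "true". Columns are found by header
# name, so column order and spacing do not matter; admins are never selected.
select_spam_ids() {
  printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
    NR == 1 {
      # header row: remember which columns hold the ID and the admin flag
      for (i = 1; i <= NF; i++) { if ($i == "ID") idc = i; if ($i == "IsAdmin") adc = i }
      if (!idc || !adc) { print "unexpected header in user listing" > "/dev/stderr"; exit 1 }
      next
    }
    $idc ~ /^[0-9]+$/ && $idc+0 >= lo && $idc+0 <= hi && $adc != "true" { print $idc }
  '
}

# purge_range LO HI
# Purges every ID selected above. With DRY_RUN=1 (the default) it only prints
# the commands it would run; set DRY_RUN=0 once the dry run looks right.
# A failed delete is reported but does not stop the loop.
purge_range() {
  lo="$1"; hi="$2"
  listing="$(gitea admin user list)"
  for id in $(select_spam_ids "$listing" "$lo" "$hi"); do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "would run: gitea admin user delete --id $id --purge"
    else
      gitea admin user delete --id "$id" --purge || echo "failed to purge id $id" >&2
    fi
  done
}

# Constructed sample listing (assumed shape, not real output) to exercise
# select_spam_ids without a running Gitea: two admins, one real user, three spammers.
SAMPLE_LISTING='ID Username Email Activated IsAdmin
1  admin    admin@example.invalid  true  true
2  alice    alice@example.invalid  true  false
8  spam01   spam01@example.invalid true  false
9  spam02   spam02@example.invalid false false
10 helper   helper@example.invalid true  true
11 spam03   spam03@example.invalid true  false'

# Usage inside the container:
#   purge_range 8 452              # dry run, prints what would be purged
#   DRY_RUN=0 purge_range 8 452    # the real thing
```

Because the selection is driven by the live listing rather than by seq, gaps in the ID sequence cost nothing, an admin that accidentally falls inside the range is left alone, and the dry run gives you one last look at exactly which accounts are about to lose their repositories.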