Re: git-http-backend: anonymous read, authenticated write

On Tue, Apr 09, 2013 at 07:45:53AM +0200, Magnus Therning wrote:

> I've been trying to set up git-http-backend+lighttpd.  I've managed to
> set up anonymous read-only access, and I then successfully configured
> authentication for both read and write.  Then I get stuck.  The
> man-page for git-http-backend says that the following snippet can be
> used for Apache 2.x:
> 
>     <LocationMatch "^/git/.*/git-receive-pack$">
>         AuthType Basic
>         AuthName "Git Access"
>         Require group committers
>         ...
>     </LocationMatch>
> 
> However, when I put in this match on location in my lighty config and
> try to push I'm not asked for a password, instead I'm greeted with
> 
>     % git push 
>     error: The requested URL returned error: 403 Forbidden while accessing http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack

Something in your config is blocking access to info/refs there. It
should not be the block shown above, which handles only the actual POST
of the data. The sequence of http requests made is:

  1. GET $repo/info/refs?service=git-receive-pack

     This makes initial contact and gets the ref information which push
     uses to decide what it is going to push. So it is read-only, and in
     an anonymous-read setup, does not need to be protected.

  2. POST $repo/git-receive-pack

     This actually pushes up the objects and updates the refs, and
     must be protected.

The setup listed above does work with apache; it is tested as part of
our test suite (you can see the actual config in t/lib-httpd/apache.conf).
So what in lighttpd is giving us the 403? Can you share your whole
config?

> AFAICS this means the man-page is wrong, and that I instead ought to
> match on the "service=git-receive-pack" part.  Is that a correct
> conclusion?

No. It is not a bad idea to _also_ match on info/refs, but I think it's
a little trickier (you need to reliably match the query string to
differentiate it from a fetch, which IIRC is a little hard in apache, at
least).

But if you drop the protections on "/git-receive-pack$", then an
attacker can just POST whatever they want into your repository.

-Peff
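The two-step push sequence and the access policy Peff lays out, modelled as a plain request-authorization function so the behaviour can be checked offline. This is an added example written for this page; it is not Peff's code, not git's code, and not a lighttpd or Apache configuration. It assumes the `^/git/.*/git-receive-pack$` path pattern from the quoted man-page snippet, a constructed request sequence built from the URL in the quoted error message, and a return convention of 200 (pass through to git-http-backend) versus 401 (challenge for credentials). It also includes the optional tightening Peff mentions (protecting `info/refs` only when the query string says `service=git-receive-pack`) and, clearly marked as hypothetical rather than a diagnosis of Magnus's setup, one way a front end can produce a 403 at step 1: matching the substring against the whole request URI, query string included, and denying outright instead of challenging.

```python
# Added example for this thread (not from the reply, not git's own code):
# a model of the git smart-HTTP access policy described above.
import re
from urllib.parse import parse_qs, urlsplit

# Assumed patterns: the man-page's LocationMatch for the push endpoint,
# plus the matching discovery endpoint.
RECEIVE_PACK_PATH = re.compile(r"^/git/.*/git-receive-pack$")
INFO_REFS_PATH = re.compile(r"^/git/.*/info/refs$")


def authorize(method, url, authenticated, strict=False):
    """Return the status the front end should produce for one request.

    200 = hand the request to git-http-backend, 401 = ask for credentials.
    A 403 is never the right answer for a correctly configured endpoint:
    the server either serves the request or challenges for a password.

    strict=True adds the optional tightening from the reply: the ref
    advertisement is protected too, but only when the query string names
    git-receive-pack, so anonymous fetch (git-upload-pack) keeps working.
    """
    parts = urlsplit(url)
    service = parse_qs(parts.query).get("service", [None])[0]

    if method == "POST" and RECEIVE_PACK_PATH.match(parts.path):
        # Step 2 of a push: objects and ref updates arrive here. Must be protected.
        return 200 if authenticated else 401

    if (strict and method == "GET" and INFO_REFS_PATH.match(parts.path)
            and service == "git-receive-pack"):
        # Optional: refuse to advertise refs to an anonymous pusher.
        return 200 if authenticated else 401

    # Everything else (ref discovery, git-upload-pack) is anonymous read.
    return 200


def naive_authorize(method, url, authenticated):
    """Hypothetical misconfiguration (an assumption, not Magnus's config):
    match "git-receive-pack" anywhere in the full request URI, including the
    query string, and deny rather than challenge. Step 1 of a push carries
    ?service=git-receive-pack, so this blocks ref discovery with a 403."""
    parts = urlsplit(url)
    full_uri = parts.path + ("?" + parts.query if parts.query else "")
    if "git-receive-pack" in full_uri:
        return 200 if authenticated else 403
    return 200


# Constructed request sequences modelled on the URL in the quoted error.
PUSH_SEQUENCE = [
    ("GET", "http://tracsrv.local/git/foo.git/info/refs?service=git-receive-pack"),
    ("POST", "http://tracsrv.local/git/foo.git/git-receive-pack"),
]
FETCH_SEQUENCE = [
    ("GET", "http://tracsrv.local/git/foo.git/info/refs?service=git-upload-pack"),
    ("POST", "http://tracsrv.local/git/foo.git/git-upload-pack"),
]


def walk(sequence, authenticated, strict=False):
    """Run a client's request sequence through the policy; return the statuses."""
    return [authorize(m, u, authenticated, strict) for m, u in sequence]


def naive_walk(sequence, authenticated):
    """Same, through the hypothetical broken matcher."""
    return [naive_authorize(m, u, authenticated) for m, u in sequence]


if __name__ == "__main__":
    print("anonymous push      :", walk(PUSH_SEQUENCE, False))          # [200, 401]
    print("authenticated push  :", walk(PUSH_SEQUENCE, True))           # [200, 200]
    print("anonymous fetch     :", walk(FETCH_SEQUENCE, False))         # [200, 200]
    print("strict, anon push   :", walk(PUSH_SEQUENCE, False, True))    # [401, 401]
    print("naive matcher, push :", naive_walk(PUSH_SEQUENCE, False))    # [403, 403]
```

With the correct policy an anonymous push is served at step 1 and challenged at step 2, which is what lets the git client retry with credentials; the hypothetical full-URI matcher denies at step 1, which is the symptom quoted in the question. Anonymous fetch passes both policies untouched.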