Re: git-http-backend: anonymous read, authenticated write

On Thu, Apr 11, 2013 at 3:56 AM, Jeff King <peff@xxxxxxxx> wrote:
> On Thu, Apr 11, 2013 at 01:19:19AM +0200, Magnus Therning wrote:
>
>> Nope.  I'm pretty sure this had *nothing* to do with my config.  This
>> is the original config, which doesn't work:
>>
>> $HTTP["url"] =~ "^/git" {
>>     cgi.assign = ( "" => "" )
>>     setenv.add-environment = (
>>         "GIT_PROJECT_ROOT" => "/srv/git",
>>         "GIT_HTTP_EXPORT_ALL" => ""
>>     )
>>     $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
>>         include "trac-git-auth.conf"
>>     }
>> }
>
> Ah, I think I see what it is.
>
> Did you turn on http.receivepack in the git config to enable pushing?

Nope, of course I didn't :)  Instead I did what the man-page tells me
will allow full export of a git repo *without* having to fiddle around
with the repo's config:

1. set GIT_HTTP_EXPORT_ALL in the environment
2. turn on authentication for *one* location that requires it for
pushing: ^/git/.*/git-receive-pack$

[...]
> If there is no authentication happening for the initial service-request,
> then the default http.receivepack kicks in, which is to turn pushing
> off (because there is no authenticated user).

Yes, but that only becomes clear when looking at the traffic.  In
fact, the whole design of services is not clearly mentioned in the
man-page.  I was *very* surprised to see the query strings when I
started looking at the access logs.

> The documentation should probably make the use of http.receivepack more
> clear in this situation.

I think that'd be good.  The fact that it wasn't until several mails
into the thread that anyone thought of the http.receivepack setting
also suggests that its use is a bit un-intuitive (even though it
probably makes perfect sense and is a good solution).

> So _if_ you fixed it by setting http.receivepack (which I think is the
> simplest thing under Apache, since matching the query string there is
> hard), then you would need a version of git with that fix on the
> client side to actually have git prompt for the password correctly.

Ah, so *that* is the fix that has been mentioned (I haven't bothered
reading it myself), or are there in fact two fixes that have been
referred to in the thread?

> But your fix under lighttpd is much better, as it asks for the
> credentials up front (which means the client does not go to any work
> creating a packfile just to find out that it does not have access).

Yes, I think it also helps with my particular scenario where new repos
will be added from time to time.  This way there is no second step,
after `git init`, that must be remembered.

Thank you very much for taking the time to help me out with this!
I'll also take a look at the patches you sent, as a dumb simpler user
I might have something to add, who knows?

/M

--
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@xxxxxxxxxxxx   jabber: magnus@xxxxxxxxxxxx
twitter: magthe               http://therning.org/magnus
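
The service requests discussed in this message, as an added example (not code from the thread or from git): it classifies constructed request lines for one clone and one push and reports which push-related requests the URL rule from the quoted config leaves unauthenticated. It assumes the rule is tested against the URL path only, without the query string; the repository name proj.git and the function names are made up for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The URL condition from the config quoted in the thread.
AUTH_RULE = re.compile(r"^/git/.*/git-receive-pack$")

# Constructed request lines for one clone and one push (not real log data).
SAMPLE_REQUESTS = [
    "GET /git/proj.git/info/refs?service=git-upload-pack HTTP/1.1",
    "POST /git/proj.git/git-upload-pack HTTP/1.1",
    "GET /git/proj.git/info/refs?service=git-receive-pack HTTP/1.1",
    "POST /git/proj.git/git-receive-pack HTTP/1.1",
]


def classify(request_line):
    """Return (service, auth_required) for one HTTP request line."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    if parts.path.endswith("/info/refs"):
        # Discovery request: the service name is only in the query string.
        service = parse_qs(parts.query).get("service", [None])[0]
    else:
        # Data request: the service name is the last path component.
        service = parts.path.rsplit("/", 1)[-1]
    # Assumption: the server tests the rule against the path only.
    return service, bool(AUTH_RULE.search(parts.path))


def unauthenticated_push_requests(request_lines):
    """Push-related requests that the URL rule lets through without auth."""
    return [line for line in request_lines
            if classify(line) == ("git-receive-pack", False)]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify(line), line)
    print("push requests without auth:",
          unauthenticated_push_requests(SAMPLE_REQUESTS))
```

The one request it flags is the initial info/refs request for git-receive-pack, which is the unauthenticated service request the quoted explanation refers to.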