Local git server can't serve https until repos owned by http, can't serve ssh unless repos owned by user after 2.45.1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

All,
Security enhancement in 2.45.1 have broken ability to serve git over https and ssh from local git server running Apache. (web server runs as http:http on Archlinux)
The fix of adding the following to gitconfig (system-wide and per-user in ~/.gitconfig) does not solve the problem: 

[safe]
	directory = *

(* or the actual /srv/git/reponame.git makes no difference)
On Archlinux, all repos are served from /srv/git. This has worked well for both https and ssh allowing repos under /srv/git to be owned by the user with public-private ssh key. (they are members of group owning /srv/git with write privileges) 

  After 2.45.1,

  - git will not allow https unless the repositories are OWNED by http.
  - git will not allow ssh   unless the repositories are OWNED by user.

  A catch-22.
I've tried every possible file repository ownership of http:user and user:http with permissions of 0775, but no luck, it is either one or the other. I've even tried making users members of the http group, but ssh still refuses push unless the repository is OWNED by user. 

  The errors run the gamut from https attmepts:

$ git pull
fatal: unable to access 'https://www.mydomain.com/git/examples.git/': The requested URL returned error: 500 

to ssh attempts:

$ git push
Enumerating objects: 7, done.
Counting objects: 100% (7/7), done.
Delta compression using up to 4 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 1.01 KiB | 1.01 MiB/s, done.
Total 5 (delta 2), reused 0 (delta 0), pack-reused 0
remote: error: cannot lock ref 'HEAD': Unable to create '/srv/git/pico.git/./HEAD.lock': Permission denied 
To valkyrie:/srv/git/pico.git
 ! [remote rejected] master -> master (failed to update ref)
error: failed to push some refs to 'valkyrie:/srv/git/pico.git'
This was discussed on the arch-general mailing list under the thread "git server changes - how to allow https AND ssh now that /srv/git/xxx.git must be owned by http?" at https://lists.archlinux.org/archives/list/arch-general@xxxxxxxxxxxxxxxxxxx/thread/3GCCU6QZNGRY45WMQAQEVF572AIHN646/
There was a suggestion to try a bind mount for the repositories, but that seems like it may introduce other issues, but if that is the correct approach I'm happy to try it.
What is the correct local-server way to now serve repositories over https AND ssh from Apache without running into this either-or ownership problem? 

(gitweb continues to work fine)

--
David C. Rankin, J.D.,P.E.
[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux