On 6/17/24 13:47, Junio C Hamano wrote:
> "David C. Rankin" <drankinatty@xxxxxxxxx> writes:
>> Security enhancements in 2.45.1 have broken the ability to serve git over
>> https and ssh from a local git server running Apache. (web server runs
>> as http:http on Archlinux)
>> The fix of adding the following to gitconfig (system-wide and
>> per-user in ~/.gitconfig) does not solve the problem:
>> [safe]
>>     directory = *
> It is not clear what you exactly meant by "per-user" above, so just to
> make sure. Is this set in the global configuration file for the
> httpd (or whoever Apache runs as) user?
> The purpose of the "dubious ownership" thing is to protect the user who
> runs Git from random repositories with potentially malicious hooks
> and configuration files, so the user being protected (in this case,
> whoever Apache runs as) needs to declare "I trust these
> repositories" in its ~/.gitconfig file. What individual owners of the
> /srv/my-repo.git/ project have in their ~/.gitconfig file does not
> matter when deciding if Apache trusts these repositories.
I apologize for being unclear. The directory on the server (valkyrie) that
hosts the repositories has the current ownerships:
19:53 valkyrie:/srv/git> l
total 60
drwxr-xr-x 15 http http 4096 Feb 13 02:37 .
drwxr-xr-x 6 root root 4096 Jan 4 2017 ..
drwxr-xr-x 7 http david 4096 Feb 1 06:54 arm.git
drwxr-xr-x 7 david david 4096 Nov 13 2023 c_datastructs.git
drwxr-xr-x 7 david david 4096 Jun 15 02:42 embedded.git
drwxr-xr-x 7 http http 4096 Jan 26 01:34 examples.git
drwxr-xr-x 7 http david 4096 Aug 13 2023 gtkedit.git
drwxr-xr-x 7 http david 4096 Aug 13 2023 gtkeditphmirror.git
drwxr-xr-x 7 http david 4096 Aug 13 2023 gtkwritemirror.git
drwxr-xr-x 7 http david 4096 Aug 13 2023 mtrxsolv.git
drwxr-xr-x 7 http devs 4096 Aug 13 2023 notesdlg.git
drwxr-xr-x 7 http david 4096 Aug 13 2023 objstate.git
drwxr-xr-x 7 http devs 4096 Nov 13 2023 pgauth.git
drwxr-xr-x 7 david david 4096 Jun 16 19:14 pico.git
drwxr-xr-x 7 http david 4096 Aug 13 2023 vect_t.git
Prior to this dubious ownership issue, everything was owned by david:david,
other than notesdlg.git and pgauth.git, which were david:devs with other
developers made members of the devs group.
After 2.45.1 update, those with read-only access over https could not pull
updates anymore. I didn't notice right away because I pull everything over ssh.
I do have other machines where I pull https copies of repos, and that too
broke after 2.45.1.
I read the error from the server log and then attempted to add the
suggested config to ~/.gitconfig, e.g.:
[safe]
    directory = /srv/git/embedded.git
That failed. I then scoured the internet and many posts said use * for all
instead of individual directory names, e.g.
[safe]
    directory = *
Same error.
I then changed ownership over everything in /srv/git to http:http and https
started working again! But ... when I tried to push over ssh it failed, e.g.
19:14 wizard:~/dev/arm/pico> git push
Enumerating objects: 7, done.
Counting objects: 100% (7/7), done.
Delta compression using up to 4 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 1.01 KiB | 1.01 MiB/s, done.
Total 5 (delta 2), reused 0 (delta 0), pack-reused 0
remote: error: cannot lock ref 'HEAD': Unable to create
'/srv/git/pico.git/./HEAD.lock': Permission denied
To valkyrie:/srv/git/pico.git
! [remote rejected] master -> master (failed to update ref)
error: failed to push some refs to 'valkyrie:/srv/git/pico.git'
I have tried every combination of ownership, e.g. david:david, david:http,
http:david and the bottom line is:
- https won't work unless http owns the repository (http:dontcare), and
- ssh won't work unless the user owns the repository (david:dontcare)
Somehow I need a configuration that allows both ssh and https to work
together. My apache config is set up per the scm-git.com book, adapted to use my
server auth:
## git directory for https access
SetEnv GIT_PROJECT_ROOT /srv/git
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
ScriptAlias /git /usr/lib/git-core/git-http-backend/
<Directory /usr/lib/git-core>
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>
<Files "git-http-backend">
    # authentication
    AuthType Basic
    AuthName "Skyline_Restricted"
    AuthBasicProvider dbm
    AuthDBMType DB
    AuthDBMUserFile /usr/local/lib/apache2/dcraccess
    Require expr !(%{QUERY_STRING} -strmatch '*service=git-receive-pack*' ||
                   %{REQUEST_URI} =~ m#/git-receive-pack$#)
    Require valid-user
</Files>
This has always worked great. It's just the side effect of the latest
dubious ownership security changes that have killed it.
Hopefully this is just a temporary regression in the CVE fixes? Let me know
if you need any more information. I'm happy to provide it.
--
David C. Rankin, J.D.,P.E.
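The trust decision Junio describes above, as an added example that is not part of this thread and not git's own code: a small POSIX shell model of the two checks git performs when a service account (for Apache's git-http-backend, the http user) opens a repository it does not own. The check is whether the directory's owner is the invoking user, and failing that whether the invoking user's own config lists the path under [safe] directory; the repository owner's ~/.gitconfig never enters into it. The scratch tree, the file named http-gitconfig standing in for the http user's ~/.gitconfig, and the repository paths are constructed for the demo; only the literal `*` and an exact path match are modelled.

```shell
#!/bin/sh
# Added example (not from the thread, not git's own implementation): models
# the decision git makes when a user opens a repository it does not own.
#   1. is the repository directory owned by the invoking user?
#   2. if not, does THAT user's own config list it under [safe] directory?
# Paths and config contents below are constructed for illustration.

# repo_owner_uid DIR -> numeric uid owning DIR (ls -ldn is POSIX; stat is not)
repo_owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# safe_directories CONFIG_FILE -> prints every "directory = VALUE" under
# [safe]; a minimal gitconfig parser that understands only this section.
safe_directories() {
    awk '
        /^[ \t]*\[/ { in_safe = ($0 ~ /^[ \t]*\[safe\]/); next }
        in_safe && /^[ \t]*directory[ \t]*=/ {
            sub(/^[ \t]*directory[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            print
        }
    ' "$1"
}

# is_trusted CONFIG_FILE REPO_DIR -> 0 when CONFIG_FILE trusts REPO_DIR.
# Two matches are modelled: the literal "*" (trust everything) and an entry
# equal to the repository path. A missing config file trusts nothing.
is_trusted() {
    [ -r "$1" ] || return 1
    safe_directories "$1" | awk -v repo="$2" '
        $0 == "*" || $0 == repo { found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# can_open REPO_DIR CONFIG_FILE -> 0 when the *current* user would be allowed
# to open REPO_DIR: it owns the directory, or CONFIG_FILE (this user's own
# global config) trusts it.
can_open() {
    [ "$(repo_owner_uid "$1")" = "$(id -u)" ] && return 0
    is_trusted "$2" "$1"
}

# audit ROOT CONFIG_FILE -> one line per bare repository under ROOT showing
# its owner uid, whether CONFIG_FILE lists it, and the verdict for the
# current user.
audit() {
    for repo in "$1"/*.git; do
        [ -d "$repo" ] || continue
        if is_trusted "$2" "$repo"; then listed=yes; else listed=no; fi
        if can_open "$repo" "$2"; then verdict=ok; else verdict=DUBIOUS; fi
        printf '%-7s owner_uid=%-6s listed=%-3s %s\n' \
            "$verdict" "$(repo_owner_uid "$repo")" "$listed" "$repo"
    done
}

# Demo on constructed data: a scratch tree standing in for /srv/git and a
# scratch file standing in for the http user's ~/.gitconfig.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/embedded.git" "$tmp/pico.git"
    printf '[safe]\n\tdirectory = %s\n' "$tmp/embedded.git" > "$tmp/http-gitconfig"
    audit "$tmp" "$tmp/http-gitconfig"
    rm -rf "$tmp"
}

demo
```

In the demo both repositories are owned by whoever runs the script, so both come out `ok`; the `listed` column is what changes when the config is edited, and it is the column that matters once the repositories are owned by someone else. The real-world counterpart of editing the scratch file is adding the entry to the global config of the account that actually runs git, for example with `git config --global --add safe.directory /srv/git/embedded.git` executed as the http user, not as the repository's owner.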