On Tue, Apr 09, 2013 at 01:12:47PM -0400, Jeff King wrote:
> On Tue, Apr 09, 2013 at 07:45:53AM +0200, Magnus Therning wrote:
>> I've been trying to set up git-http-backend+lighttpd.  I've managed
>> to set up anonymous read-only access, and I then successfully
>> configured authentication for both read and write.  Then I get
>> stuck.  The man-page for git-http-backend says that the following
>> snippet can be used for Apache 2.x:
>>     <LocationMatch "^/git/.*/git-receive-pack$">
>>         AuthType Basic
>>         AuthName "Git Access"
>>         Require group committers
>>         ...
>>     </LocationMatch>
>> However, when I put in this match on location in my lighty config
>> and try to push I'm not asked for a password, instead I'm greeted
>> with
>>     % git push 
>>     error: The requested URL returned error: 403 Forbidden while accessing 
>> http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack
> Something in your config is blocking access to info/refs there. It
> should not be the block shown above, which handles only the actual POST
> of the data. The sequence of http requests made is:
>   1. GET $repo/info/refs?service=git-receive-pack
>      This makes initial contact and gets the ref information which push
>      uses to decide what it is going to push. So it is read-only, and in
>      an anonymous-read setup, does not need to be protected.
>   2. POST $repo/git-receive-pack
>      This actually pushes up the objects and updates the refs, and
>      must be protected.
> The setup listed above does work with apache; it is tested as part of
> our test suite (you can see the actual config in t/lib-httpd/apache.conf).
> So what in lighttpd is giving us the 403? Can you share your whole
> config?

I was putting together a *long* response, with my different
configurations when it suddenly hit me how to make it work.

So, this is the accesslog for a successful `git push`: tracsrv.local - [10/Apr/2013:22:24:59 +0200] "GET 
/git/foo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 351 "-" 
"git/" tracsrv.local - [10/Apr/2013:22:24:59 +0200] "GET 
/git/foo.git/info/refs?service=git-receive-pack HTTP/1.1" 401 351 "-" 
"git/" tracsrv.local magnus [10/Apr/2013:22:25:04 +0200] "GET 
/git/foo.git/info/refs?service=git-receive-pack HTTP/1.1" 200 202 "-" 
"git/" tracsrv.local magnus [10/Apr/2013:22:25:09 +0200] "POST 
/git/foo.git/git-receive-pack HTTP/1.1" 200 73 "-" "git/"

That is, *both* the GET and POST queries require a valid username
(trying to push without a valid user will fail with a 403 already on
the GET query).  Maybe Apache 2.x simply behaves *very* differently
from lighttpd, but I still can't see how a rule to require a valid
user only on the POST can ever work.

>> AFAICS this means the man-page is wrong, and that I instead ought
>> to match on the "service=git-receive-pack" part.  Is that a correct
>> conclusion?
> No. It is not a bad idea to _also_ match on info/refs, but I think
> it's a little trickier (you need to reliably match the query string
> to differentiate it from a fetch, which IIRC is a little hard in
> apache, at least).

This is what triggered me to find a working config.  Matching on the
query string is actually *very* easy in lighttpd.  Here's the relevant
bit of a working configuration[1]:

    alias.url += ( "/git" => "/usr/lib/git-core/git-http-backend" )
    $HTTP["querystring"] =~ "service=git-receive-pack" {
        $HTTP["url"] =~ "^/git" {
            cgi.assign = ( "" => "" )
            setenv.add-environment = (
                "GIT_PROJECT_ROOT" => "/srv/git",
                "GIT_HTTP_EXPORT_ALL" => ""
            include "trac-git-auth.conf"
    } else $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
        cgi.assign = ( "" => "" )
        setenv.add-environment = (
            "GIT_PROJECT_ROOT" => "/srv/git",
            "GIT_HTTP_EXPORT_ALL" => ""
        include "trac-git-auth.conf"
    } else $HTTP["url"] =~ "^/git" {
        cgi.assign = ( "" => "" )
        setenv.add-environment = (
            "GIT_PROJECT_ROOT" => "/srv/git",
            "GIT_HTTP_EXPORT_ALL" => ""

> But if you drop the protections on "/git-receive-pack$", then an
> attacker can just POST whatever they want into your repository.

This setup is for a server on the internal network, but still, your
comment holds.  The reason for wanting to allow reading without
authentication is that then I can signal a CI server to pull without
having to give it credentials.


[1]: The configuration for the authentication looks like this at the
moment, but it's only for testing:

    auth.backend = "plain"
    auth.backend.plain.userfile = "/srv/git/pwds.plain"
    auth.require = (
        "/" => (
            "method" => "basic",
            "realm" => "git",
            "require" => "valid-user"
Magnus Therning                      OpenPGP: 0xAB4DFBA4 
email: mag...@therning.org   jabber: mag...@therning.org
twitter: magthe               http://therning.org/magnus

Most software today is very much like an Egyptian pyramid with
millions of bricks piled on top of each other, with no structural
integrity, but just done by brute force and thousands of slaves.
     -- Alan Kay

Attachment: pgpu4SW0yjzL8.pgp
Description: PGP signature

Reply via email to