Re: git-daemon whitelist issue

[Andreas Ericsson <ae@op5.se>]

Jose Luis Rivas Contreras wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> [Please CC me, I'm not subscribed]
> 
> Hi, I know this will be a dummy question but I cannot find how to solve
> this trying in several ways but none of them work. The issue is that
> when I try to clone I get:
> 
> May 24 09:25:39 jooga git-daemon: [14724]
> '/home/repo/git/xscreensaver.git': not in whitelist
> 
> My git-daemon conf is this:
> 8< -----
> service git
> {
>         disable         = no
>         type            = UNLISTED
>         socket_type     = stream
>         protocol        = tcp
>         user            = nobody
>         wait            = no
>         server          = /usr/bin/git-daemon
>         server_args     = --inetd --export-all
> }
> 8< -----
> 
> I've tried with `--inetd --export-all /home/repo/git', `--inetd
> - --export-all --base-path=/home/repo/git /home/repo/git', with
> interpolated to with a symlink but nothing works, I'm trying with:
> 

Specifying a symlinked path won't work. git-daemon (being of the
one-shot-fork school of programs) simply does a chdir() to the
requested directory and then getcwd(), which will never consider
symlinks. This is a security feature, since directory recursion
attacks will never ever work.

> git clone git://repo.ghostbar.ath.cx/home/repo/git/xscreensaver.git noseless
> 

When you specify base-path, you tell git-daemon to prepend the
base-path to the directory the user requests.

Start git-daemon like this:

git-daemon --base-path=/home/repo/git --export-all

then do

git clone git://repo.ghostbar.ath.cx/xscreensaver.git

and it should work, assuming /home/repo/git/xscreensaver.git
has no symlinks in it.

-- 
Andreas Ericsson                   andreas.ericsson@op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231