avoiding anonymous commits from root/shared accounts

avoiding anonymous commits from root/shared accounts

[Nick]

Hi,

I have a question about what is probably an unusual use-case, where git is being
used from the root account, or an account shared by various committers.


I'm setting up a shared git repository, currently accessed via plain ssh to the
server in question. The code has been inherited, and is migrated from CVS.

The code is a sysadmin tool designed to set up a new server and keep its
configuration synchronised to one of several templates thereafter. Typically, it
is checked out in /root on a freshly installed server, and "make all" is run as
root to configure the services, set up user accounts, etc.

>From then on you pull updates from the repository, run "make all", and the
machine is reconfigured, services restarted, etc. as necessary.

The problem is maintenance of this code.  In the past, fixes might be made on
any server, then pushed back into the repository to be replicated everywhere.
There are several users, each of whom might commit changes to this tool.  When
it was in CVS, a common account was used to allow commits from anyone and
anywhere - and as a result nothing can be attributed to anyone.



I want to avoid these anonymous commits from now on.  The trouble is, I'm not
sure the best way to, as there is no guarantee any accounts but root will exist,
and if they do, some of these are shared accounts various people can log in as.
(This may or may not be advisable, but for now that's the way it works)

I also don't want to make it easy for the maintainers to do the right thing,
they will already be re-adjusting to git.  For that reason, just mandating that
everyone sets $GIT_AUTHOR_NAME etc. manually on log-in isn't very satisfactory.

The best idea I've come across seems to be some sort of wrapper for git, which
if no $GIT_USER_* is defined, can use $SUDO_USER and/or `who am i` to identify
the original log-in account, and sets $GIT_AUTHOR_NAME etc. - else if it can't
do this, it refuses to commit.  Or perhaps it would be a script which spawns a
shell with the right environment to invoke git commands from, after successfully
determining the identity.


But before I investigate this avenue any further, I wonder is there any prior
art addressing this sort of situation, using git?

Thanks

Nick

Re: avoiding anonymous commits from root/shared accounts

[Alex Vandiver]

At Mon May 10 13:05:17 -0400 2010, Nick wrote:
> [snip]
> The best idea I've come across seems to be some sort of wrapper for git, which
> if no $GIT_USER_* is defined, can use $SUDO_USER and/or `who am i` to identify
> the original log-in account, and sets $GIT_AUTHOR_NAME etc. - else if it can't
> do this, it refuses to commit.  Or perhaps it would be a script which spawns a
> shell with the right environment to invoke git commands from, after successfully
> determining the identity.

At work, we have a number of repositories which we store server
configurations in, most of which are only writable as root.  We use
the script below to ensure that git mostly doesn't lie about the
authors of commits.  This won't solve your problem of people logging
in under shared credentials -- and it also _does_ allow commits as
'root' if you logged in directly as root -- but it's perhaps a partial
solution for you.

 - Alex

-------------------->8--------------------
#!/usr/bin/perl

use strict;
use warnings;
use constant EMAIL_DOMAIN => "example.com";

setenv( get_user($$) );
exec("/usr/bin/git", @ARGV);

sub setenv {
    my $user = shift;

    # If they're _really_ _really_ root, just bail now
    return if $user eq "root";

    # Ditto if we can't find the user (?!)
    my @getpw = getpwnam($user);
    return unless @getpw;

    my $name;
    my $email;

    # See if we can pull from the user's config
    my $gitconfig = "$getpw[7]/.gitconfig";
    if (-r $gitconfig) {
        $name  = `/usr/bin/git config --file $gitconfig user.name`;
        chomp $name;
        $email = `/usr/bin/git config --file $gitconfig user.email`;
        chomp $email;
    }

    # Fall back to getent
    $name  ||= $getpw[6] || $user;
    $email ||= $user . '@' . EMAIL_DOMAIN;

    $ENV{GIT_AUTHOR_NAME} = $name;
    $ENV{GIT_AUTHOR_EMAIL} = $email;
}

sub get_user {
    my $pid = shift;

    # See if the PID is bogus
    return "root" unless $pid and kill 0, $pid;

    # Pull out the env from it
    my %env = getenv($pid);

    # Simplest case -- check USER first
    if ($env{USER} and $env{USER} ne "root") {
        return $env{USER};
    }

    # Or we're running under sudo
    if ($env{SUDO_USER} and $env{SUDO_USER} ne "root") {
        return $env{SUDO_USER};
    }

    # They did something like `sudo su -`
    return get_user(parent_pid($pid));
}

sub getenv {
    my $pid = shift;
    my $env = do {local @ARGV = ("/proc/$pid/environ"); local $/; <>};
    my @lines = split /\0/, $env;
    return () unless grep {/=/} @lines;
    my %env = map {split /=/, $_, 2} @lines;
    return %env;
}

sub parent_pid {
    my $pid = shift;
    my $stat = do {local @ARGV = ("/proc/$pid/stat"); local $/; <>};
    my (undef, undef, undef, $ppid) = split ' ', $stat;
    return $ppid;
}
-- 
Networking -- only one letter away from not working