Re: git-http-backend: anonymous read, authenticated write

git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Jeff King <peff@peff.net>
To: Magnus Therning <magnus@therning.org>
Cc: git@vger.kernel.org
Subject: Re: git-http-backend: anonymous read, authenticated write
Date: Tue, 9 Apr 2013 13:12:47 -0400	[thread overview]
Message-ID: <20130409171247.GD21972@sigill.intra.peff.net> (raw)
In-Reply-To: <20130409054553.GA1537@mteis.lan>

On Tue, Apr 09, 2013 at 07:45:53AM +0200, Magnus Therning wrote:

> I've been trying to set up git-http-backend+lighttpd.  I've managed to
> set up anonymous read-only access, and I then successfully configured
> authentication for both read and write.  Then I get stuck.  The
> man-page for git-http-backend says that the following snippet can be
> used for Apache 2.x:
> 
>     <LocationMatch "^/git/.*/git-receive-pack$">
>         AuthType Basic
>         AuthName "Git Access"
>         Require group committers
>         ...
>     </LocationMatch>
> 
> However, when I put in this match on location in my lighty config and
> try to push I'm not asked for a password, instead I'm greeted with
> 
>     % git push 
>     error: The requested URL returned error: 403 Forbidden while accessing http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack

Something in your config is blocking access to info/refs there. It
should not be the block shown above, which handles only the actual POST
of the data. The sequence of http requests made is:

  1. GET $repo/info/refs?service=git-receive-pack

     This makes initial contact and gets the ref information which push
     uses to decide what it is going to push. So it is read-only, and in
     an anonymous-read setup, does not need to be protected.

  2. POST $repo/git-receive-pack

     This actually pushes up the objects and updates the refs, and
     must be protected.

The setup listed above does work with apache; it is tested as part of
our test suite (you can see the actual config in t/lib-httpd/apache.conf).
So what in lighttpd is giving us the 403? Can you share your whole
config?

> AFAICS this means the man-page is wrong, and that I instead ought to
> match on the "service=git-receive-pack" part.  Is that a correct
> conclusion?

No. It is not a bad idea to _also_ match on info/refs, but I think it's
a little trickier (you need to reliably match the query string to
differentiate it from a fetch, which IIRC is a little hard in apache, at
least).

But if you drop the protections on "/git-receive-pack$", then an
attacker can just POST whatever they want into your repository.

-Peff

next prev parent reply	other threads:[~2013-04-09 17:13 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-04-09  5:45 git-http-backend: anonymous read, authenticated write Magnus Therning
2013-04-09 12:24 ` Jakub Narębski
2013-04-10 20:53   ` Magnus Therning
2013-04-09 17:12 ` Jeff King [this message]
2013-04-10 20:45   ` Magnus Therning
2013-04-10 21:53     ` Jeff King
2013-04-10 21:30   ` Jakub Narębski
2013-04-10 21:47     ` Jeff King
2013-04-10 23:19       ` Magnus Therning
2013-04-11  1:56         ` Jeff King
2013-04-11  3:30           ` [PATCH 0/2] http-backend documentation examples Jeff King
2013-04-11  3:32             ` [PATCH 1/2] doc/http-backend: clarify "half-auth" repo configuration Jeff King
2013-04-11  6:57               ` Magnus Therning
2013-04-11  3:36             ` [PATCH 2/2] doc/http-backend: give some lighttpd config examples Jeff King
2013-04-11 16:47               ` Jakub Narębski
2013-04-11 17:02                 ` Jeff King
2013-04-11 18:27                   ` Jakub Narębski
2013-04-13  3:33                   ` [PATCH 3/2] doc/http-backend: match query-string in apache half-auth example Jeff King
2013-04-13  8:52                     ` Jakub Narębski
2013-04-11  6:52           ` git-http-backend: anonymous read, authenticated write Magnus Therning
2013-04-11 19:34             ` Jeff King
2013-04-12  7:22               ` Magnus Therning
2013-04-11 16:43           ` Jakub Narębski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130409171247.GD21972@sigill.intra.peff.net \
    --to=peff@peff.net \
    --cc=git@vger.kernel.org \
    --cc=magnus@therning.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).