From: Jeff King <peff@peff.net>
To: Magnus Therning <magnus@therning.org>
Cc: "Jakub Narębski" <jnareb@gmail.com>, git@vger.kernel.org
Subject: Re: git-http-backend: anonymous read, authenticated write
Date: Wed, 10 Apr 2013 21:56:13 -0400
Message-ID: <20130411015613.GA8455@sigill.intra.peff.net>
In-Reply-To: <20130410231919.GA1315@mteis.lan>

On Thu, Apr 11, 2013 at 01:19:19AM +0200, Magnus Therning wrote:

> Nope. I'm pretty sure this had *nothing* to do with my config. This
> is the original config, which doesn't work:
>
> $HTTP["url"] =~ "^/git" {
>     cgi.assign = ( "" => "" )
>     setenv.add-environment = (
>         "GIT_PROJECT_ROOT" => "/srv/git",
>         "GIT_HTTP_EXPORT_ALL" => ""
>     )
>     $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
>         include "trac-git-auth.conf"
>     }
> }

Ah, I think I see what it is.

Did you turn on http.receivepack in the git config to enable pushing?
From "git help http-backend":

    By default, only the upload-pack service is enabled, which serves git
    fetch-pack and git ls-remote clients, which are invoked from git
    fetch, git pull, and git clone. If the client is authenticated, the
    receive-pack service is enabled, which serves git send-pack clients,
    which is invoked from git push.

    [...]

    http.receivepack
        This serves git send-pack clients, allowing push. It is disabled
        by default for anonymous users, and enabled by default for users
        authenticated by the web server. It can be disabled by setting
        this item to false, or enabled for all users, including anonymous
        users, by setting it to true.

If there is no authentication happening for the initial service-request,
then the default http.receivepack kicks in, which is to turn pushing
off (because there is no authenticated user).

When you do this:

> $HTTP["querystring"] =~ "service=git-receive-pack" {
>     $HTTP["url"] =~ "^/git" {
>         cgi.assign = ( "" => "" )
>         setenv.add-environment = (
>             "GIT_PROJECT_ROOT" => "/srv/git",
>             "GIT_HTTP_EXPORT_ALL" => ""
>         )
>         include "trac-git-auth.conf"
>     }

Then you are asking for authentication earlier (on the first request),
and the default behavior is to allow the push.

The documentation should probably make the use of http.receivepack more
clear in this situation.

> > However, even before the fix, it never got a 403 on the GET of
> > info/refs. It got a 401 on the later POST, but didn't prompt for
> > credentials.
>
> I know nothing about CGI, but surely the script signals the need for a
> valid user to the server somehow, couldn't the web server then decide
> to return 403 rather than 401 *if there's no configuration for
> authentication*?

I think that series is a red herring. It did not affect the server-side
at all, but was a fix for the _client_ to handle the 401 it should
receive in that situation. But your server was generating a 403, for
different reasons.

So _if_ you fixed it by setting http.receivepack (which I think is the
simplest thing under Apache, since matching the query string there is
hard), then you would need a version of git with that fix on the
client side to actually have git prompt for the password correctly.

But your fix under lighttpd is much better, as it asks for the
credentials up front (which means the client does not go to any work
creating a packfile just to find out that it does not have access).

-Peff
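
Added example, not part of the original message and not git's or lighttpd's code: a small Python model of the behaviour discussed above, replaying the two requests of a push against the original and the query-string configuration. The rule lists, the repository path and the user name "alice" are assumptions made for the illustration.

```python
import re

# Simplified model of the behaviour described in this thread; not git's or
# lighttpd's code. A request matching any rule must carry credentials
# (assumed to be what the included auth file enforces).
ORIGINAL = [("path", r"^/git/.*/git-receive-pack$")]
FIXED = ORIGINAL + [("query", r"service=git-receive-pack")]

def needs_auth(rules, path, query):
    req = {"path": path, "query": query}
    return any(re.search(rx, req[part]) for part, rx in rules)

def service_enabled(service, remote_user, receivepack=None):
    # Defaults quoted from "git help http-backend" in the message.
    if service != "git-receive-pack":
        return True              # upload-pack: enabled by default
    if receivepack is not None:
        return receivepack       # explicit http.receivepack setting
    return bool(remote_user)     # unset: only for an authenticated user

def respond(rules, path, query, creds, receivepack=None):
    """HTTP status the client sees for one request."""
    protected = needs_auth(rules, path, query)
    if protected and not creds:
        return 401               # web server challenges before the CGI runs
    remote_user = creds if protected else None
    service = query.split("service=")[-1] if query else path.rsplit("/", 1)[-1]
    return 200 if service_enabled(service, remote_user, receivepack) else 403

def push(rules, receivepack=None, user="alice"):
    """Replay a push's two requests; the client (assumed to handle 401)
    retries once with credentials and keeps sending them afterwards."""
    steps = [("/git/repo.git/info/refs", "service=git-receive-pack"),
             ("/git/repo.git/git-receive-pack", "")]
    creds, trace = None, []
    for path, query in steps:
        status = respond(rules, path, query, creds, receivepack)
        trace.append(status)
        if status == 401:
            creds = user
            status = respond(rules, path, query, creds, receivepack)
            trace.append(status)
        if status != 200:
            break
    return trace
```

push(ORIGINAL) stops at the first request with a 403, push(FIXED) is challenged up front and then succeeds, and push(ORIGINAL, receivepack=True) only sees the 401 on the later POST.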