Re: Local git server can't serve https until repos owned by http, can't serve ssh unless repos owned by user after 2.45.1

["David C. Rankin" <drankinatty@gmail.com>]

On 6/17/24 13:47, Junio C Hamano wrote:
> "David C. Rankin" <drankinatty@gmail.com> writes:
> 
>>    Security enhancement in 2.45.1 have broken ability to serve git over
>>    https and ssh from local git server running Apache. (web server runs
>>    as http:http on Archlinux)
>>
>>    The fix of adding the following to gitconfig (system-wide and
>>    per-user in ~/.gitconfig) does not solve the problem:
>>
>> [safe]
>> 	directory = *
> 
> It is not clear what you exactly meant "per-user" above, so just to
> make sure.  Is this set in the global configuration file for the
> httpd (or whoever Apache runs as) user?
> 
> The purpose of "dubious ownershop" thing is to protect the user who
> runs Git from random repositories' with potentially malicious hooks
> and configuration files, so the user being protected (in this case,
> whoever Apache runs as) needs to declare "I trust these
> repositories" in its ~/.gitconfig file.  What individual owners of
> /srv/my-repo.git/ project has in their ~/.gitconfig file does not
> matter when deciding if Apache trusts these repositories.
> 
> 

   I apologize for being unclear. The directory on the server (valkyrie) that 
hosts the repositories has the current ownerships:

19:53 valkyrie:/srv/git> l
total 60
drwxr-xr-x 15 http  http  4096 Feb 13 02:37 .
drwxr-xr-x  6 root  root  4096 Jan  4  2017 ..
drwxr-xr-x  7 http  david 4096 Feb  1 06:54 arm.git
drwxr-xr-x  7 david david 4096 Nov 13  2023 c_datastructs.git
drwxr-xr-x  7 david david 4096 Jun 15 02:42 embedded.git
drwxr-xr-x  7 http  http  4096 Jan 26 01:34 examples.git
drwxr-xr-x  7 http  david 4096 Aug 13  2023 gtkedit.git
drwxr-xr-x  7 http  david 4096 Aug 13  2023 gtkeditphmirror.git
drwxr-xr-x  7 http  david 4096 Aug 13  2023 gtkwritemirror.git
drwxr-xr-x  7 http  david 4096 Aug 13  2023 mtrxsolv.git
drwxr-xr-x  7 http  devs  4096 Aug 13  2023 notesdlg.git
drwxr-xr-x  7 http  david 4096 Aug 13  2023 objstate.git
drwxr-xr-x  7 http  devs  4096 Nov 13  2023 pgauth.git
drwxr-xr-x  7 david david 4096 Jun 16 19:14 pico.git
drwxr-xr-x  7 http  david 4096 Aug 13  2023 vect_t.git

   Prior to this dubious ownership issue, everything was owned by david:david, 
other than notesdg.git and pgauth.git which were david:devs with other 
developers made members of the devs group.

   After 2.45.1 update, those with read-only access over https could not pull 
updates anymore. I didn't notice right away because I pull everything over ssh.

   I do have other machines where I pull https copies of repos, and that too 
broke after 2.45.1.

   I read the error from the server log and then attempted to add the 
suggested config to ~/.gitconfig, e.g.:

[safe]
	directory = /srv/git/embedded.git

   That failed. I then scoured the internet and many posts said use * for all 
instead of individual directory names, e.g.

[safe]
	directory = *

   Same error.

   I then changed ownership over everything in /srv/git to http:http and https 
started working again! But ... when I tried to push over ssh it failed, e.g.

19:14 wizard:~/dev/arm/pico> git push
Enumerating objects: 7, done.
Counting objects: 100% (7/7), done.
Delta compression using up to 4 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 1.01 KiB | 1.01 MiB/s, done.
Total 5 (delta 2), reused 0 (delta 0), pack-reused 0
remote: error: cannot lock ref 'HEAD': Unable to create 
'/srv/git/pico.git/./HEAD.lock': Permission denied
To valkyrie:/srv/git/pico.git
  ! [remote rejected] master -> master (failed to update ref)
error: failed to push some refs to 'valkyrie:/srv/git/pico.git'

   I have tried every combination of ownership, e.g. david:david, david:http, 
http:david and the bottom line is:

   - https won't work unless http owns the repository (http:dontcare), and
   - ssh won't work unless the user owns the repository (david:dontcare)

   Somehow I need a configuration that allows both ssh and https to work 
together. My apache config is setup per the scm-git.com book adapted to use my 
server auth:

## git directory for https access

SetEnv GIT_PROJECT_ROOT /srv/git
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
ScriptAlias /git /usr/lib/git-core/git-http-backend/

<Directory /usr/lib/git-core>
   Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
   AllowOverride None
   Require all granted
</Directory>

<Files "git-http-backend">
   # authentication
   AuthType Basic
   AuthName "Skyline_Restricted"
   AuthBasicProvider dbm
   AuthDBMType DB
   AuthDBMUserFile /usr/local/lib/apache2/dcraccess
   Require expr !(%{QUERY_STRING} -strmatch '*service=git-receive-pack*' || 
%{REQUEST_URI} =~ m#/git-receive-pack$#)
   Require valid-user
</Files>

   This has always worked great. It's just the side effect of the latest 
dubious ownership security changes that have killed it.

   Hopefully this is just a temporary regression in the CVE fixes? Let me know 
if you need any more information. I'm happy to provide it.


-- 
David C. Rankin, J.D.,P.E.