Conversation
anna (navi@social.vlhl.dev)'s status on Thursday, 03-Oct-2024 00:37:30 JST:
so uh, git now complains that www-data (nginx) is trying to serve a repo in /var/git (which is owned by the user git)
how do i even fix this-
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 00:37:19 JST:
@navi Add nginx to the git group, users don't have only one group.
anna (navi@social.vlhl.dev)'s status on Thursday, 03-Oct-2024 00:37:24 JST:
the repos need to stay under git:git so that ssh git@vlhl.dev works
nginx runs as www-data:www-data because it obviously shouldn't run as root
so i can't just set{u,g}id to git:git
how is git-http-backend supposed to work with this shit???
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 00:41:23 JST:
@navi Isn't that when you want the group to have write access?
anna (navi@social.vlhl.dev)'s status on Thursday, 03-Oct-2024 00:41:27 JST:
@lanodan it doesn't work unless i init the repos with --shared, which was the part i didn't know about because none but one random guide mentioned it
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 00:44:42 JST:
@navi Did you put the appropriate GIT_PROJECT_ROOT and have GIT_HTTP_EXPORT_ALL="" for your fcgi variables?
Like in my nginx config I have this:

    # git-http-backend isn't fastcgi so fcgiwrap is needed
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/var/run/fcgiwrap/sock;
    fastcgi_split_path_info ^(/git)(.*);
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
    fastcgi_param GIT_PROJECT_ROOT /git;
    fastcgi_param GIT_HTTP_EXPORT_ALL "";
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 00:56:48 JST:
@navi Huh… that's interesting, you're sure fcgiwrap is running as www-data and not something stupid like root?
anna (navi@social.vlhl.dev)'s status on Thursday, 03-Oct-2024 00:56:53 JST:

    $ groups www-data
    www-data : www-data git
    $ ls -ld /var/git/navi/enomicon.git
    drwxr-xr-x 7 git git 4096 Oct 2 15:43 /var/git/navi/enomicon.git/

(which, group read access shouldn't matter since the repo is world-readable)

nginx:

    location ~ /.+/(info/refs|git-upload-pack) {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param GIT_HTTP_EXPORT_ALL 1;
        fastcgi_param GIT_PROJECT_ROOT /var/git;
        fastcgi_param HOME /var/git;
        fastcgi_pass unix:/run/fcgiwrap.socket;
    }

on the client:

    $ git clone --depth 1 https://git.vlhl.dev/navi/enomicon.git
    Cloning into 'enomicon'...
    fatal: unable to access 'https://git.vlhl.dev/navi/enomicon.git/': The requested URL returned error: 500

on the server:

    $ tail /var/log/nginx/error.log
    2024/10/02 15:48:09 [error] 1431006#1431006: *1824 FastCGI sent in stderr: "fatal: detected dubious ownership in repository at '/var/git/navi/enomicon.git' To add an exception for this directory, call: git config --global --add safe.directory /var/git/navi/enomicon.git" while reading response header from upstream, client: 37.135.86.107, server: git.vlhl.dev, request: "GET /navi/enomicon.git/info/refs?service=git-upload-pack HTTP/2.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host: "git.vlhl.dev"
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 01:00:56 JST:
@navi I guess the remaining one would be checking that the content of the git repo is owned by a single user and not different ones.
anna (navi@social.vlhl.dev)'s status on Thursday, 03-Oct-2024 01:00:58 JST:

    $ ps aux | grep fcgi
    www-data 1210 0.3 0.0 6000 1896 ? Ss Sep25 39:48 /usr/sbin/fcgiwrap -f

yeap
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 01:12:14 JST:
@navi Or just patch the damn thing because I'm kind of uncomfortable with git-http-backend having write access.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 01:12:15 JST:
@navi I guess I'll run a specific fcgiwrap as urgh anongit for said mirror and hope it'll always be a mirror.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 01:12:16 JST:
@navi Dang it, checked my mirror and yeah it might be doing this crap since a few versions.
anna (navi@social.vlhl.dev)'s status on Thursday, 03-Oct-2024 01:12:18 JST:
@lanodan it's all git:git, i just made it
and it’s not only that repo, every repo in https://git.vlhl.dev/ doesn’t work
git is legit going if (uid != repo_uid) abort();, and i kinda don’t wanna believe that the only solution is adding every repo to /etc/gitconfig bc that would not only be stupid, but means i’d need root access to create repos
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 01:31:03 JST:
@navi Yeah but not the best thing ever, like it makes sense to check ownership due to things like hooks.
But for git-http-backend it doesn't.
anna (navi@social.vlhl.dev)'s status on Thursday, 03-Oct-2024 01:31:09 JST:
@lanodan (also directory = /var/git/* doesn't work, only * does)
anna (navi@social.vlhl.dev)'s status on Thursday, 03-Oct-2024 01:31:15 JST:

    $ cat <<-EOF >> /etc/gitconfig
    [safe]
    	directory = *
    EOF

this makes it work again by basically saying "i don't care about dubious ownership"
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 01:34:46 JST:
@navi Aaah, that's why it works on my main:

    $ cat /var/lib/nginx/.gitconfig
    [safe]
    	directory = *

Well good enough.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 03-Oct-2024 01:36:45 JST:
@navi IIRC for clones there can be issues with hardlinks, at least I've seen a git CVE pass related to git clones of different users.
anna (navi@social.vlhl.dev)'s status on Thursday, 03-Oct-2024 01:36:49 JST:
@lanodan also, hooks don't run/copy over on git clone, does it really make sense to check ownership on clone? i understand actions like push/commit/etc that do run hooks, but clone specifically doesn't afaik
anna (navi@social.vlhl.dev)'s status on Thursday, 03-Oct-2024 01:36:55 JST:
@lanodan the http backend should be exempt of it
but afaik git has no flag to say "safe just this once" that the backend could use
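A tighter way to grant the exception than the host-wide /etc/gitconfig entry the thread ends on, as an added example that is neither anna's nor Haelwenn's config: scope safe.directory to the git-http-backend process through the GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n environment variables, which git treats as command-scope (protected) configuration. It reuses the paths from anna's location block and assumes fcgiwrap exporting fastcgi params into the CGI environment and a git recent enough (2.38 or later) to honour safe.directory from command-scope config.

```nginx
# Added example, not from the thread. Read-only git-http-backend behind fcgiwrap,
# with the "dubious ownership" exception limited to this one CGI process.
#
# Weak setting from the thread, applied to every git invocation on the host:
#   /etc/gitconfig:
#     [safe]
#         directory = *
#
# Tighter: only the backend (and the git upload-pack it spawns, which inherits
# the environment) gets the exception; nothing else on the box is affected.
location ~ /.+/(info/refs|git-upload-pack) {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
    fastcgi_param PATH_INFO $uri;
    fastcgi_param GIT_PROJECT_ROOT /var/git;
    fastcgi_param GIT_HTTP_EXPORT_ALL 1;
    # HOME=/var/git also makes /var/git/.gitconfig the global config for this
    # process, so a [safe] entry there (writable by the git user, no root needed)
    # is the other option that stays out of /etc/gitconfig.
    fastcgi_param HOME /var/git;

    # Command-scope config: equivalent to `git -c safe.directory=*` for this
    # process only. "*" trusts every repository reachable under GIT_PROJECT_ROOT;
    # on git 2.46 or later it can be narrowed to /var/git/* (trailing /* is a
    # leading-path match there), which anna's older git rejected.
    fastcgi_param GIT_CONFIG_COUNT 1;
    fastcgi_param GIT_CONFIG_KEY_0 safe.directory;
    fastcgi_param GIT_CONFIG_VALUE_0 "*";

    fastcgi_pass unix:/run/fcgiwrap.socket;
}
```

Only info/refs and git-upload-pack are routed, so the backend never receives pushes regardless of the exception, which addresses the write-access concern raised in the thread.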