From ebf6300d01eee439d5d4708503d08b4159232aee Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Tue, 25 Aug 2009 09:08:11 +0530
Subject: [PATCH 1/3] all: some "our"s changed to "my"

---
 gl-auth-command | 6 +++---
 gl-compile-conf | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/gl-auth-command b/gl-auth-command
index e1be7d7..c05f53c 100755
--- a/gl-auth-command
+++ b/gl-auth-command
@@ -43,9 +43,9 @@ die "couldnt do perms file" unless (my $ret = do $GL_CONF_COMPILED);
 # definitions specific to this program
 # ----------------------------------------------------------------------------
 
-our $R_COMMANDS=qr/git[ -]upload-pack/;
-our $W_COMMANDS=qr/git[ -]receive-pack/;
-our $REPONAME_PATT=qr(^[0-9a-zA-Z][0-9a-zA-Z._/-]*$); # very simple pattern
+my $R_COMMANDS=qr/git[ -]upload-pack/;
+my $W_COMMANDS=qr/git[ -]receive-pack/;
+my $REPONAME_PATT=qr(^[0-9a-zA-Z][0-9a-zA-Z._/-]*$); # very simple pattern
 
 # ----------------------------------------------------------------------------
 # start...
diff --git a/gl-compile-conf b/gl-compile-conf
index da3163a..b668228 100755
--- a/gl-compile-conf
+++ b/gl-compile-conf
@@ -59,12 +59,12 @@ unless (my $ret = do $glrc)
 # ----------------------------------------------------------------------------
 # command and options for authorized_keys
 
-our $AUTH_COMMAND="$GL_ADMINDIR/gl-auth-command";
-our $AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty";
-our $USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._-]*$); # very simple pattern
+my $AUTH_COMMAND="$GL_ADMINDIR/gl-auth-command";
+my $AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty";
+my $USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._-]*$); # very simple pattern
 
-our %groups = ();
-our %repos = ();
+my %groups = ();
+my %repos = ();
 
 # set a restrictive umask, just in case
 umask(0077);
From 0b0d95a1ff88b0613996ca15745098e85453c6bd Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Tue, 25 Aug 2009 09:21:07 +0530
Subject: [PATCH 2/3] auth: tighten up 2 regexes; one minor code clarity fix

---
 gl-auth-command | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gl-auth-command b/gl-auth-command
index c05f53c..8d02d3d 100755
--- a/gl-auth-command
+++ b/gl-auth-command
@@ -43,8 +43,8 @@ die "couldnt do perms file" unless (my $ret = do $GL_CONF_COMPILED);
 # definitions specific to this program
 # ----------------------------------------------------------------------------
 
-my $R_COMMANDS=qr/git[ -]upload-pack/;
-my $W_COMMANDS=qr/git[ -]receive-pack/;
+my $R_COMMANDS=qr/^git[ -]upload-pack$/;
+my $W_COMMANDS=qr/^git[ -]receive-pack$/;
 my $REPONAME_PATT=qr(^[0-9a-zA-Z][0-9a-zA-Z._/-]*$); # very simple pattern
 
 # ----------------------------------------------------------------------------
@@ -87,8 +87,9 @@ die "I don't like the look of $repo, sorry!"
 # first level permissions check
 # ----------------------------------------------------------------------------
 
-# now, knowing the user and repo (which is repo path), we try perms
-my $perm = 'W'; $perm = 'R' if $verb =~ $R_COMMANDS;
+# we know the user and repo; we just need to know what perm he's trying
+my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W');
+
 die "access denied" unless $repos{$repo}{$perm}{$user};
 
 # ----------------------------------------------------------------------------
From 66bf4a20f9f171895ab7c12c6b2fec04e9e9371c Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Tue, 25 Aug 2009 09:57:19 +0530
Subject: [PATCH 3/3] all: lexical file handles instead of bare

---
 gl-auth-command | 9 ++++++---
 gl-compile-conf | 44 +++++++++++++++++++++++---------------------
 update-hook.pl | 14 ++++++--------
 3 files changed, 35 insertions(+), 32 deletions(-)

diff --git a/gl-auth-command b/gl-auth-command
index 8d02d3d..eb809ee 100755
--- a/gl-auth-command
+++ b/gl-auth-command
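Review bot: The new `^...$` anchors on `$R_COMMANDS` and `$W_COMMANDS` still let `$` match before a trailing newline, so a verb ending in `\n` would pass; `\A` and `\z` are the strict string anchors: `my $R_COMMANDS=qr/\Agit[ -]upload-pack\z/;` and `my $W_COMMANDS=qr/\Agit[ -]receive-pack\z/;`. The same applies to `$REPONAME_PATT` on the context line below, whose `$repo` ends up in the `git shell -c` command string later in the file. Whether `$verb` can actually carry a newline depends on how `SSH_ORIGINAL_COMMAND` is split, which is outside this hunk.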
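Review bot: The ternary on the new `my $perm` line falls back to `'W'` for every verb that is not a read command, so the more privileged permission is the default and `$W_COMMANDS`, declared in the hunk above, is never consulted here. Unless the earlier verb check (outside this hunk) already rejects anything matching neither pattern, deny-by-default is the safer shape: `my $perm = $verb =~ $R_COMMANDS ? 'R'` / `         : $verb =~ $W_COMMANDS ? 'W'` / `         : die "unknown command";`. Even if that earlier check exists, the explicit form documents the intent at the point where the permission is chosen.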
@@ -99,9 +99,12 @@ die "access denied" unless $repos{$repo}{$perm}{$user}; # ( but first save the reponame; we can save some time later in the hook ) $ENV{GL_REPO}=$repo; -open(LOG, ">>", "$GL_ADMINDIR/log"); -print LOG "\n", scalar(localtime), " $ENV{SSH_ORIGINAL_COMMAND} $user\n"; -close(LOG); +# if log failure isn't important enough to block access, get rid of all the +# error checking +open my $log_fh, ">>", "$GL_ADMINDIR/log" + or die "open log failed: $!"; +print $log_fh "\n", scalar(localtime), " $ENV{SSH_ORIGINAL_COMMAND} $user\n"; +close $log_fh or die "close log failed: $!"; $repo = "'$REPO_BASE/$repo.git'"; exec("git", "shell", "-c", "$verb $repo"); diff --git a/gl-compile-conf b/gl-compile-conf index b668228..6568c0f 100755 --- a/gl-compile-conf +++ b/gl-compile-conf @@ -105,13 +105,13 @@ sub expand_userlist # "compile" GL conf # ---------------------------------------------------------------------------- -open(INF, "<", $GL_CONF) - or die "open GL conf failed: $!"; +open my $conf_fh, "<", $GL_CONF + or die "open conf failed: $!"; # the syntax is fairly simple, so we parse it inline my @repos; -while () +while (<$conf_fh>) { # normalise whitespace; keeps later regexes very simple s/=/ = /; @@ -170,10 +170,10 @@ while () } } -open(OUT, ">", $GL_CONF_COMPILED) - or die "open GL conf compiled failed: $!"; -print OUT Data::Dumper->Dump([\%repos], [qw(*repos)]); -close(OUT); +open my $compiled_fh, ">", $GL_CONF_COMPILED + or die "open compiled-conf failed: $!"; +print $compiled_fh Data::Dumper->Dump([\%repos], [qw(*repos)]); +close $compiled_fh or die "close compiled-conf failed: $!"; # ---------------------------------------------------------------------------- # any new repos created? 
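Review bot: The new `print $log_fh` line writes `$ENV{SSH_ORIGINAL_COMMAND}` to the audit log verbatim; that value is client-supplied, and an embedded newline or control character would let a client forge extra log records. If the earlier parsing (outside this hunk) does not already reject such input, strip non-printables first, e.g. `(my $orig_cmd = $ENV{SSH_ORIGINAL_COMMAND}) =~ s/[^[:print:]]/_/g;` and log `$orig_cmd`, or log the already-validated `$verb` and `$repo` instead. The `or die` on the open is the right default for an access gate, since an unwritable audit log should fail closed, so I would drop the added comment that invites removing the error checking rather than leave it as an open question. The same comment is added in the update-hook.pl hunk of this patch.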
@@ -201,26 +201,28 @@ for my $repo (keys %repos) # "compile" ssh authorized_keys # ---------------------------------------------------------------------------- -open(INF, "<", $ENV{HOME} . "/.ssh/authorized_keys") or die "open old authkeys failed: $!"; -open(OUT, ">", $ENV{HOME} . "/.ssh/new_authkeys") or die "open new authkeys failed: $!"; +open my $authkeys_fh, "<", $ENV{HOME} . "/.ssh/authorized_keys" + or die "open authkeys failed: $!"; +open my $newkeys_fh, ">", $ENV{HOME} . "/.ssh/new_authkeys" + or die "open newkeys failed: $!"; # save existing authkeys minus the GL-added stuff -while () +while (<$authkeys_fh>) { - print OUT unless (/^# gitosis-lite start/../^# gitosis-lite end/); + print $newkeys_fh unless (/^# gitosis-lite start/../^# gitosis-lite end/); } # add our "start" line, each key on its own line (prefixed by command and # options, in the standard ssh authorized_keys format), then the "end" line. -print OUT "# gitosis-lite start\n"; +print $newkeys_fh "# gitosis-lite start\n"; my_chdir($GL_KEYDIR); for my $pubkey (glob("*.pub")) { my $user = $pubkey; $user =~ s/\.pub$//; - print OUT "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS "; - print OUT `cat $pubkey`; + print $newkeys_fh "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS "; + print $newkeys_fh `cat $pubkey`; } -print OUT "# gitosis-lite end\n"; -close(OUT); +print $newkeys_fh "# gitosis-lite end\n"; +close $newkeys_fh or die "close newkeys failed: $!"; # check what changes are being made; just a comfort factor # system("vim -d ~/.ssh/authorized_keys ~/.ssh/new_authkeys"); 
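Review bot: The key loop near the end of the hunk still builds each authorized_keys entry from unchecked pieces: `$user` is taken from the file name and interpolated into `command="$AUTH_COMMAND $user"` without being matched against `$USERNAME_PATT`, the key is read through a shell with `` `cat $pubkey` ``, and a .pub file holding more than one line would emit its extra lines with no `command=`/options prefix at all, i.e. as an unrestricted key. Whether the keydir contents are trusted depends on who can write to it, which this patch does not show, but none of these cost much to close. The rewrite below validates the name, reads the file with a lexical handle, and insists on exactly one key line; the rest of the hunk is unchanged.
```perl
for my $pubkey (glob("*.pub"))
{
    my $user = $pubkey;
    $user =~ s/\.pub$//;
    die "bad key file name: $pubkey\n" unless $user =~ $USERNAME_PATT;
    open my $key_fh, "<", $pubkey or die "open $pubkey failed: $!";
    my @key_lines = grep { /\S/ } <$key_fh>;
    close $key_fh;
    die "$pubkey: expected exactly one key line\n" unless @key_lines == 1;
    chomp(my $key = $key_lines[0]);
    print $newkeys_fh "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS $key\n";
}
# ... unchanged: "# gitosis-lite end" marker and close of $newkeys_fh ...
```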
@@ -238,10 +240,10 @@ if (-d ".git") # and if there are any if (system("git diff --cached --quiet") ) { - open(COMMIT, "|-", "git commit -F -") - or die "pipe commit failed: $!"; - print COMMIT "keydir changed\n\n"; - print COMMIT `git diff --cached --name-status`; - close(COMMIT) or die "close commit failed: $!"; + open my $commit_ph, "|-", "git commit -F -" + or die "open commit failed: $!"; + print $commit_ph "keydir changed\n\n"; + print $commit_ph `git diff --cached --name-status`; + close $commit_ph or die "close commit failed: $!"; } } diff --git a/update-hook.pl b/update-hook.pl index 8c6d917..babd005 100755 --- a/update-hook.pl +++ b/update-hook.pl @@ -41,12 +41,6 @@ unless (my $ret = do $glrc) die "couldnt do perms file" unless (my $ret = do $GL_CONF_COMPILED); -# ---------------------------------------------------------------------------- -# definitions specific to this program -# ---------------------------------------------------------------------------- - -open(LOG, ">>", "$GL_ADMINDIR/log"); - # ---------------------------------------------------------------------------- # start... # ---------------------------------------------------------------------------- @@ -78,8 +72,12 @@ for my $refex (@$allowed_refs) { if ($ref =~ /$refex/) { - print LOG "$perm: $ENV{GL_USER} $ENV{GL_REPO} $ref $oldsha $newsha\n"; - close (LOG); + # if log failure isn't important enough to block pushes, get rid of + # all the error checking + open my $log_fh, ">>", "$GL_ADMINDIR/log" + or die "open log failed: $!"; + print $log_fh "$perm: $ENV{GL_USER} $ENV{GL_REPO} $ref $oldsha $newsha\n"; + close $log_fh or die "close log failed: $!"; exit 0; } }
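Review bot: `open my $commit_ph, "|-", "git commit -F -"` still hands a single string to the shell; the list form `open my $commit_ph, "|-", "git", "commit", "-F", "-"` followed by the existing `or die "open commit failed: $!";` runs git directly and is the idiom to reach for now that the handle is lexical. The command is a constant here, so this is a style point rather than a defect, but it keeps the pipe opens consistent with the list-form `exec("git", ...)` used in gl-auth-command. The backticks on the `print $commit_ph` line have the same shape and the same low risk.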
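Review bot: Moving the log open into the loop in update-hook.pl means a record is written only on the `exit 0` path, when a refex matched; a push that matches no refex and is rejected after the loop leaves no trace in `$GL_ADMINDIR/log`. For an audit log the denials are usually the more interesting events, so I would write a line at the rejection point as well, if the code after the loop does not already do so. The `for` loop is wholly inside this hunk, but the deny path that follows it is not, so I cannot tell from here whether it logs.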