From 86166f7adc60f191b145818eda56d095aca7ed7f Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Thu, 4 Feb 2010 15:16:47 +0530
Subject: [PATCH 1/3] $shell_allowed needs to be passed to specal_cmds brought on by realising that you lost $shell_allowed when refactoring (previous commit) but perl hadn't caught it because -- damn -- you didn't have "use strict" in gitolite.pm
---
 src/gitolite.pm | 18 +++++++++++-------
 src/gl-auth-command | 2 +-
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/gitolite.pm b/src/gitolite.pm
index a8127e9..a6dba92 100644
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -1,3 +1,4 @@
+use strict;
 # this file is commonly used using "require". It is not required to use "use"
 # (because it doesn't live in a different package)
@@ -17,16 +18,19 @@
 # common definitions
 # ----------------------------------------------------------------------------
-$ABRT = "\n\t\t***** ABORTING *****\n ";
-$WARN = "\n\t\t***** WARNING *****\n ";
+our $ABRT = "\n\t\t***** ABORTING *****\n ";
+our $WARN = "\n\t\t***** WARNING *****\n ";
 # commands we're expecting
-$R_COMMANDS=qr/^(git[ -]upload-pack|git[ -]upload-archive)$/;
-$W_COMMANDS=qr/^git[ -]receive-pack$/;
+our $R_COMMANDS=qr/^(git[ -]upload-pack|git[ -]upload-archive)$/;
+our $W_COMMANDS=qr/^git[ -]receive-pack$/;
 # note that REPONAME_PATT allows "/", while USERNAME_PATT allows "@"
-$REPONAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._/+-]*$); # very simple pattern
-$USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@+-]*$); # very simple pattern
+our $REPONAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._/+-]*$); # very simple pattern
+our $USERNAME_PATT=qr(^\@?[0-9a-zA-Z][0-9a-zA-Z._\@+-]*$); # very simple pattern
+
+our $REPO_UMASK;
+our %repos;
 # ----------------------------------------------------------------------------
 # convenience subs
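Review bot: `$REPONAME_PATT`, re-declared with `our` in the `@@ -17,16 +18,19 @@` hunk, still accepts `..` path components because both `.` and `/` are in its character class, and its `$` anchor also matches before a trailing newline. The pattern itself predates this commit, but `gl-auth-command` uses it to vet the repo name taken from `SSH_ORIGINAL_COMMAND`, so if that name is later joined onto the repository base path, a name containing `..` would pass the check. Anchoring with `\A` and `\z` and adding an explicit `$repo !~ m{\.\.}` test at the call site would make the check strict; how the name is used after the check is not visible in this patch.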
@@ -163,7 +167,7 @@ sub report_basic
 sub special_cmd {
- my ($GL_ADMINDIR, $GL_CONF_COMPILED, $RSYNC_BASE, $HTPASSWD_FILE) = @_;
+ my ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE) = @_;
 my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
 my $user = $ENV{GL_USER};
diff --git a/src/gl-auth-command b/src/gl-auth-command
index 8aa2f65..48c67be 100755
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@@ -114,7 +114,7 @@ unless ($ENV{SSH_ORIGINAL_COMMAND}) {
 my ($verb, $repo) = ($ENV{SSH_ORIGINAL_COMMAND} =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/);
 unless ( $verb and ( $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) {
 # ok, it's not a normal git command; call the special command helper
- &special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $RSYNC_BASE, $HTPASSWD_FILE);
+ &special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE);
 exit;
 }
From 55a71f00e1fcf055638fac612197ca5c36456db9 Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Thu, 4 Feb 2010 22:55:11 +0530
Subject: [PATCH 2/3] compile: die on authkeys write failure
---
 src/gl-compile-conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/gl-compile-conf b/src/gl-compile-conf
index bb05d1e..eb8f8d7 100755
--- a/src/gl-compile-conf
+++ b/src/gl-compile-conf
@@ -502,5 +502,6 @@ close $newkeys_fh or die "$ABRT close newkeys failed: $!\n";
 # all done; overwrite the file (use cat to avoid perm changes)
 system("cat $ENV{HOME}/.ssh/authorized_keys > $ENV{HOME}/.ssh/old_authkeys");
-system("cat $ENV{HOME}/.ssh/new_authkeys > $ENV{HOME}/.ssh/authorized_keys");
+system("cat $ENV{HOME}/.ssh/new_authkeys > $ENV{HOME}/.ssh/authorized_keys")
+ and die "couldn't write authkeys file\n";
 system("rm $ENV{HOME}/.ssh/new_authkeys");
From 85cc31c77134d78d3ff3ca2fd2229d0e5b791530 Mon Sep 17 00:00:00 2001
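Review bot: Inserting `$shell_allowed` as the third positional argument of `special_cmd` means any caller still passing four arguments would hand `$RSYNC_BASE` to it, and a non-empty path string is true in Perl, so a stale call site would presumably be read as shell access allowed. The one caller visible in this patch, in `src/gl-auth-command`, is updated, but Perl does not check argument counts, so a missed caller fails silently. A guard such as `die "special_cmd: expected 5 args\n" unless @_ == 5;` ahead of the unpacking, or appending the new parameter at the end of the list, would make a mismatch fail closed. The body of `special_cmd` continues outside the hunk.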
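Review bot: In the `src/gl-compile-conf` hunk the new `and die` fires only after the shell redirection has already truncated `authorized_keys`, so a failed or partial `cat` leaves the live key file short while the preceding backup to `old_authkeys` is still unchecked. Checking the backup the same way, `system("cat $ENV{HOME}/.ssh/authorized_keys > $ENV{HOME}/.ssh/old_authkeys") and die "$ABRT couldn't back up authkeys file\n";`, guarantees a good copy exists before the overwrite. The new message also drops the `$ABRT` prefix used by the `close` check just above it and does not report `$?`. `$ENV{HOME}` is interpolated into a shell command line in all three `system` calls, so a home directory containing spaces or shell metacharacters would change what is executed; that predates this commit.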
From: Sitaram Chamarty
Date: Fri, 5 Feb 2010 06:49:07 +0530
Subject: [PATCH 3/3] install/pm: turn hooks from copies to symlinks
---
 src/gitolite.pm | 14 +++++++++++++-
 src/gl-install | 6 ++++--
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/gitolite.pm b/src/gitolite.pm
index a6dba92..9f2193f 100644
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -78,6 +78,18 @@ sub check_ref {
 die "$perm $ref $repo $ENV{GL_USER} DENIED by fallthru\n";
 }
+# ln -sf :-)
+sub ln_sf
+{
+ my($srcdir, $glob, $dstdir) = @_;
+ for my $hook ( glob("$srcdir/$glob") ) {
+ $hook =~ s/$srcdir\///;
+ unlink "$dstdir/$hook";
+ symlink "$srcdir/$hook", "$dstdir/$hook" or die "could not symlink $hook\n";
+ }
+}
+
+
 # ----------------------------------------------------------------------------
 # where is the rc file hiding?
 # ----------------------------------------------------------------------------
@@ -124,7 +136,7 @@ sub new_repo
 wrap_chdir("$repo.git");
 system("git --bare init >&2");
 # propagate our own, plus any local admin-defined, hooks
- system("cp $hooks_dir/* hooks/");
+ ln_sf($hooks_dir, "*", "hooks");
 chmod 0755, "hooks/update";
 }
diff --git a/src/gl-install b/src/gl-install
index 9494fc6..9159ed5 100755
--- a/src/gl-install
+++ b/src/gl-install
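Review bot: In `ln_sf`, `$hook =~ s/$srcdir\///;` treats the directory path as an unanchored regex, so a `$srcdir` containing metacharacters such as `+` or `(` is read as pattern syntax and the prefix strip can fail or cut the wrong text; `$hook =~ s/^\Q$srcdir\E\///;` strips it literally. The `unlink` followed by `symlink` is also not atomic: between the two calls, or if `symlink` fails and the sub dies, the repository is left with no hook at that path, which matters if the `update` hook is what enforces per-ref permissions. Creating the link under a temporary name and `rename`-ing it over the old entry closes that window; the same unlink-then-symlink pattern appears for `post-update` in the `src/gl-install` hunk. Adding `$!` to the `die` message would show why a link could not be created.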
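Review bot: In the `new_repo` hunk, the `chmod 0755, "hooks/update";` that follows the new `ln_sf` call now operates through a symlink, and chmod follows symlinks, so it changes the mode of the shared source file under `$hooks_dir` rather than a per-repo copy; the same applies to both `chmod` calls in the `src/gl-install` hunk. With links instead of copies, every repository runs whatever is currently in the source hooks directory, so write access to that directory presumably amounts to code execution in all repos, which deserves a comment such as `# hooks are symlinks: keep $hooks_dir writable only by the hosting user`. The symlink target is stored verbatim and the link is created after `wrap_chdir`, so `$hooks_dir` needs to be an absolute path; whether it is cannot be seen from the hunk. `new_repo` starts outside the hunk.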
@@ -71,14 +71,16 @@ chdir("$repo_base_abs") or die "chdir $repo_base_abs failed: $!\n";
 for my $repo (`find . -type d -name "*.git"`) {
 chomp ($repo);
 # propagate our own, plus any local admin-defined, hooks
- system("cp $GL_ADMINDIR/src/hooks/* $repo/hooks/");
+ ln_sf("$GL_ADMINDIR/src/hooks", "*", "$repo/hooks");
 chmod 0755, "$repo/hooks/update";
 }
 # oh and one of those repos is a bit more special and has an extra hook :)
 if ( -d "gitolite-admin.git/hooks" ) {
 print "copying post-update hook to gitolite-admin repo...\n";
- system("cp $GL_ADMINDIR/src/ga-post-update-hook gitolite-admin.git/hooks/post-update");
+ unlink "gitolite-admin.git/hooks/post-update";
+ symlink "$GL_ADMINDIR/src/ga-post-update-hook", "gitolite-admin.git/hooks/post-update"
+ or die "could not symlink post-update hook\n";
 chmod 0755, "gitolite-admin.git/hooks/post-update";
 }
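Review bot: The status line `print "copying post-update hook to gitolite-admin repo...\n";` is now inaccurate, since this hunk replaces the copy with `unlink` plus `symlink`; `print "symlinking post-update hook to gitolite-admin repo...\n";` matches what happens. The new `die "could not symlink post-update hook\n"` would be easier to act on with `$!` appended, for example `or die "could not symlink post-update hook: $!\n";`.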