Commit graph

436 commits

Author SHA1 Message Date
Sitaram Chamarty 246165537d new server-side program "gl-tool", subcommand "shell-add"
Previous implementations of "give shell access to some gitolite users"
feature were crap.  There was no easy/elegant way to ensure that someone
who had repo admin access would not manage to get himself shell access.

Giving someone shell access requires that you should have shell access
in the first place, so the simplest way is to enable it from the server
side only.

So now that we decided to do that, we may as well prepare for other,
future, commands by starting a server-side utility program with
sub-commands (the only current one being "shell-add")
2010-04-09 21:05:17 +05:30
Sitaram Chamarty 5deffee3cf security: gitolite admin can get shell access by using screwy pubkey name
example: keydir/sitaram@$(some-dangerous-command; echo hi).pub

(still won't get the reward; that is only if a non-admin user gets
privs!)
2010-04-09 16:48:46 +05:30
Sitaram Chamarty e6ee5cdb30 4b7d144 should have touched this also 2010-03-31 14:42:41 +05:30
Sitaram Chamarty 5aba13cd80 allow 'D' for @all repos
...so that the new semantics can be made system-default if someone wants
to do that
2010-03-31 06:45:29 +05:30
Sitaram Chamarty 967af2c993 compile/update: new "D" permission
normally, RW+ means permission to rewind or delete.

Now, if you use "D" permission anywhere in a repo config, that means
"delete" and RW+ then means only "rewind", no delete.
2010-03-30 23:28:26 +05:30
Sitaram Chamarty 33b886c512 we're getting a nice solaris workout after a long time :) 2010-03-30 19:37:22 +05:30
Sitaram Chamarty 72b63abaf2 auth, gitolite.pm: do not leak info about repo existence
All this is about a user trying to look if a repo exists or not, when he
does not have any access to that repo.  Ideally, "repo does not exist"
should be indistinguishable from "you dont have perms to that repo".

(1) if $GL_WILDREPOS is not set, you either get a permissions error, or
    a "$repo not found in compiled config" death.  Fixed.

(2) if $GL_WILDREPOS is set, you either get either a permissions error,
    or a "$repo has no matches" death.  Fixed.

(3) The following combination leaks info about repo existence:

      - actual repo doesn't exist
      - spying user don't have C perms
      - repo patt doesn't contain CREATER
      - RW+ = CREATER is specified (as is normal)

    In such case, the "convenience copy" of the ACL that parse_acl
    makes, coupled with substituting CREATER for the invoking user means
    $repos{$actual_repo} has RW+ for the spying user.  This means the
    access denied doesn't happen, and control passes to git, which
    promptly expresses it unhappiness and angst over being given a repo
    that 'does not appear to be a git repository'

    This doesn't happen if all those conditions are not met:

      - if repo exists, CREATER is set to the real creater, so RW+ =
        CREATER does not gain spying user anything
      - if spying user has C perms it just gets created, because he has
        rights.  This is also info leak but we can't prevent it; tighten
        the config (maybe by including CREATER in repo pattern) if this
        is not wanted
      - if repo patt contains CREATER it will never match someone else's
        repo anyway!
2010-03-29 21:18:39 +05:30
Sitaram Chamarty 6a44c564a2 doc/4: added "how it actually works" section
thanks to Ilari for helping fix a bug (see previous commit) and then
prompting this documentation
2010-03-28 12:30:43 +05:30
Sitaram Chamarty a45d2d9912 auth: do not implicitly assign RW access for creaters
a configuration like this:

    repo CREATER/.*
        C       =   CREATER
        RW+     =   WRITERS

was buggy; CREATER was implicitly part of WRITERS so he got RW
permissions implicitly, so the push went through
2010-03-27 22:55:58 +05:30
Sitaram Chamarty 6e17c74abf silly little PATH bug...
what this means is that until now, everyone who used easy-install
(without needing to set $GIT_PATH in the rc file) had a client-side PATH
that was perfectly valid on the server side also!
2010-03-26 21:36:28 +05:30
Sitaram Chamarty 7bfb3676b7 @all for repos is now much cleaner; a true @all...
- no need to put it at the end of the config file now, yeaaay!
  - @all for @all is meaningless and not supported.  People asking will
    be told to get a life or use git-daemon.
  - NAME/ limits for @all repos is ignored for efficiency reasons.
2010-03-26 21:36:05 +05:30
Sitaram Chamarty a3f1258a0a reduce a bit of code duplication in check_access; make it call check_ref 2010-03-23 14:59:33 +05:30
Sitaram Chamarty b3c5d14421 relent a little and document the expand command a tiny bit :) 2010-03-20 09:59:07 +05:30
Sitaram Chamarty 364a2317c2 created gitolite@googlegroups.com, updated README
enough people told me they want one because they don't watch the git ML
or it's too high traffic, so I finally made one and invited a few folks.
2010-03-19 07:18:12 +05:30
Sitaram Chamarty bad0723974 allow @all to be used as a "user" in setperms 2010-03-18 22:06:25 +05:30
Sitaram Chamarty f282b8f926 gl-setup: dash-compat
before someone runs it on the new Ubuntu :)
2010-03-18 20:48:43 +05:30
Sitaram Chamarty b537a4acd4 dash it all!
Ubuntu now defaults to /bin/sh -> /bin/dash, while my brain seems to
default to bash.

I guess it's easier to fix my brain, and my code <sigh>
2010-03-18 09:13:41 +05:30
Sitaram Chamarty bfc9c7aeb5 minor fixup; spurious error killed 2010-03-17 20:43:20 +05:30
Sitaram Chamarty e91e8c80d9 minor oopsie in post-update hook chaining 2010-03-17 20:37:41 +05:30
Sitaram Chamarty 412a691810 compile: remove the sortsub for data dumper
Data dumper was failing (returning an empty string!) on an input config
file of about 350 lines or so (output 2400 lines or so).

Removing the sort sub fixed the problem.

To recap why that sub was put in (see deleted lines in this commit for
details), what we really want is that $creater must appear *last* in the
resulting dump.

So we trick it.  "man ascii" tells you that ~ is the highest valued
ASCII character (yes, I know, not utf-8 safe etc... I'll deal with that
if and when needed or punt!).  So we just put that in front of $creater
and remove it later...

You *don't* want to do this for $readers and $writers -- then they will
once again sort *after* $creater, which would be a bad thing.  Also,
it's probably better this way, because now the order of the hash keys
will be: $readers, $writers, any actual users listed, and then $creater.

This means the effective access rights will be:

1.  if you are the creater you get CREATER's rights
2.  else if your userid is listed *explicitly* in the config, you get
    those rights
3.  else if you've been setperm'd as a writer, you get WRITERS rights
4.  else if you've been setperm'd as a reader, you get READERS rights

This is different from what used to happen till now; READERS and WRITERS
used to trump explicitly given rights.  I'd been meaning to fix that
somehow, but never got around to it, until this DDD (damn Data Dumper!)
forced my hand :)
2010-03-17 19:30:14 +05:30
Sitaram Chamarty 05431233a2 post-update hook now chains to post-update.secondary
undocumented but analogous to the documented update hook chaining
2010-03-16 19:27:29 +05:30
Sitaram Chamarty 33d6856f4b update: disallow old-style personal branches
The downside is that the repo config does need to be edited and new
style line(s) added.
2010-03-16 18:27:26 +05:30
Sitaram Chamarty 2456cc17c8 personal branches: de-emphasise old-style, document new-style
There are some disadvantages to the old-style personal branch scheme.
It only allows one specific pattern (of refname) to be used, forces that
pattern to be applicable to *all* repos in the entire config, and
requires editing the rc file (on the server) to be edited to achieve
this.

In other words, it's a very blunt instrument...

The new style depends on using lines like this within a specific repo
config:

        RW+ personal/USER/      =   @userlist

The important thing is that the "branch" name should contain `/USER/`
(including the slashes).  Access is still determined by the right hand
side of course.

This gives you the following advantages:

  - allow it only for repos that need it
  - allow different patterns to be used for different repos
  - allow *multiple* patterns; just add more than one such line
  - allow the pattern to have suffixes (eg: foo/USER/bar)
2010-03-16 18:27:26 +05:30
Sitaram Chamarty 83884aa758 compile/update hook: enable new style personal branches
The new style personal branches work by interpreting the special
sequence /USER/ (including the slashes) in a refname.  Docs should be in
the next commit...
2010-03-16 18:27:22 +05:30
Sitaram Chamarty ed5c78349e update hook now allows chaining to "update.secondary"
the changes to cp/scp are because without "-p" they dont carry perms
across to existing files.  So if you forgot to chmod +x your custom
hook and ran easy install, then after that you have to go to the server
side to fix the perms...
2010-03-14 22:48:25 +05:30
Sitaram Chamarty bf7aba7e0b changelog 2010-03-12 17:20:12 +05:30
Sitaram Chamarty 367e8f8932 minor LFCR -> CRLF fix 2010-03-12 11:08:51 +05:30
Sitaram Chamarty d660822ab5 dps: made dps section clearer and more step-by-step 2010-03-12 10:24:53 +05:30
Sitaram Chamarty 7588c8cf54 dps: gl-setup may have to create ~/.ssh and touch the authkeys file...
I've been unwilling to create the authkeys file if it does not already
exist, because it represents a significant change in accessibility for
that account.

However, in the "distro package" scenario, one wants to make it as easy
as possible for the end-user (who is actually an admin for the gitolite
being hosted on his account, let's not forget) to use.

And it seems that in some cases that might mean he does not (yet) have a
~/.ssh even...
2010-03-12 09:16:39 +05:30
Sitaram Chamarty b3945d44c9 docs and .gitattributes hadn't been updated for the change in hooks dir 2010-03-10 06:24:53 +05:30
Sitaram Chamarty 4b7d144971 easy install: suppress that misleading "fatal"
get rid of the "fatal: No HEAD commit to compare with (yet)" message
2010-03-09 22:17:17 +05:30
Sitaram Chamarty 369ff45d92 easy install seemed to out of the GIT_PATH loop
for some reason, I apparently did not test easy install with a
non-standard path!  Fixed...
2010-03-09 22:12:29 +05:30
Sitaram Chamarty 08811fa9c2 easy install: update ending message when non-std ssh port used 2010-03-07 19:33:33 +05:30
Sitaram Chamarty de0ecd0431 compile: make it easier to move repos into gitolite
when repos are copied over from elsewhere, one had to run easy install
once again to make the new (OS-copied) repo contain the proper update
hook.

We eliminate this step now, using a new, empty, "hook" as a sentinel and
having "compile" check/fix all repos' hooks.

Since you have to add the repos to conf anyway, this makes it as
seamless as possible.  The correct sequence now is

  - (server) copy the repo at the OS level
  - (admin clone) add it to conf/gitolite.conf, commit, push
2010-03-07 19:05:56 +05:30
Sitaram Chamarty be92feca6d add conf/VERSION to .gitignore
conf/VERSION is programmatically created, not manually, so you shouldn't
be checking it in, which means it looks cleaner to explicitly put it in
.gitignore
2010-03-02 05:39:19 +05:30
Sitaram Chamarty 6dbaa0d325 auth: expand etc. *may* have single-quotes around reponame 2010-03-01 20:34:25 +05:30
Sitaram Chamarty 8031f72fa8 progit article added to doc/ 2010-02-27 17:28:06 +05:30
Sitaram Chamarty 572a34740f doc/0: emphasise the importance of ssh 2010-02-27 12:46:17 +05:30
Eli Barzilay 9f805646fe minor typos 2010-02-27 12:32:28 +05:30
Eli Barzilay 4cf18d8339 make Emacs use perl mode 2010-02-27 12:31:44 +05:30
Teemu Matilainen deda3da182 auth: do not anchor the pattern given for expand
Currently the pattern of expand command is line anchored.  This is
different than in e.g. grep, and causes extra work to add '.*' prefix
and/or suffix in many use cases.

The new semantics now mean you might get more matches than you would
have gotten earlier.  However, the expand command is still totally
undocumented, so I think it is acceptable to change the functionality.
;)

This patch removes the anchoring.  So for earlier behavior the specified
pattern needs be in form of '^<pattern>$'.  The default pattern is also
changed from '.*' to '^', so there might be even a small speed
improvement. =)

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-27 12:30:39 +05:30
Sitaram Chamarty de74e8d343 Merge branch 'master' into pu (damn!)
stupid me; committed the easy install patch on master *and* pushed,
instead of on pu...

Since I dont want to rewind master, we end up with this completely
unnecessary merge.
2010-02-26 07:29:18 +05:30
Sitaram Chamarty 42cc720eaa easy install: be more specific about NOT adding repos manually 2010-02-26 07:13:19 +05:30
Sitaram Chamarty ea123bbfb4 Merge branch 'dps' into master
Conflicts:
	doc/0-INSTALL.mkd
2010-02-25 20:28:02 +05:30
Sitaram Chamarty 802f925f1d doc/CHANGELOG added 2010-02-25 20:13:51 +05:30
Teemu Matilainen d1d399f6b7 contrib: Add info of Vim syntax highlight
Grand opening of the "contrib" directory. =)

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-25 04:57:09 +02:00
Sitaram Chamarty 1de9e963f0 auth: behave better when no argument supplied to wild commands
expand gets a default '.*' argument
others die with an error message
2010-02-18 19:20:46 +05:30
Sitaram Chamarty 8054a9e6d5 Merge branch 'teemu/topic/expand_all_repos' into pu 2010-02-18 18:44:58 +05:30
Teemu Matilainen e7ac085d61 List also non-wildcard repos in expand_wild
List also all matching and accessible non-wildcard repositories
in ssh expand command.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-02-18 13:50:18 +02:00
Sitaram Chamarty 16cea9bf8c compile: move checking of reponame/repopatt/username out of expand_list
let expand_list be just that "expand a list", and leave checking to be
done outside.

otherwise, commit 690604d79 has the side effect of restricting refs to
$REPOPATT_PATT, and so for instance barfing on the perfectly valid

    RW+ refs/(?!heads/master) = alice bob

(thanks to Teemu for catching this)
2010-02-18 06:10:08 +05:30