Commit graph

55 commits

Author SHA1 Message Date
Sitaram Chamarty 645ab77af5 compile: disallow multiple pubkeys in one file
The way pubkey files are handled by gitolite, this could be used by a
repo admin to get shell access.  It's always been there as an
undocumented emergency mechanism for an admin who lost his shell keys or
overwrote them due to not understanding ssh well enough (and it has been
so used at least once).

But not any more...

Like the @SHELL case, this reflects a shift away from treating people
with repo admin rights as eqvt to people who have shell on the server,
and systematically making the former lesser privileged than the latter.

While in most cases (including my $DAYJOB) these two may be the same
person, I am told that's not a valid assumption for others, and there've
been requests to close this potential loophole.
2010-01-17 16:31:47 +05:30
Sitaram Chamarty ecfd20e793 @SHELL is now $SHELL_USERS in the rc file (warning: backward compat breakage)
Stop conflating the privilege to push changes to the admin repo with the
privilege to get a shell on the server.

Please read doc/6 carefully before upgrading to this version.  Also
please ensure that the gitolite key is *not* your only means to get a
command line on the server
2010-01-14 19:35:46 +05:30
Teemu Matilainen 6c38e30e9a compile: support "include" definition
Support config file including using:
include "filename"

If filename is not an absolute path, it is looked from the
$GL_ADMINDIR/conf/ directory.

For security reasons include is not allowed for fragments.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-01-10 09:50:20 +05:30
Sitaram Chamarty 08ef3555a1 deprecation warning about old style PATH/ syntax
(this commit will probably get reverted after a suitable period has
elapsed and no one is likely to still be using the old syntax).

Forgetting to change it to NAME/ after is a security issue -- you end up
permitting stuff you don't want to!

This commit allows the old syntax but prints a warning
2010-01-09 20:31:07 +05:30
Sitaram Chamarty 7124faa9f3 NAME-based restrictions
Gitolite allows you to restrict changes by file/dir name.  The syntax
for this used "PATH/" as a prefix to denote such file/dir patterns.
This has now been changed to "NAME/" because PATH is potentially
confusing.

While this is technically a backward-incompatible change, the feature
itself was hitherto undocumented, and only a few people were using it,
so I guess it's not that bad...

Also added documentation now.
2010-01-09 20:30:53 +05:30
Teemu Matilainen f37fb45144 compile: support "repo @all" definitions
"repo @all" can be used to set permissions or configurations for all
already defined repos.  (A repository is defined if it has permission
rules associated, empty "repo" stanza or "@group=..." line is not enough.)

For example to allow a backup user to clone all repos:

  # All other configuration
  [...]
  repo @all
       R = backup

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-21 22:11:21 +05:30
Sitaram Chamarty 2cc19091ca compile: gitolite key as good as shell key for users in @SHELL group
done by inserting a "-s" into the authkey forced command.

(They also lose the "no-pty" restriction, for good measure!)
2009-12-19 22:47:16 +05:30
Sitaram Chamarty b7404aa772 auth/install/pu-hook: pass ADMINDIR and BINDIR via ENV
The admin repo's post-update hook needs to know where $GL_ADMINDIR is,
and we had a weird way of doing that which depended on gl-install
actually munging the hook code.

We also always assumed the binaries are in GL_ADMINDIR/src.

We now use an env var to pass both these values.  This removes the weird
dependency on gl-install that the post-update hook had, as well as make
running other programs easier due to the new $GL_BINDIR env var.
2009-12-17 14:11:55 +05:30
Teemu Matilainen 3403d40d0e Add support for repo configurations
Git repository configurations can be set/unset by declaring "config"
lines in "repo" stanzas in gitolite.conf. For example:

repo gitolite
	config hooks.mailinglist = gitolite-commits@example.tld
	config hooks.emailprefix = "[gitolite] "
	config foo.bar = ""
	config foo.baz =

The firs two set (override) the values. Double quotes must be used to
preserve preceding spaces. Third one sets an empty value and the last
removes all keys.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-09 07:12:01 +05:30
Sitaram Chamarty 38255e4096 merge "allow full email addresses as usernames"
Merge branch 'pu'
2009-12-08 15:14:29 +05:30
Sitaram Chamarty 4441ed82e4 compile: allow full email addresses as usernames
we had usurped the email style syntax to separate multiple keys
belonging to the same person, like sitaram@desktop.pub and
sitaram@laptop.pub.  If you have so many users that you need the full
email address to disambiguate some of them (or you want to do it for
just plain convenience), you couldn't.

This patch fixes that in a backward compatible way.  See
doc/3-faq-tips-etc.mkd for details.
2009-12-08 15:14:05 +05:30
Teemu Matilainen 5416e38ea8 Fix default configuration paths in documentation
Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2009-12-07 21:04:44 +05:30
Sitaram Chamarty e6da853082 auth, compile, pm: good bit of refactoring
all of this is prep for the upcoming, all-new, chrome-plated,
"wildrepos" branch :)

  - many variables go to gitolite.pm now, and are "our"d into the other
    files as needed
  - new functions parse_acl, report_basic to replace inlined code
2009-12-05 14:14:37 +05:30
Sitaram Chamarty a283b8ad49 compile: kill preceding space when killing comments
consider:

    repo = "some desc" # some comment

(and note that the regex for recognising a description expects that
dblquote to be the *last* character on the line)
2009-12-01 22:13:13 +05:30
Sitaram Chamarty e7e6085351 compile: fix description and export-ok problem
part of comment on b78a720cee:
    The only reason it's getting into master is because it looks cool!

I hate it when something that looks cool doesn't work right :(

creating a repo on gitolite-admin push is *needed* in order to get
descriptions and export-ok files to work right
2009-12-01 21:54:23 +05:30
Sitaram Chamarty e922dfb939 compile: allow PATH/foo and populate the hash correctly 2009-12-01 05:55:59 +05:30
Sitaram Chamarty 604669ca02 rebel edition -- cos when you need it, you need it bad :-)
Summary: much as I did not want to use "excludes", I guess if we don't put the
code in "master" it's OK to at least *write* (and test) the code!

See the example config file for how to use it.

See "design choices" section in the "faq, tips, etc" document for how it
works.
2009-12-01 05:55:58 +05:30
Sitaram Chamarty b78a720cee auth/compile: auto-vivify is default now, so:
the "create a new repo" code moves from compile to auth.

Only someone who has W access can create it, but he can do so even on a
"R" operation (like clone or ls-remote).

This is a pre-requisite for rebel's wildcard repos, where
autovivification is the only way you can create arbitrary repos matching
a pattern.

The only reason it's getting into master is because it looks cool!

----

OK that's a lie; the real reason is to keep the two branches as similar
as possible, though they;ve diverged quite a bit since the "only
one-line difference" days where "rebel" just meant "deny/exclude"
rules!)
2009-11-27 23:06:48 +05:30
Sitaram Chamarty c3b5e3b1af compile, pm: factor out new repo creation
...also wrap_chdir, wrap_open, $ABRT, and $WARN
2009-11-27 23:06:47 +05:30
Sitaram Chamarty d2a053ba3c compile: add owner field in the same line as the gitweb descriptions
this goes into the project list
2009-11-27 13:23:48 +05:30
Sitaram Chamarty 6e0855eb4d compile: gitweb/daemon writes are unconditional now
writing the export_ok files and the gitweb project list are now
unconditional.  They're idempotent anyway, and I doubt anyone cared
about all the fancy logic to detect and report *just* the new ones on
each compile.

This paves the way for gitweb ownership to be added later; that code was
becoming too complex otherwise...
2009-11-26 19:30:40 +05:30
Sitaram Chamarty 516c028b81 compile: (oopsies...) plug security hole in delegation feature
I was trying to determine how close gitolite can come to the ACL model
of a proprietary product called codebeamer, and one of the items was how
to make a "role" (like QA_Lead) have different "members" in different
projects.

I then realised delegation already does that!  Which is great, but as I
thought about it more, I realised...  well, we'll let the in-code
comments speak for themselves :-)

Anyway, all it needed was a 1-line fix, luckily... <phew>  And it would
have only affected people who use delegation.
2009-11-23 22:45:00 +05:30
Sitaram Chamarty cba66c6e5a compile: make compiled config be key-sorted
makes debugging access changes much easier

(doh!  why didn't I do this earlier!)
2009-11-23 18:04:18 +05:30
Sitaram Chamarty c54d3eabbc all src: (please read full commit message): allow local admin-defined hooks
You can now add your own hooks into src/hooks/ and they get propagated
along with the update hook that is present there now.  Please read the
new section in the admin document, and make sure you understand the
security implications of accidentally fiddling with the "update" script.

This also prompted a major rename spree of all the files to be
consistent, etc.  Plus people said that the .sh and .pl suffixes should
be avoided (and I was feeling the same way).  I've also been
inconsistent with that "gl-" prefix, so I cleaned that up, and the 00-
and 99- were also funny animals.

Time to get all this cleaned up before we get 1.0 :)

So these are the changes, in case you're looking at just the commit
message and not the diffstat:

    src/pta-hook.sh -> src/ga-post-update-hook
    src/conf-convert.pl -> src/gl-conf-convert
    src/00-easy-install.sh -> src/gl-easy-install
    src/99-emergency-addkey.sh -> src/gl-emergency-addkey
    src/install.pl -> src/gl-install
    src/update-hook.pl -> src/hooks/update
2009-11-13 18:37:46 +05:30
Sitaram Chamarty 448c0d37ba compile: writing description file should be conditional 2009-11-12 20:45:49 +05:30
Sitaram Chamarty e81264d100 compile: added repo descriptions
example line in config file:

gitolite = "fast, secure, access control for git in a corporate environment"
2009-11-12 14:49:39 +05:30
Sitaram Chamarty 31fd24a76c compile: death should be a little louder and clearer :) 2009-11-05 23:13:39 +05:30
Sitaram Chamarty 92d5062ad0 doc/src: major doc/help text revamp
also removed some dead code from compile (pre PTA days)
2009-10-31 00:21:37 +05:30
Sitaram Chamarty 26b4992162 compile: (gh issue 2) apparently pubkeys don't always end in a newline
I've never encountered this but it's an easy fix
2009-10-30 10:39:05 +05:30
Sitaram Chamarty 2f6ed42fcd install and compile: learnt a '-q' flag (not for manual use!)
...only for easy install to use in "quiet" mode
2009-10-25 17:48:13 +05:30
Sitaram Chamarty 78d02e1437 the rc file can now be in one of 2 places...
Packaging gitolite for debian requires the rc file to be in /etc/gitolite.
But non-root installs must still be supported, and they need it in $HOME.

This means the rc file is no longer in a fixed place, which needs code to find
the rc file first.  See comments inside new file 'gitolite.pm' for details.

The rest of the changes are in the other programs, to replace the hard-coded
rc filename with a call to this new code.
2009-10-25 12:45:45 +05:30
Sitaram Chamarty 96fa0da946 allow a/b/c type repos to be created 2009-10-23 10:14:41 +05:30
Sitaram Chamarty 59e15e62a1 support git installed outside default $PATH
(also some minor fixes to doc/3)
2009-10-13 10:03:12 +05:30
Sitaram Chamarty f883fe7d71 compile: comments+efficiency
- add better comments on the 2 main hashes
  - work around an inefficiency caused by the exclude prep code needing
    a list instead of a hash at a certain place
2009-10-05 20:21:33 +05:30
Sitaram Chamarty 616d8a5f7d compile: (large changes) parse delegated fragments if any
[Note: this is a fairly involved commit, compared to most of the others.
    See doc/5-delegation.mkd for a user-level feature description.]

    parse delegated config fragments (found as conf/fragments/*.conf).  Any
    repos being referenced within a fragment config *must* belong to the
    "@group" with the same name as the fragment.

    That is, a fragment called conf/fragments/abc.conf can only refer to repos
    that are members of the "@abc" repo group.  It cannot specify access
    control for any other repos.  If it does, those settings are ignored, and
    a warning message is produced.

    since the delegated config must have the flexibility of (re-)defining
    group names for internal convenience, and since all such definitions go
    into the same "groups" hash, it is quite easy for conf/fragments/abc.conf
    to write in its own (re-)definition of "@abc"!  That would be a neat
    little security hole :)

    The way to close it is to consider only members of the "@abc" groupset
    defined in the main ("master") config file for this purpose.
2009-10-04 10:22:57 +05:30
Sitaram Chamarty 34a6f89c26 compile: make the parse a function instead of inline
Again, prep for delegation, when we'll be reading fragments of config rules
from various files and tacking them onto the %repos hash.

note: this patch best viewed with "git diff -w", clicking "Ignore space
change" in gitk, or eqvt :-)
2009-10-04 10:10:39 +05:30
Sitaram Chamarty 3267c3f4be compile: change %groups from hash of lists to hash of hashes
This makes it easier to test if a repo is a member of a group, which is
required for the delegation feature coming up
2009-10-04 10:10:39 +05:30
Sitaram Chamarty c15c75749b compile: special-case 'gitweb' and 'daemon' from the linting
not a big deal since there's a very simple and obvious workaround -- create a
new keypair, throw away the private key, and use the pubkey
2009-10-03 10:55:30 +05:30
Sitaram Chamarty c66e1ad732 compile: pubkey related linting added
- warn about files in keydir/ that dont end with ".pub"
  - warn about pubkey files for which the user is not mentioned in config
  - warn more sternly about the opposite (user in config, no pubkey!)

update hook: add reponame to message on deny
auth: minor typo
2009-09-27 09:51:00 +05:30
Sitaram Chamarty 70d26d810b compile, all docs/confs: specify gitweb/daemon access + bonus
bonus: documented the "bits and pieces" thing properly; should have done this
long ago, but it came to the forefront now thanks to this item
2009-09-25 13:50:59 +05:30
Sitaram Chamarty 978046acb9 compile/update hook: COMPILED FILE CHANGE -- PLEASE READ BELOW
Summary:
    DONT forget to run src/gl-compile-conf as the last step in the upgrade

Details:

The compiled file format has changed quite a bit, to make it easier for the
rebel edition coming up :-)

compile:
  - we don't split RW/RW+ into individual perms anymore
  - we store the info required for the first level check separately now:
    (repo, R/W, user)
  - the order for second level check is now:
    repo, user, [{ref=>perms}...] (list of hashes)

update hook logic: the first refex that:
  - matches the incoming ref, AND
  - contains the perm you're trying to use,
causes the match loop to exit with success.  Fallthrough is failure
2009-09-21 19:36:39 +05:30
Sitaram Chamarty df3dd0de48 compile, rc, doc/3: allow custom umask 2009-09-21 14:49:27 +05:30
Sitaram Chamarty 838dd65d5f compile+doc/3: deal with older gits
- detect/warn git version < 1.6.2
  - create documentation with details on client-side workaround
  - change the "git init --bare" to (older) "git --bare init", since the old
    syntax still works anyway
2009-09-21 14:17:53 +05:30
Sitaram Chamarty 86faae4d4c compile+conf: allow lists (@listname) for reponames too
why should just usernames have all the fun :)  The "expand_userlist" function
is now "expand_list" and serves generically.  The example conf has also been
updated correspondingly
2009-09-17 20:03:38 +05:30
Sitaram Chamarty fde9708cbf compile: better message when authkeys absent
for security reasons, we refuse to create ~/.ssh/authorized_keys if it doesn't
exist.  Explain this better and point to the documentation
2009-09-17 19:57:59 +05:30
Sitaram Chamarty f54c6c7a52 compile: make error messages grab the admin's attention
required if you do "push to admin"
2009-09-15 21:02:23 +05:30
Sitaram Chamarty 694050d6c4 all src: suffixed a \n to all die's; error output looks cleaner now 2009-09-10 21:35:49 +05:30
Sitaram Chamarty 804c70f570 almost all src/conf: logging totally redone, upgrade doc added
- logs go into $GL_ADMINDIR/logs by default, named by year-month
  - logfile name template (including dir prefix) now in $GL_LOGT
  - two new env vars passed down: GL_TS and GL_LOG (timestamp, logfilename)
  - log messages timestamps more compact, fields tab-delimited
  - old and new SHAs cut to 14 characters
2009-09-06 18:07:38 +05:30
Sitaram Chamarty 208c401858 compile: chmod internal, and save "old" authkeys 2009-09-01 19:40:42 +05:30
Sitaram Chamarty 5d4d5184b4 sources: 1-line all the "do"s for brevity and clarity
and yes, brevity and clarity "do" go together in perl :)
2009-09-01 19:36:00 +05:30