Commit graph

576 commits

Author SHA1 Message Date
Sitaram Chamarty e98bde322e allow gitolite to be used when the users already have real IDs
Fedora (for example) runs like this:

  * each user has his own userid and login
  * his/her ~/.ssh/authkeys file (containing only his/her key) has a
    "command=" clause invoking just "gl-auth-command"
  * trusted users have "gl-auth-command -s" meaning they can get a shell if
    they want to

As a result, there is no specific $HOME where you can look for
.gitolite.rc.  Hence this patch

----

Side note: in addition, Fedora may have one or more of the following
characteristics (writing them here for convenience; they're not directly
relevant to this patch):

  * actual git repos are under "git" (or some such), and include the chmod g+s
    (git init --shared) unix perms tricks for shared access

  * but since they're coming through gl-auth, branch-level acls are in effect

  * the gitolite config file is generated from some database and compiled (all
    via cron)

  * they keydir/ is empty; in fact they probably don't use the admin repo at
    all, AFAIK
2010-12-28 13:58:53 +05:30
Sitaram Chamarty 5b9bf700cc allow access checks from ADC or hook
For sample code see new file contrib/adc/get-rights-and-owner.in-perl.
Despite the name, you can use similar code in a hook also -- comments in
that file will tell you how.

implementation notes:

  - check_access now takes an optional last arg "dry_run", which is also
    passes through to check_ref
  - check_ref returns a "DENIED by ..." instead of die-ing if dry_run is
    passed in

  - as a side effect, cli_repo_rights is now just a stub calling
    check_access (we kept it hanging around for backward compat -- too
    much adc pain for too many people if we change it now)
2010-12-25 12:40:41 +05:30
Sitaram Chamarty f88b097db1 v1.5.8 2010-12-25 05:58:27 +05:30
Sitaram Chamarty 975a0d05b0 minor fix to mirror-shell...
needed if $REPO_BASE contains slashes.

(reported/code sent by Dylan Simon)
2010-12-25 05:58:26 +05:30
Sitaram Chamarty 45a696c419 fine tune "no pubkeys" warning
perm categories (like READERS and WRITERS, or whatever you put in your
$GL_WILDREPOS_PERM_CATS) are *supposed* to "have no pubkeys"; don't warn
about them
2010-12-25 05:58:26 +05:30
Sitaram Chamarty 5f3344025c (minor) doc updates 2010-12-25 05:58:26 +05:30
Sitaram Chamarty 2bbcc8239c tighten up pattern to check rsync arguments
thanks to Joe Schaefer at the ASF for catching it.  Note that this new
pattern *may* be too restrictive -- if you're using this feature and
have a problem with the new pattern please email me.

See email to gitolite mailing list around this date (2010-11-28) for
more details.
2010-11-28 20:12:39 +05:30
Sitaram Chamarty db97c5a40a (minor) indentation fix
been meaning to do it for a while, but I got a push:

http://colabti.org/irclogger/irclogger_log/git?date=2010-11-26#l622

----

If I had been on the channel at that time I may have quoted Emerson on
"consistency" just for the fun of it...  ;-)
2010-11-28 09:34:47 +05:30
Teemu Matilainen 21a00bd6a9 gl-setup: Replace similar long one-liners with functions 2010-11-21 19:16:52 +05:30
Teemu Matilainen b0d641ef48 gl-setup: Avoid stupid "cd -" simulation tricks
They don't work if someone calls the script for example
    su - gitolite -c gl-setup <key>
from a directory where "gitolite" user does not have permissions (e.g.
0700), then 'cd $od' fails and we stay in gitolite's $HOME.

[commit message changed by committer; author was more polite ;-)]
2010-11-20 22:18:16 +05:30
Teemu Matilainen d8179f09bf Print to STDERR when dying
Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-11-20 21:54:56 +05:30
Sitaram Chamarty 5ce22e135d (contrib) update-email-check added; please read comments first! 2010-11-19 15:33:26 +05:30
Sitaram Chamarty c1b27eae22 stick to regex metas that come with perl 5.8
we have a stated aim to work with any perl that git is happy with, which
means it should work with perl 5.8.  At least :)
2010-11-18 19:23:13 +05:30
Sitaram Chamarty 74726fdc31 added watch ADC (includes documentation), courtesy mitchell@kde.org 2010-11-18 12:40:09 +05:30
Sitaram Chamarty 7313d48247 gitolite-down: disable write-access to take backups
(we quietly do not document the 'able' adc, which is now the most
"official" adc in the sense that it has a new test, t64-write-able!)

other notes: fix bug in 'able' (not setting $loc)
2010-11-16 22:57:23 +05:30
Sitaram Chamarty 16ab95665c (admin doc) try that "moving servers" thing again :) 2010-11-16 14:35:39 +05:30
Sitaram Chamarty acfaa421d1 BSD compat changes
- openssh 5.6 doesn't like "ssh user@host" with no command following
    it, because they changed the rules for pty allocation failure.

    I'm calling this a BSD compat change because BSD hit it first, but
    really, the "ssh -T" will eventually be needed by Linuxes also, as
    they start upgrading to openssh 5.6

  - FreeBSD (and I presume the other BSDs also) *require* a "-t"
    argument to mktemp (thanks to matias for finding this).

    Note that on FreeBSD, -t is a prefix (the X's are taken literally,
    and the real random stuff gets appended to the prefix), while on
    Linux, it is a template (the X's are converted to random
    characters).  Thus, on BSD you will get names like
    /tmp/tmp.XXXXXXXXXX.1BAEGkHm, whereas on Linux you'll get
    /tmp/tmp.Aq7vbdNpGp or something.
2010-11-15 05:25:19 +05:30
Sitaram Chamarty 0b6edbf7c2 (minor) fix doc refs missed when we renamed some doc files 2010-11-15 05:25:18 +05:30
Sitaram Chamarty ad727488fc (install doc) various updates
(thanks to a somewhat heated "discussion" with "abstrakt" on #git)

While I don't agree with everything he said, some improvements are
always possible (always, always!) in docs:

  - move the "conventions used" section closer to the action
  - add note about RPM/DEB using "gitolite" as the user, not "git"
  - de-emphasise multiple gitolite hosting users at the top; refer
    advanced users to the already present detailed section later instead
  - in that section, add a bit of intro, and hand-wave the inconsistency
    between its 2 sub-sections ;-)

----

Unrelated to the "discussion" today, someone else (running Arch? don't
remember) had a system where /usr/local/bin was not in $PATH for a
normal user, so I added a note about that.
2010-11-14 11:05:13 +05:30
Sitaram Chamarty 64728c805b (admin doc) moving servers 2010-11-12 19:27:17 +05:30
Sitaram Chamarty 270e0b9157 (minor) support saying 'repo.git' in the config file
but complain loudly so they stop doing this... :-)
2010-11-10 18:07:58 +05:30
Teemu Matilainen 6eb8558e8d compile: Allow empty @group definitions
Use case: group information is generated from an external system and
because of synchronization or authorization restrictions some groups
can be empty.

Signed-off-by: Teemu Matilainen <teemu.matilainen@reaktor.fi>
2010-11-10 12:38:15 +05:30
Sitaram Chamarty 182b1d0b34 (who-uses) Gentoo's overlay system now uses gitolite 2010-11-07 21:59:49 +05:30
Sitaram Chamarty 047790140a custom perm categories in setperms (WARNING: PLEASE READ FULL COMMIT MESSAGE)
THE COMPILED CONFIG FILE FORMAT CHANGES WITH THIS VERSION.  PLEASE DO
NOT MIX VERSIONS OR DOWNGRADE.  Upgrading using normal gitolite upgrade
means should be fine, though.

Originally, we only allowed "R" and "RW" as categories of users supplied
to the `setperms` command.  These map respectively to "READERS" and
"WRITERS" in the access rules.

Now:

  - we prefer READERS instead of R and WRITERS instead of RW
  - we allow the admin to define other categories as she wishes
    (example: MANAGERS, TESTERS, etc).  These do not have abbreviations,
    however, so they must be supplied in full.

PLEASE, *PLEASE*, read the section in doc/wildcard-repositories.mkd for
more info.  This is a VERY powerful feature and if you're not careful
you could mess up the ACLs nicely.

Backward compat note: you can continue to use the "R" and "RW"
categories when running the "setperms" command, and gitolite will
internally convert them to READERS and WRITERS categories.

----

implementation notes:

  - new RC var called GL_WILDREPOS_PERM_CATS that is a space-sep list of
    the allowed categories in a gl-perms file; defaults to "R RW" if not
    specified

  - wild_repo_rights no longer returns $c, $r, $wC, where $r = $user if
    "R $user", $r = '@all' if "R @all", and similarly with $w and "RW".

    Instead it returns $c and a new hash that effectively gives the same
    info, but expanded to include any other valid categories (listed in
    GL_WILDREPOS_PERM_CATS)

  - consequently, the arguments that parse_acl takes also change the
    same way

  - (side note: R and RW are quietly converted to READERS and WRITERS;
    however, new categories that you define yourself do not have
    abbreviations)

  - setperms validates perms to make sure only allowed categories are
    used; however even if someone changed them behind the scenes,
    wild_repo_rights will also check.  This is necessary in case the
    admin tightened up GL_WILDREPOS_PERM_CATS after someone had already
    setperms-d his repos.

  - as a bonus, we eliminate all the post-Dumper shenanigans, at least
    for READERS and WRITERS.  Those two now look, to the compile script,
    just like any other usernames.
2010-11-06 21:03:34 +05:30
Sitaram Chamarty 4df32c3ff0 v1.5.7 2010-11-06 18:53:01 +05:30
Sitaram Chamarty a690058ce6 (test driver) editrc function buglet
Till now I did not have an RC var whose name was a prefix of another
valid RC var, so I never noticed that editrc would set the longer one
also when you set the shorter one.

Fixed
2010-11-06 12:35:46 +05:30
Sitaram Chamarty 0be96f7cc1 (tests) added t62 for 32056e0 2010-11-06 12:35:46 +05:30
Sitaram Chamarty 70359ce9ba (minor) doc fixes 2010-11-05 16:08:11 +05:30
Sitaram Chamarty 9716e32456 cbreak on #git: "I did bet that there are hundreds of sitaram admins out there"
Well from now on they will be called "YourName".

Even better quote from essial on #git (after literally typing in
"sitaram.pub" instead of substituting his name as the instructions [in
bold] tell him to do):

    come on you know how ubuntu users are
    if they see fixed width fonts inside a box they immediately copy-paste it

UBUNTU USERS: I DIDN'T SAY THAT, SOMEONE ELSE DID!  For details see
http://colabti.org/irclogger/irclogger_log/git?date=2010-11-04#l2417

[Although, since you apparently are quite happy to use a system that
default installs mono I doubt these little jibes matter to you
anyway...]

[idea: distribute my own pubkey with gitolite and instantly get access
to every gitolite install that is not behind a firewall, anywhere in the
world.  No one will notice or realise what I'm doing - MUAHAHAHAHA!!!]
2010-11-05 06:36:35 +05:30
Sitaram Chamarty 7ddc3ea4c6 gl-setup should not assume $PWD is writable
noticed by idl0r when running it via cfengine
2010-11-04 13:24:41 +05:30
Sitaram Chamarty 04d68fe3e9 gerrit doc updates following Shawn's email
(git ml, subject line "bugs in gitosis")
2010-10-29 16:15:33 +05:30
Sitaram Chamarty 6386d8ca2f gl-reflog adc gains 'usage', loses some crappy warnings
(actually these warnings can come in many other situations; I just
noticed them when testing this adc)
2010-10-28 19:34:46 +05:30
Sitaram Chamarty 5b3dcb3757 a slew of adc changes; details below:
- get_rights_and_owner normalises its arg1 by stripping .git if
    supplied, then sets the variable "repo" to the result as a side
    effect
  - new "help" adc with some default text but main purpose is to allow
    site local help text
  - other adc's refer to 'help' adc when appropriate
  - 'undelete' renamed to 'restore'; that's what the KDE "trashcan"
    program calls that operation
  - minor typo in sample script in documentation
  - main adc doc points to contrib/adc/repo-deletion.README now
2010-10-28 16:43:04 +05:30
Sitaram Chamarty 9fc521930d new adc: "who-pushed" prints the last person who pushed the given sha 2010-10-27 18:45:51 +05:30
Sitaram Chamarty 3e5cfab61f (minor) update gerrit doc re read restrictions 2010-10-26 20:30:10 +05:30
Sitaram Chamarty 84fe767b64 pubkeys and the pareto principle! 2010-10-26 20:30:10 +05:30
Sitaram Chamarty 0316baf726 mirror code learns receive.fsckObjects 2010-10-26 20:30:10 +05:30
Clint Adams 38c23b850f Monkeysphere integration documentation. 2010-10-26 09:01:24 +05:30
Sitaram Chamarty 8202ad6d8a (minor) allow @all to be combined with other items
This was a very old quirk/oddity.  Doing

    R       =   @all alice

would fail, but you could still do

    R       =   @all
    R       =   alice

Now we fixed it so it's consistent.

----

This also fixed a curious bug that no one ever caught:

    @all = u1 u2        # yes -- there was no check on redefining @all
    repo foo
        R   =   @all u3 # now would not fail because of defining @all

would have given only those 3 users R access to foo, not really @all
users!  This was because the previous failure message was an artifact of
not finding an expansion for @all, not a genuine "why are you saying
@all and then specifying some user explicitly" warning!
2010-10-24 18:27:56 +05:30
Sitaram Chamarty 10289c6d64 warning against server-side fiddling (<sigh>)
I had someone delete the admin repo on the server, then run gl-setup
again, and complain that included config files did not get restored.

There have been others (see below) before with similar demands, but
those at least had the excuse of being provoked by genuine mistakes.
This guy was intentionally breaking stuff server side.

Wish I could say he was stupid, but actually he was probably smarter
than I.  Just that his idea of the limits of gitolite's responsibility
was vastly different from mine.

----

[1] There was this guy who, as root, went on a "chmod go-rwx" spree for
security, which bollixed up gitweb access to all his repos, so he tells
me gitolite should be able to fix all the permissions on the next admin
push at least?  (That is, instead of just setting umask as it currently
does, it should go on a chmod spree just like he did).

[2] Then there was the guy who told me gitolite should re-create all the
"gl-creater" files for his wildcard repos because he was restoring from
a git push --mirror backup and that doesn't preserve those files?  I
tried to tell him that a git push --mirror doesn't preserve "config" or
"description" or "info/exclude" or any of the other files that git (not
gitolite) maintains, but he didn't care -- losing those did not affect
him (or he never had them), but losing these affected access control,
and it's my fault.
2010-10-23 23:01:12 +05:30
Sitaram Chamarty cd0eac8c3f (minor) a slew of little docfixes 2010-10-23 23:01:12 +05:30
Sitaram Chamarty 66b65e5e1d (doh!) make gitolite.pm easier for packagers
should have done this long ago...
2010-10-23 17:43:19 +05:30
Sitaram Chamarty cb0a9bdb0c ADC "rmrepo" replaced by "rm" and "trash", with helper ADCs
helpers for 'rm': lock, unlock
helpers for 'trash': list-trash, undelete

common functions updated with local settings for ADCs as well
2010-10-22 17:43:09 +05:30
Sitaram Chamarty a0aecbb012 (minor) provide more info on symlink failure 2010-10-19 19:27:27 +05:30
Sitaram Chamarty 87cf2d4892 minor doc clarification on easy-install requiring 2 keys for the admin 2010-10-17 05:12:19 +05:30
Sitaram Chamarty d1515ea8d8 update CHANGELOG 2010-10-16 14:46:32 +05:30
Sitaram Chamarty 99d6b4875c adc su-expand to allow admin to run 'expand' on other users 2010-10-16 12:22:47 +05:30
Sitaram Chamarty 3cf2970e0e info leak prevention can be a little more friendly
and acquire some German formality while you're about it ;-)
2010-10-08 05:45:26 +05:30
Sitaram Chamarty db0485fa7e new method for passing usergroup info (warning: minor backward compat breakage)
The old method of passing in usergroup info had some problems, which are
now fixed.  It is also much easier to use now -- no more "wrapper"
script, plus it should work identially whether you use sshd or httpd.

See doc/big-config.mkd for details on the new method.

----

Notes on problems with the old method:

The old method for passing in usergroup info consisted of tacking them
on as extra arguments to gl-auth-command, after the username.

However, there are some problems with this method.

Some actions in gitolite look for permissions for users other than the
invoking user.  Determining permissions for gitweb and daemon is one.
An admin asking for "info" on some other user, is another.

However, the list of groups sent in via the command line
pertains only to the invoking user, so these actions don't work
correctly.  They may even pick up the wrong permissions.

What it all boils down to is that we need group information for any user
dynamically, instead of being passed a (static) list just for the
invoking user.
2010-10-07 20:20:39 +05:30
Sitaram Chamarty ba39d93e28 (minor glitch in sudo adc)
thanks to jeff for finding it...
2010-10-06 22:57:45 +05:30