| commit | 56a52a1e7768ddd718a2df14c8ee7d6477ec5ebb | |
| author | Kyle J. McKay <mackyle@gmail.com> | |
| Tue, 7 May 2013 18:21:27 +0000 (7 11:21 -0700) | ||
| committer | Kyle J. McKay <mackyle@gmail.com> | |
| Sat, 29 Jun 2013 10:34:22 +0000 (29 03:34 -0700) | ||
| tree | cce061d9998cd46343c5f6ea2aa531a7e2239ab5 | treesnapshot (tar.gz zip) |
| parent | c2c0b8e3031b1e3e8c06f3fff2f040cb664cd0d4 | commitdiff |
Remove fixupd entirely
By making all the chroot jail users a member of the $owning_group
(changing their passwd group from 65534 to $owning_group) and adding
a simple can_user_push utility to the jail, individual projects can
now remain owned by $cgi_user:$owning_group instead of the chroot
jail users and groups.
These changes make it possible to support pushing via https and
such permission checks are enabled in the update hook whenever
GIT_PROJECT_ROOT is set as it will be when pushing via the
git-http-backend utility.
After installing this update, the can_user_push utility must be
installed in the chroot jail and then the update hook of all
pre-existing repositories must be replaced with the new version
from $basedir/hooks/update and sudo chown -R $cgi_user:$owning_group
must be performed on $reporoot (and possibly $reporoot-recyclebin)
followed by sudo chmod -R g+w on $reporoot (and possibly
$reporoot-recyclebin). And lastly all the user passwd entries in
the chroot jail etc/passwd file need to have their group changed
from 65534 to $owning_group.
In order to support smart https push, apache must be configured so
that REMOTE_USER is set properly (the push user name with an optional
"/UID=" prefix) when git-http-backend is run.
By making all the chroot jail users a member of the $owning_group
(changing their passwd group from 65534 to $owning_group) and adding
a simple can_user_push utility to the jail, individual projects can
now remain owned by $cgi_user:$owning_group instead of the chroot
jail users and groups.
These changes make it possible to support pushing via https and
such permission checks are enabled in the update hook whenever
GIT_PROJECT_ROOT is set as it will be when pushing via the
git-http-backend utility.
After installing this update, the can_user_push utility must be
installed in the chroot jail and then the update hook of all
pre-existing repositories must be replaced with the new version
from $basedir/hooks/update and sudo chown -R $cgi_user:$owning_group
must be performed on $reporoot (and possibly $reporoot-recyclebin)
followed by sudo chmod -R g+w on $reporoot (and possibly
$reporoot-recyclebin). And lastly all the user passwd entries in
the chroot jail etc/passwd file need to have their group changed
from 65534 to $owning_group.
In order to support smart https push, apache must be configured so
that REMOTE_USER is set properly (the push user name with an optional
"/UID=" prefix) when git-http-backend is run.
25 files changed:
| Girocco/Config.pm | diffblobblamehistory | |
| Girocco/ProjPerm.pm | diffblobblamehistory | |
| Girocco/Project.pm | diffblobblamehistory | |
| Girocco/User.pm | diffblobblamehistory | |
| INSTALL | diffblobblamehistory | |
| Makefile | diffblobblamehistory | |
| README | diffblobblamehistory | |
| TODO | diffblobblamehistory | |
| cgi/regproj.cgi | diffblobblamehistory | |
| cron/README | diffblobblamehistory | |
| cron/girocco | diffblobblamehistory | |
| fixupd/README | [deleted file] | blobblamehistory |
| fixupd/fixup.sh | [deleted file] | blobblamehistory |
| fixupd/fixupd.sh | [deleted file] | blobblamehistory |
| hooks/update | diffblobblamehistory | |
| install.sh | diffblobblamehistory | |
| jailsetup.sh | diffblobblamehistory | |
| jobd/gc.sh | diffblobblamehistory | |
| screen/README | diffblobblamehistory | |
| screen/root | [deleted file] | blobblamehistory |
| src/.gitignore | [new file with mode: 0644] | blob |
| src/Makefile | [new file with mode: 0644] | blob |
| src/can_user_push.c | [new file with mode: 0644] | blob |
| toolbox/run-fixupd.sh | [deleted file] | blobblamehistory |
| toolbox/updateroot.sh | [deleted file] | blobblamehistory |