From af9c50c1c92828f58645dcaec8bc9d092928894f Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay" <mackyle@gmail.com>
Date: Mon, 17 Nov 2014 08:43:40 -0800
Subject: [PATCH] git: make sure Git runs with a consistent and reproducible
 config

Arrange for GIT_CONFIG_NOSYSTEM=1 and GIT_ATTR_NOSYSTEM=1 to always
be set when running Git.

Addtionally cause XDG_CONFIG_HOME to be set to
$Config::chroot.'/var/empty' and HOME to be set to
$Config::chroot.'/etc/girocco' when running Git so that a consistent
set of config values will be seen.

After the $chroot database is set up (by running `make install`),
a $chroot/etc/girocco/.gitconfig file may be created (along with
its girocco parent directory) in order to set non-default values
for any desired config items when Girocco runs Git.
---
 Girocco/Config.pm           |  7 +++++++
 bin/git-http-backend-verify |  9 +++++++++
 bin/git-shell-verify        | 12 ++++++++++++
 install.sh                  | 19 +++++++++++++------
 shlib.sh                    |  8 ++++++++
 5 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/Girocco/Config.pm b/Girocco/Config.pm
index ad6321b..dbd07e2 100644
--- a/Girocco/Config.pm
+++ b/Girocco/Config.pm
@@ -523,4 +523,11 @@ our $httpsdnsname = ($httpspushurl =~ m,https://([A-Za-z0-9.-]+),i) ? lc($1) : u
 ($chrooted or not $mob) or die "Girocco::Config: mob user supported only in the chrooted mode";
 (not $httpspushurl or $httpsdnsname) or die "Girocco::Config invalid \$httpspushurl does not start with https://domainname";
 
+# Make sure Git has a consistent and reproducible environment
+
+$ENV{'XDG_CONFIG_HOME'} = $chroot.'/var/empty';
+$ENV{'HOME'} = $chroot.'/etc/girocco';
+$ENV{'GIT_CONFIG_NOSYSTEM'} = 1;
+$ENV{'GIT_ATTR_NOSYSTEM'} = 1;
+
 1;
diff --git a/bin/git-http-backend-verify b/bin/git-http-backend-verify
index cabade8..f9e886b 100755
--- a/bin/git-http-backend-verify
+++ b/bin/git-http-backend-verify
@@ -16,6 +16,15 @@ set -e
 
 . @basedir@/shlib.sh
 
+GIT_CONFIG_NOSYSTEM=1
+GIT_ATTR_NOSYSTEM=1
+XDG_CONFIG_HOME="$cfg_chroot/var/empty"
+HOME="$cfg_chroot/etc/girocco"
+export GIT_CONFIG_NOSYSTEM
+export GIT_ATTR_NOSYSTEM
+export XDG_CONFIG_HOME
+export HOME
+
 [ -z "$GIT_HTTP_BACKEND_BIN" ] || cfg_git_http_backend_bin="$GIT_HTTP_BACKEND_BIN"
 [ -n "$cfg_git_http_backend_bin" ] ||
 	cfg_git_http_backend_bin=/usr/lib/git-core/git-http-backend
diff --git a/bin/git-shell-verify b/bin/git-shell-verify
index 351fde7..4d54b81 100755
--- a/bin/git-shell-verify
+++ b/bin/git-shell-verify
@@ -8,16 +8,28 @@
 
 set -e
 
+GIT_CONFIG_NOSYSTEM=1
+GIT_ATTR_NOSYSTEM=1
+
 if ! [ -x /usr/bin/perl ]; then
 	# We are INSIDE the chroot
 	reporoot=/@jailreporoot@
+	XDG_CONFIG_HOME=/var/empty
+	HOME=/etc/girocco
 else
 	# We are NOT INSIDE the chroot
 	reporoot=@reporoot@
+	XDG_CONFIG_HOME=@chroot@/var/empty
+	HOME=@chroot@/etc/girocco
 fi
 mob=@mob@
 webadmurl=@webadmurl@
 
+export GIT_CONFIG_NOSYSTEM
+export GIT_ATTR_NOSYSTEM
+export XDG_CONFIG_HOME
+export HOME
+
 # Only the following commands are allowed:
 #
 #   git-shell -c "git-receive-pack 'dir'"
diff --git a/install.sh b/install.sh
index 2ee3159..f4581b0 100755
--- a/install.sh
+++ b/install.sh
@@ -114,12 +114,19 @@ cp -p src/can_user_push src/can_user_push_http src/get_user_uuid ezcert.git/CACr
 
 echo "*** Preprocessing scripts..."
 perl -I. -M$GIROCCO_CONF -i -p \
-	-e 's/(?<!")\@basedir\@/"$Girocco::Config::basedir"/g;' -e 's/(?<=")\@basedir\@/$Girocco::Config::basedir/g;' \
-	-e 's/\@reporoot\@/"$Girocco::Config::reporoot"/g;' -e 's/\@jailreporoot\@/"$Girocco::Config::jailreporoot"/g;' \
-	-e 's/\@webadmurl\@/"$Girocco::Config::webadmurl"/g;' -e 's/\@screen_acl_file\@/"$Girocco::Config::screen_acl_file"/g;' \
-	-e 's/\@mob\@/"$Girocco::Config::mob"/g;' "$cfg_basedir"/jobs/*.sh "$cfg_basedir"/jobd/*.sh \
-	"$cfg_basedir"/taskd/*.sh "$cfg_basedir"/gitweb/*.sh "$cfg_basedir"/shlib.sh "$cfg_basedir"/hooks/* \
-	"$cfg_basedir"/toolbox/* "$cfg_basedir"/bin/git-* "$cfg_basedir"/bin/create-* "$cfg_basedir"/bin/update-* \
+	-e 's/(?<!")\@basedir\@/"$Girocco::Config::basedir"/g;' \
+	-e 's/(?<=")\@basedir\@/$Girocco::Config::basedir/g;' \
+	-e 's/\@reporoot\@/"$Girocco::Config::reporoot"/g;' \
+	-e 's/\@jailreporoot\@/"$Girocco::Config::jailreporoot"/g;' \
+	-e 's/\@chroot\@/"$Girocco::Config::chroot"/g;' \
+	-e 's/\@webadmurl\@/"$Girocco::Config::webadmurl"/g;' \
+	-e 's/\@screen_acl_file\@/"$Girocco::Config::screen_acl_file"/g;' \
+	-e 's/\@mob\@/"$Girocco::Config::mob"/g;' \
+	"$cfg_basedir"/jobs/*.sh "$cfg_basedir"/jobd/*.sh \
+	"$cfg_basedir"/taskd/*.sh "$cfg_basedir"/gitweb/*.sh \
+	"$cfg_basedir"/shlib.sh "$cfg_basedir"/hooks/* \
+	"$cfg_basedir"/toolbox/* "$cfg_basedir"/bin/git-* \
+	"$cfg_basedir"/bin/create-* "$cfg_basedir"/bin/update-* \
 	"$cfg_basedir"/bin/authrequired.cgi "$cfg_basedir"/screen/*
 
 # Dump all the cfg_ and defined_ variables to shlib_vars.sh
diff --git a/shlib.sh b/shlib.sh
index f57b958..6c4a8b0 100644
--- a/shlib.sh
+++ b/shlib.sh
@@ -65,6 +65,14 @@ git() (
 	[ "${GIT_SSL_NO_VERIFY+set}" = "set" ] && export GIT_SSL_NO_VERIFY
 	[ "${GIT_TRACE_PACKET+set}" = "set" ] && export GIT_TRACE_PACKET
 	[ "${GIT_USER_AGENT+set}" = "set" ] && export GIT_USER_AGENT
+	XDG_CONFIG_HOME="$cfg_chroot/var/empty"
+	HOME="$cfg_chroot/etc/girocco"
+	GIT_CONFIG_NOSYSTEM=1
+	GIT_ATTR_NOSYSTEM=1
+	export XDG_CONFIG_HOME
+	export HOME
+	export GIT_CONFIG_NOSYSTEM
+	export GIT_ATTR_NOSYSTEM
 	exec "$cfg_git_bin" "$@"
 )
 
-- 
2.11.4.GIT