File: anonymous_git_push.mdwn

package info (click to toggle)
ikiwiki-hosting 0.20140613
  • links: PTS
  • area: main
  • in suites: jessie, jessie-kfreebsd
  • size: 788 kB
  • ctags: 283
  • sloc: perl: 5,124; sh: 182; ansic: 168; makefile: 50
file content (67 lines) | stat: -rw-r--r-- 3,165 bytes parent folder | download | duplicates (7) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
 
[[done]].. needs some testing though

<http://ikiwiki.info/tips/untrusted_git_push/>

The main sticking point on this is that git-daemon runs as a single user,
who cannot write to all the sites. Seems some sort of suid wrapper is
called for.. Or is it?

How about this:

* Add a "ikiwiki-anon" user, with locked password etc. Run git-daemon
  as that user. (done)
* In branchable plugin, add a new "anonpush" config setting.
  Should default to false, and be forced to false when branchable=0.
  (done)
* Set `untrusted_committers` to ikiwiki-anon on all sites by default.
  (done)
* Set `git_wrappermode: 6755` on all sites. (ikiwiki-anon will run the
  wrapper when a commit is pushed; need to run it as the site user) (done)
* Make ~/source.git and all its contents be writable be ikiwiki-anon.
  Somehow. Note that normal unix permissions don't suffice. (done?)
* When anonpush is enabled, enable `git_test_receive_wrapper` -- 
  and when it's disabled, disable it, and delete the hook. (That
  hook slows down all commits some.. a C wrapper that
  just checks the uid of the committer would allow speeding it back up.)
  (done)
* When anonpush is enabled, **after** wrapper setup. 
  run: `git config daemon.receivepack = true`
  (and undo when disabled). (done)
* Set core.sharedRepository to true, in all bare repos. Needed to ensure
  dirs in bare repo are always made writable by group.
  (Already done, and spot checks indicate it's working; also tested
  that it works when the sourcedir is temporarily 700 and a commit comes
  in.)
* Update do=branchable page to say when anonpush is enabled. (done)

## permissions mess

All the above is reasonable except the bit about permissions. Problem is
that both ikiwiki-anon and the site user need to be able to write to the
git repo. But it's not enough to make it 02775 siteuser:ikiwiki-anon, because
when ikiwiki-anon makes new directories like objects/xx/, it will own
them, and as the site user is not in the ikiwiki-anon group, it will not
be able to write to those subdirs, leading to later failure.
Similarly, when the site user makes commits, it will make directories owned
by it, that ikiwiki-anon cannot write to.

The site user cannot be in the ikiwiki-anon group, because then they could
access and write to other sites' repositories.

Pre-creating all possible object subdirectories and making them 
02755 siteuser:ikiwiki-anon probalby won't work well; git-gc will
delete empty object subdirectories, and it would be easy to miss some
directory that git creates.

Use ACLs? Would require filesystem support (ie, that ext234 filesystems be
mounted with 'acl' option, which does not appear to be the default). 

The magic settings seem to be:

	chmod g+s source.git # already done by git init --bare --shared
	sudo setfacl -R -m d:g:ikiwiki-anon:rwX,d:g:$siteuser:rwX,g:ikiwiki-anon:rwX,g:$siteuser:rwX source.git

This allows ikiwiki-anon to read/write to all files/dirs in the repo,
and sets all directories to propigate the ACL to new files/dirs as they
are created. When ikiwiki-anon creates a file or directory, it will
be owned by ikiwiki-anon:siteuser, and siteuser can always write to it.