[Fusionforge-general] [RFC] Git over smart-HTTP

Roland Mas lolando at debian.org
Wed Apr 9 15:28:21 CEST 2014


  Hi all,

  In order to allow concurrent SSH + HTTP(S) access to Git repositories,
I implemented a prototype using the MPM-ITK Apache2 module.  It
basically runs git-http-backend as a CGI when inside a specific vhost,
under the identity of the user performing the request.  So that means
that hooks and so on don't grant access to anything beyond what the user
would have through SSH, yet they can clone and push even from
restrictive networks.  The authentication/authorization part is managed
by Apache with basic auth (userfile/groupfile) and a set of macros.

  The patch (currently based on deb-packaging/debian/5.3 because that's
where I work) works, and allows both authenticated read-write access and
anonymous read-only access.  It's not complete (in particular from the
packaging point of view), though.

  On top of the possible performance penalty due to MPM-ITK, there's
another downside: since MPM-ITK performs HTTP authentication *after* the
setuid()/setgid(), the userfile needs to be readable, which exposes the
(encrypted) passwords.  It may be possible to fix that, by doing the
authentication first (as the standard Apache user) then proxying the
request through a Unix socket to a different process that will perform
the setuid()/setgid() and then the Git command.  I'll work on that in
the coming days.

  In the meantime, please find attached the current version of the
patch.  I welcome comments and suggestions.

Roland.
-- 
Roland Mas

Shyumiribirikku ga susunde imashyou ka ?
  -- The Schmilblick in Japanese
-------------- next part --------------
A non-text attachment was scrubbed...
Name: git-over-smarthttp.diff
Type: text/x-diff
Size: 22603 bytes
Desc: not available
URL: <http://lists.fusionforge.org/pipermail/fusionforge-general/attachments/20140409/23b76e07/attachment.diff>
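The alternative design sketched in the message (authenticate as the Apache user, then hand the request over a Unix socket to a process that drops to the requesting user before running git) as an added illustration; this is not Roland's patch or FusionForge code. It keeps the stated policy, anonymous read-only and authenticated read-write, by mapping each smart-HTTP request to its git service before any privilege change. The NUL-separated wire format, APACHE_UID, the git-http-backend path and running anonymous reads as `nobody` are assumptions.

```python
# Illustrative privilege-separated helper for git-http-backend (not the FusionForge patch).
import grp
import os
import pwd
import socket
import struct
from urllib.parse import parse_qs

APACHE_UID = 33  # assumption: uid Apache runs as; only it may use the helper
GIT_HTTP_BACKEND = "/usr/lib/git-core/git-http-backend"  # Debian path

def service_of(method, path_info, query_string):
    """Map a smart-HTTP request to the git service it drives."""
    if method == "POST":
        return path_info.rsplit("/", 1)[-1]  # .../git-upload-pack or .../git-receive-pack
    if path_info.endswith("/info/refs"):  # ref advertisement names the service
        return parse_qs(query_string).get("service", ["git-upload-pack"])[0]
    return "git-upload-pack"  # dumb-HTTP reads (HEAD, objects/...) are read-only

def authorize(remote_user, service):
    """Anonymous callers may only read; pushes require an authenticated user."""
    if service == "git-upload-pack":
        return True
    return service == "git-receive-pack" and bool(remote_user)

def peer_uid(conn):
    """SO_PEERCRED: uid of the process at the other end of the socket (Linux)."""
    return struct.unpack("3i", conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i")))[1]

def drop_privileges(user):
    """Become `user` irreversibly: supplementary groups, then gid, then uid."""
    pw = pwd.getpwnam(user)
    os.setgroups([g.gr_gid for g in grp.getgrall() if user in g.gr_mem])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if os.getuid() != pw.pw_uid or os.getgid() != pw.pw_gid:
        raise RuntimeError("privilege drop did not take effect")

def serve_one(conn):
    """Handle one request: NUL-separated 'KEY=value' CGI variables (assumed wire format)."""
    env = dict(kv.split("=", 1) for kv in conn.recv(65536).decode().split("\0") if "=" in kv)
    service = service_of(env.get("REQUEST_METHOD", ""), env.get("PATH_INFO", ""), env.get("QUERY_STRING", ""))
    if peer_uid(conn) != APACHE_UID or not authorize(env.get("REMOTE_USER", ""), service):
        conn.sendall(b"Status: 403 Forbidden\r\n\r\n")  # wrong caller, or a push without a login
    elif os.fork() == 0:  # child: socket becomes stdin/stdout, then become the user and run git
        for fd in (0, 1):
            os.dup2(conn.fileno(), fd)
        drop_privileges(env.get("REMOTE_USER") or "nobody")  # assumption: anonymous reads run as nobody
        os.execve(GIT_HTTP_BACKEND, ["git-http-backend"], env)
    conn.close()
```

The Apache side must still pass GIT_PROJECT_ROOT (or GIT_HTTP_EXPORT_ALL) with the usual CGI variables, and the password file stays readable only by Apache because the helper never touches it.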