author | Linnnus <[email protected]> | 2024-07-31 17:43:37 +0200 |
committer | Linnnus <[email protected]> | 2024-07-31 17:53:46 +0200 |
commit | 067aa5baf419711eb24c5f4081c692f15c5fec47 (patch) | |
tree | 07393217a43c95ad970b5ad3e7b9a67d11095f5b /hosts | |
parent | c8b64a7f95bb3e6074fb36127b843e7879fbd8c4 (diff) |
ahmed: Fix Git clone
CGit farms out the handling of the HTTP requests sent by the Git CLI to
another CGI script. This script was failing because of "dubious
ownership". This is a security check run by Git to ensure malicious
repositories on network drives don't get arbitrary code execution. The
problem is: the CGI script was running as root, as that is what the
fcgiwrap systemd service was configured for, but the repository is owned
by the 'git' user.
Since I trust the repositories, I had to patch Git to ignore this check.
Actually getting the NixOS CGit module to use the patched version of Git
proved rather difficult...
In the future I should probably
a) Make sure fcgiwrap isn't running as root since it directly interacts
with all sorts of untrusted user input.
b) Remove this ugly hack. There's a reason for the security check after
all. Just because it matters _less_ in this case doesn't mean it's
wise to ignore it completely.
Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/ahmed/git.linus.onl/default.nix | 14 | ||||
-rw-r--r-- | hosts/ahmed/git.linus.onl/no-ownership-check-for-root.patch | 14 |
2 files changed, 28 insertions, 0 deletions
diff --git a/hosts/ahmed/git.linus.onl/default.nix b/hosts/ahmed/git.linus.onl/default.nix
index 1436eda..bf9fe0b 100644
--- a/hosts/ahmed/git.linus.onl/default.nix
+++ b/hosts/ahmed/git.linus.onl/default.nix
@@ -2,6 +2,7 @@
 config,
 pkgs,
 metadata,
+ lib,
 ...
 }: let
 git-shell = "${pkgs.gitMinimal}/bin/git-shell";
@@ -54,6 +55,7 @@ in {
 # Public git viewer.
 services.cgit."git.linus.onl" = {
 enable = true;
+ scanPath = location;
 settings = let
 package = config.services.cgit."git.linus.onl".package;
@@ -84,5 +86,17 @@ in {
 enableACME = useACME;
 forceSSL = useACME;
 };
+
+ # Monkey-patch the version of Git used by CGit to handle requests.
+ services.nginx.virtualHosts."git.linus.onl" = {
+ locations."~ /.+/(info/refs|git-upload-pack)".fastcgiParams = {
+ SCRIPT_FILENAME = lib.mkForce "${pkgs.git.overrideAttrs (old: {
+ patches = (old.patches or []) ++ [
+ ./no-ownership-check-for-root.patch
+ ];
+ })}/libexec/git-core/git-http-backend";
+ GIT_NO_CHECK_OWNERSHIP = "1";
+ };
+ };
 };
 }
diff --git a/hosts/ahmed/git.linus.onl/no-ownership-check-for-root.patch b/hosts/ahmed/git.linus.onl/no-ownership-check-for-root.patch
new file mode 100644
index 0000000..7749d2d
--- /dev/null
+++ b/hosts/ahmed/git.linus.onl/no-ownership-check-for-root.patch
@@ -0,0 +1,14 @@
+diff --git a/setup.c b/setup.c
+index 18927a8..ac6823f 100644
+--- a/setup.c
++++ b/setup.c
+@@ -1159,6 +1159,9 @@ static int ensure_valid_ownership(const char *gitfile,
+ const char *worktree, const char *gitdir,
+ struct strbuf *report)
+ {
++ if (git_env_bool("GIT_NO_CHECK_OWNERSHIP", 0))
++ return 1;
++
+ struct safe_directory_data data = {
+ .path = worktree ? worktree : gitdir
+ };
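Review bot: `GIT_NO_CHECK_OWNERSHIP = "1";` in the third hunk of default.nix disables the ownership check for every repository the HTTP backend serves, which is wider than the situation the commit describes (trees owned by `git`, fcgiwrap running as root). Git already has an allowlist for exactly this case that can be passed through the same fastcgiParams without rebuilding the package: `GIT_CONFIG_COUNT = "1"; GIT_CONFIG_KEY_0 = "safe.directory"; GIT_CONFIG_VALUE_0 = "${location}";` — `safe.directory` is honoured from command-scope config, though whether one entry can cover a whole directory of repositories or each repository must be listed depends on the deployed Git version, so check that before relying on it. With that in place `SCRIPT_FILENAME` can stay on the stock `git-http-backend` and the `overrideAttrs` rebuild goes away. Whichever variant is kept, the comment above the block should name what is being bypassed and why, e.g. `# fcgiwrap runs as root but repos are owned by 'git'; relax safe.directory only for the HTTP backend`.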
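Review bot: The early return added to `ensure_valid_ownership` is not limited to root, although the file is named `no-ownership-check-for-root.patch`: `git_env_bool("GIT_NO_CHECK_OWNERSHIP", 0)` short-circuits for any user, and the variable is inherited by every Git subprocess spawned from the backend (including `git-upload-pack` and any hooks), so its reach is larger than the one nginx location that sets it. Gating it on the effective uid, `if (!geteuid() && git_env_bool("GIT_NO_CHECK_OWNERSHIP", 0))`, would make the patch match its name; otherwise rename the file so the scope is not misread later. The patch has no header text, so a one-line description of the intended scope and the removal condition from the commit message belongs at the top of the file. The rest of `ensure_valid_ownership` is outside the hunk.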