From 067aa5baf419711eb24c5f4081c692f15c5fec47 Mon Sep 17 00:00:00 2001
From: Linnnus
Date: Wed, 31 Jul 2024 17:43:37 +0200
Subject: ahmed: Fix Git clone

CGit farms out the handling of the HTTP requests sent by the Git CLI to another CGI script. This script was failing because of "dubious ownership". This is a security check run by Git to ensure malicious repositories on network drives don't get arbitrary code execution. The problem is: the CGI script was running as root, as that is what the fcgiwrap systemd service was configured for, but the repository is owned by the 'git' user. Since I trust the repositories, I had to patch Git to ignore this mark. Actually getting the NixOS CGit module to use the patched version of Git proved rather difficult... In the future I should probably a) Make sure fcgiwrap isn't running as root since it directly interacts with all sorts of untrusted user input. b) Remove this ugly hack. There's a reason for the security check after all. Just because it matters _less_ in this case doesn't mean it's wise to ignore it completely.
---
 hosts/ahmed/git.linus.onl/default.nix | 14 ++++++++++++++
 .../ahmed/git.linus.onl/no-ownership-check-for-root.patch | 14 ++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 hosts/ahmed/git.linus.onl/no-ownership-check-for-root.patch

diff --git a/hosts/ahmed/git.linus.onl/default.nix b/hosts/ahmed/git.linus.onl/default.nix
index 1436eda..bf9fe0b 100644
--- a/hosts/ahmed/git.linus.onl/default.nix
+++ b/hosts/ahmed/git.linus.onl/default.nix
@@ -2,6 +2,7 @@
 config,
 pkgs,
 metadata,
+ lib,
 ...
 }: let
 git-shell = "${pkgs.gitMinimal}/bin/git-shell";
@@ -54,6 +55,7 @@ in {
 # Public git viewer.
 services.cgit."git.linus.onl" = {
 enable = true;
+ scanPath = location;
 settings = let
 package = config.services.cgit."git.linus.onl".package;
@@ -84,5 +86,17 @@ in {
 enableACME = useACME;
 forceSSL = useACME;
 };
+
+ # Monkey-patch the version of Git used by CGit to handle requests.
+ services.nginx.virtualHosts."git.linus.onl" = {
+ locations."~ /.+/(info/refs|git-upload-pack)".fastcgiParams = {
+ SCRIPT_FILENAME = lib.mkForce "${pkgs.git.overrideAttrs (old: {
+ patches = (old.patches or []) ++ [
+ ./no-ownership-check-for-root.patch
+ ];
+ })}/libexec/git-core/git-http-backend";
+ GIT_NO_CHECK_OWNERSHIP = "1";
+ };
+ };
 };
 }
diff --git a/hosts/ahmed/git.linus.onl/no-ownership-check-for-root.patch b/hosts/ahmed/git.linus.onl/no-ownership-check-for-root.patch
new file mode 100644
index 0000000..7749d2d
--- /dev/null
+++ b/hosts/ahmed/git.linus.onl/no-ownership-check-for-root.patch
@@ -0,0 +1,14 @@
+diff --git a/setup.c b/setup.c
+index 18927a8..ac6823f 100644
+--- a/setup.c
++++ b/setup.c
+@@ -1159,6 +1159,9 @@ static int ensure_valid_ownership(const char *gitfile,
+ const char *worktree, const char *gitdir,
+ struct strbuf *report)
+ {
++ if (git_env_bool("GIT_NO_CHECK_OWNERSHIP", 0))
++ return 1;
++
+ struct safe_directory_data data = {
+ .path = worktree ? worktree : gitdir
+ };
--
cgit v1.2.3
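Review bot: The `GIT_NO_CHECK_OWNERSHIP = "1"` fastcgi param, paired with the patched `git-http-backend` that `SCRIPT_FILENAME` now points at, switches the ownership check off for every repository this backend (and the `git-upload-pack` it spawns, which inherits the environment) serves, in a process the commit message says runs as root; the check exists precisely so that a repository owned by another user cannot feed configuration to a Git process running as a more privileged one, so anyone who can write to the repositories under `scanPath` now has that influence over a root process. Git already provides a supported, narrower switch for this situation: list the repositories or the scan root in `safe.directory` from protected configuration instead of patching the check out — on NixOS something like `programs.git.config.safe.directory = location;` (or `"*"` to match what the patch does) lands in the system gitconfig — after which the `overrideAttrs` patch can go; which config scopes Git honours for `safe.directory` depends on the Git version, so confirm against the nixpkgs package in use. The fix the message itself lists as future work is also the simplest one and removes the need for any bypass: run fcgiwrap as the repository owner, e.g. `services.fcgiwrap.user = "git";` (option name varies between NixOS module versions). The `services.nginx.virtualHosts` definition this hunk extends starts outside the hunk.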
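Review bot: The added early return in `ensure_valid_ownership` disables the check for every repository whenever the environment variable is set, before `safe_directory_data` and therefore the `safe.directory` allow-list is consulted, so despite the file name it is not limited to the root case nor to any particular path; the sole gate is an environment variable that any caller of the patched binary can set. Since `safe.directory = "*"` in protected config already yields the same behaviour without a local fork of `setup.c` (verify the scope rules for the pinned Git version), the patch appears redundant with upstream functionality. If it is kept, the `.patch` file can carry a header above its first `diff` line stating the intent and the removal condition, e.g. `Local hack for git-http-backend running as root via fcgiwrap; drop once fcgiwrap runs as the git user.`, so the next nixpkgs Git bump that breaks the hunk context is treated as a cue to delete it rather than rebase it. The rest of `ensure_valid_ownership` lies outside the hunk.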