| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
UKM was never updated for new-style fingerprints at all.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
|
| |
|
|
|
|
| |
SSKM was never updated for new-style fingerprints at all.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New Gitolite::Common functions:
ssh_fingerprint_file
ssh_fingerprint_line
The existing code for new-style fingerprint did not correctly match on
some inputs, as it was not strict enough about the MD5-format
fingerprint. Additionally, some places in the codebase had not been
updated for new-style fingerprints at all.
Two fingerprints both starting with 'SHA256:34' were matched by the old
regex as '56:34', instead of a full MD5 fingerprint, and gitolite
mistakenly thought they were identical. This held for ANY new form
fingerprint where both the hashname ended with AND the hash content
started with [0-9a-f]{2}.
Be stricter about the form of the fingerprints instead:
- MD5 can have a 'MD5:' prefix (new OpenSSH versions only).
- MD5 has a known length (16 octets of hex digits, with colons)
- Other hashes are more than just SHA256, but all follow the form
'$HASHNAME:$base64_str'
This commit introduces the new functions only.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
| |
Verify that each line from a multiline keyfile is plausible using
`ssh-keygen -l` to generate a fingerprint. This is similar to the
check performed by the main ssh-authkeys script, except we don't
bother checking the fingerprint format in ssh-authkeys-split.
This should reduce the damage due to problems such as stray blank
lines or unexpected key formats (e.g. PuTTY keys).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, every time someone does a push to a master server, a slave push
(one for each slave) is triggered.
This is not only wasteful, it also causes too much load. First of all, pushes
should be serialised -- there is no point running TWO 'git push --mirror' from
one server to another. This means when one push is running, any more pushes
of the same repo to the same slave must be queued.
But more importantly, it does not make sense to queue more than one!
Hence the "one(running) plus one(queued)" name of the helper script.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, every time someone does a push to a master server, a slave push
(one for each slave) is triggered.
This is not only wasteful, it also causes too much load. First of all, pushes
should be serialised -- there is no point running TWO 'git push --mirror' from
one server to another. This means when one push is running, any more pushes
of the same repo to the same slave must be queued.
But more importantly, it does not make sense to queue more than one!
Hence the "one(running) plus one(queued)" name of the helper script.
|
| |
|
|
|
|
|
|
| |
On repo creation, setup objects/info/alternates for a server side
alternate object store. The value is configured via `option
reference.repo`.
Intended to use with forks and mirrors to save network bandwidth.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We used to say if you need the status of all slaves for all repos you have to
roll it yourself, maybe like this:
gitolite list-phy-repos | while read r
do
echo ---- $r
gitolite mirror list slaves $r
done
This isn't great for automation.
The new feature simply prints a list of repos that have *some* error, which is
arguably more useful for further action/processing.
|
| | |
|
| | |
|
| |
|
|
|
| |
makes creating slave lists a lot more convenient for some cases; see
https://groups.google.com/forum/#!topic/gitolite/_jL--PR0AXM
|
| |
|
|
|
|
|
|
|
|
|
| |
- allow incrementally adding more repo-specific hooks
see https://groups.google.com/forum/#!topic/gitolite/YcfuFDzhq4A
- allow gitolite-admin repo also to be "hooked" (but not post-update of
course)
see https://groups.google.com/forum/#!topic/gitolite/zAi4H1OKkgI
|
| | |
|
| | |
|
| |
|
|
|
|
| |
because "this should not happen"... happened!
(thanks to hseg on irc for catching this)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TLDR: users are able to *create* new refs that they are not supposed to.
Upgrading gitolite is not mandatory; there is a workaround within the conf
syntax itself (see below).
The bug shows up if the following four conditions are satisfied:
repo foo/..* # 1 (see below)
C = @all # 2
RW+CD = CREATOR # 3
RW = special_user # 4
1. must be a wild repo
2. the create-repo line must allow "special_user(s)"
3. there is at least one rule containing RW.*C in the repo
4. the intent is that special user(s) can ff-push but cannot *create* refs
since they have only RW; for a refresher on this, see
http://gitolite.com/gitolite/conf.html#write-types
In such cases, the restriction on creating a ref is ignored. (Only creation
is affected; the bug does not affect delete, rewind permissions).
In general, this is a relatively minor bug. No data is destroyed, and no data
is leaked. Some cleanup of useless refs may be required if someone has
(ab)used this. At worst this could be a potential DOS, but I have never
considered DOS to be a valid concern when it requires *authorised* users.
If you have such a conf, and cannot immediately upgrade, there is a
workaround:
repo foo/..*
RW+CD = CREATOR
RW = special_user
- = special_user # add a deny rule for the special user(s)
C = @all # move the repo-create perm to the end,
# *after* the deny rule above
(Thanks to hseg on #gitolite for catching this and being tenacious about it!
At first, I was arrogant enough to reject the idea that such a bug could
exist; it took me a bit to get the right conditions in place and see the
problem!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- when list_roles is invoked as part of the error reporting for an invalid
role (as opposed to being explicitly asked for by option '-lr'), the
output should go to STDERR, just like the error message.
- the Ctrl-C stuff doesn't work when the user is sharing multiple ssh
sessions over a single connection (see, ControlMaster, ControlPersist,
etc., in 'man ssh_config'). Replaced it with a more explicit means to
allow a user who inadvertently walked into this mode of operation to
gracefully get out.
Thanks to Stephane Chazelas on the mailing list[1] for reporting the issues,
subsequent discussion, and patches which I was able to modify as needed.
[1]: https://groups.google.com/forum/#!topic/gitolite/Fcw1Et9PGmw
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
note that this does not affect anything, since the 6 extra characters that
would be matched are not part of the base64 character set anyway, so they
should not be *produced* by your ssh-keygen.
thanks to 'ayekat' on irc pointing me to a comment on the commit on github.
(Please don't put stuff on github and expect me to find it; I prefer plain old
email because -- among other things -- I don't want to insist that you have a
github account in order to discuss gitolite).
|
| | |
|
| |
|
|
|
|
|
|
|
| |
(thanks to Nicholas Clark for the first requirement)
- allow replacement by "prefix"
- allow customised warning message (to better warn users of the new repo
name)
- allow "inform and abort" -- forces users to switch to the new name
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because of the pipe in the create command, 'gitolite git-config' and 'perms
-c' would run simultaneously. The problem was, if git-config ran between
these two statements in new_wild_repo() in Store.pm:
new_repo($repo);
# 'gitolite git-config' runs here
_print( "$repo.git/gl-creator", $user );
*and* the repo pattern had CREATOR in it, it would not return the correct
values for the default.roles options, since the repo pattern would not be
deemed to match the actual repo (between creator() and generic_name()).
Thanks to Ronald Wirth for catching this; see [1] for details.
[1]: https://groups.google.com/forum/#!topic/gitolite/5Dv6ViDmfF4
----
...and while we're about it, I changed it to use /bin/sh and smoke tested it
using "dash", which I believe is close enough.
|
| |
|
|
|
|
|
| |
apparently the git client, when using ext:: transports, does not send those
quotes
https://groups.google.com/forum/#!topic/gitolite/x8rUaxJU0iM
|
| | |
|
| |
|
|
|
| |
_print always overwrites the target file. Empty the file at the
beginning of the migrate run but subsequently append new entries.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- add (commented out) values to LOG_DEST in the default rc file to allow
'repo-log' as a destination
- make gl_log() respect this and append update log records to a file called
'gl-log' within the bare repo dir. (This is only the update log records,
not everything.)
- let 'who-pushed' use gl-log if found, and the normal ones (much slower)
only if not
- add more help to who-pushed
- help admin migrate log records (or rather, generate the new ones from the
normal gitolite logs)
|
| |
|
|
| |
to better accommodate additional custom help messages
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
It seems that (some versions of) git-annex use repository paths that simply
start with '/' instead of '/~/', so make the '~/' part optional.
|
| | |
|
| |
|
|
| |
reminder: bugly = bug that makes something look ugly :)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I don't like "find -L" in a security program. Period. If you MUST keep some
of your repos somewhere else, you'll need to do it this way.
Let's say all the repos under foo/bar and baz are actually on a different
disk. That is, ~/repositories/foo/bar is a symlink to some other disk, as is
~/repositories/baz.
Then add this to the rc file somewhere in the "rc variables used by various
features" section:
REPO_SYMLINKS => "foo/bar/ baz/",
DON'T forget the trailing slash at the end of each name, and the comma
outside.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(much thanks to Tony Finch!)
- show valid roles and their access rights, for the given repo ("-lr")
- check a role not just against the rc, but against the roles that this
specific repo actually uses, which may be a smaller subset. (This is the
most important improvement in this patch; the rest is just fluff!)
- fixup usage message
WARNING: minor backward compat breakage: 'ssh ... perms -l repo' no longer
works; the '-l' goes *after* the repo name now.
|
| |
|
|
|
| |
The error message is explicitly the same as you get when you do send in an
invalid git/gitolite command; this is by design.
|
| |
|
|
|
|
|
|
|
| |
0600 is sufficient.
Caught by Christoph. I don't actually think there is any possibility of this
being used to attack gitolite but it's just a 1-bit change :)
ref: https://groups.google.com/forum/#!topic/gitolite/C_kzny--yP8
|
| |
|
|
|
|
|
| |
Experts only; no support and no docs.
Idea courtesy "calestyo"; see mails on Feb 20 or so in this:
https://groups.google.com/forum/#!msg/gitolite/eLTiK8hvijo/9dKI8YfTSecJ
|
| |
|
|
| |
...instead of ~/.gitconfig, and add an include.path in it
|
| |
|
|
|
|
|
|
|
|
|
| |
sshkeys-lint was rejecting Ed25519 type keys, and also not detecting
ecdsa keys for shell users; refactor the key type detection code to use
a single variable and introduce Ed25519 into the new variable.
Also explicitly matches the ECDSA key types now, rather than leaving it
open-ended.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
In src/triggers/post-compile/update-description-file and
src/triggers/post-compile/update-gitweb-daemon-from-options the perl
module Gitolite::Easy is directly loaded from the command line but
the include path was not set. This change also sets this missing
include path.
(a typo in one of the arguments was also fixed -- sitaram)
|
| |
|
|
|
|
|
|
| |
- allow users with RW to use it
- fix bug where, when a repo's writable status is checked, the global status
was not checked
Thanks to Michel Bourget for discussion and ideas.
|
Robin H. Johnson
Tony Finch
Sitaram Chamarty
gitolite tester
milki
Jonathan Gray
Tony Xue
Benoît Knecht
Robert Schiele
GitWeb