I am running Gitolite in both SSH and HTTP mode on CentOS 7. I followed this tutorial as it is.

My problem is I am able to clone all repos through ssh but can only clone the testing.git repo via http even after adding R = daemon access rule to all repositories that I want to make available via http.

gitolite.conf looks like this:

cat gitolite.conf

```
repo gitolite-admin
    RW+     =   Git-Admin

repo testing
    RW+     =   @all

repo avengers
    RW+     =   Git-Admin

repo @all
    R       =   daemon gitweb
```

```
ssh git@192.168.15.2 info

hello Git-Admin, this is git@osboxes running gitolite3 v3.6.9-0-g144d8a2 on git 1.8.3.1

 R W    avengers
 R W    gitolite-admin
 R W    testing
```

```
curl http://admin:admin@192.168.15.2/git/info

hello admin, this is httpd@osboxes running gitolite3 v3.6.9-0-g144d8a2 on git 1.8.3.1

 R W    testing
```

I am not able to figure out where I'm going wrong.

Thanks in advance.

[root@osboxes repositories]# vim /var/www/bin/gitolite-suexec-wrapper.sh

```
#!/bin/bash
#
# Suexec wrapper for gitolite-shell
#

export GIT_PROJECT_ROOT="/home/git/repositories"
export GITOLITE_HTTP_HOME="/home/git"

exec ${GITOLITE_HTTP_HOME}/gitolite/src/gitolite-shell
```

[root@osboxes repositories]# cat /etc/httpd/conf/httpd.conf

```
<VirtualHost *:80>
  # You can comment out the below 3 lines and put correct value as per your server information
  #  ServerName        gitserver.example.com
  #  ServerAlias       gitserver
    ServerAdmin       youremailid@example.com

    DocumentRoot /var/www/git
    <Directory /var/www/git>
        Options       None
        AllowOverride none
        Order         allow,deny
        Allow         from all

    </Directory>

    SuexecUserGroup git git
    ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
    ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/
    #ScriptAlias /git/ /home/git/gitolite/src/gitolite-shell
    #ScriptAlias /gitmob/ /home/git/gitolite/src/gitolite-shell

    <Location /git>
        AuthType Basic
        AuthName "Git Access"
        Require valid-user
        AuthUserFile /etc/httpd/conf/git.passwd
    </Location>
</VirtualHost>
```
Vedant Aggrawal

1 Answer

Check the content of /etc/httpd/conf/git.passwd on your Gitolite server.

If it does not include admin/<encrypted password>, it would authenticate you as "anonymous", meaning you have access only to the repos from the @all group.

VonC
  • But my git.passwd file does contain the admin/ – Vedant Aggrawal Sep 13 '18 at 06:57
  • Is it something to do with the git daemon service? – Vedant Aggrawal Sep 13 '18 at 07:00
  • @VedantAggrawal probably not `admin` as a *password* though. That or your `/var/www/bin/gitolite-suexec-wrapper.sh/` does not correctly pass your username to gitolite. The git daemon should not be involved. Actually, as I commented here, https://stackoverflow.com/questions/21289643/gitolite-with-http-acces-via-ldap-does-not-pass-the-username/21303301#comment32105331_21289643, you should not need a wrapper. – VonC Sep 13 '18 at 07:02
  • @VedantAggrawal So it has to do with using a recent gitolite with an obsolete tutorial. – VonC Sep 13 '18 at 07:02
  • So the possible solution that you are suggesting is that I remove the gitolite-suexec-wrapper.sh and add the path that points to gitolite-shell directly in the httpd.conf? – Vedant Aggrawal Sep 13 '18 at 07:21
  • @VedantAggrawal No, apparently you need that wrapper, according to the official docs: http://gitolite.com/gitolite/contrib/ssh-and-http/ – VonC Sep 13 '18 at 08:42
  • So what can be done to fix this problem? Any other suggestions? – Vedant Aggrawal Sep 13 '18 at 09:58
  • @VedantAggrawal From https://github.com/sitaramc/gitolite/blob/144d8a202edaa30b19b0946051630da8ca561c6b/src/gitolite-shell#L66-L78: add "`env`" in your wrapper script, in order to print all variables: check that REMOTE_USER is present, set to the value 'admin', which means the Basic Authentication has worked. – VonC Sep 13 '18 at 11:47
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/179991/discussion-between-vedant-aggrawal-and-vonc). – Vedant Aggrawal Sep 13 '18 at 12:24
  • I am posting the wrapper script in my question – Vedant Aggrawal Sep 13 '18 at 12:32
  • @VedantAggrawal Simply add the line `env>/path/to/file` in your wrapper script, then try to log on through apache: check the environment variables present during the wrapper script execution (just after trying to authenticate) and see if there is a REMOTE_USER one set to apache. If not, as shown in https://github.com/sitaramc/gitolite/blob/144d8a202edaa30b19b0946051630da8ca561c6b/src/gitolite-shell#L78, Gitolite would identify you as "anonymous". Hence your limited access. The goal is to ascertain that your basic authentication is *not* working: check also your Apache logs. – VonC Sep 13 '18 at 12:34
  • Okay, sorry for the inconvenience, but I am a bit of a novice, with very little knowledge of Linux and git. I am having a hard time here trying to get what you're suggesting. Sorry again :( – Vedant Aggrawal Sep 13 '18 at 13:19
  • @VedantAggrawal Can you edit your question with the content of httpd.conf? – VonC Sep 13 '18 at 13:21
  • Sure :). I have edited the question with a portion of config from httpd.conf – Vedant Aggrawal Sep 13 '18 at 13:28
  • @VedantAggrawal Looking good. From there, add the env line I mentioned in your wrapper script, and check your apache log for any suspicious message just after trying to log on. Or just after your curl admin:admin. – VonC Sep 13 '18 at 13:30
  • env>/path/to/file will point to gitolite-shell path, i.e. "env>/home/git/gitolite/src/gitolite-shell", right? – Vedant Aggrawal Sep 13 '18 at 13:38
  • There's no suspicious message in apache logs after I curl: 192.168.15.3 - admin [12/Sep/2018:23:34:44 -0400] "GET /git/info HTTP/1.1" 200 100 "-" "curl/7.29.0" – Vedant Aggrawal Sep 13 '18 at 14:12
  • @VedantAggrawal what kind of URL are you using? http://myserver/git/myrepo? There should be no path between /git and /myrepo. – VonC Sep 13 '18 at 14:32
  • Yes, I am using this url: git clone htp://admin:admin@myserver/git/myrepo.git to clone and curl http://admin:admin@myserver/git/info to see which all repos I am authorised to clone. – Vedant Aggrawal Sep 13 '18 at 15:27
  • I can clone the testing.git repo through http. Problem is, I am not able to clone avengers.git even after adding R = daemon rule as mentioned in http://gitolite.com/gitolite/contrib/ssh-and-http/ last line. – Vedant Aggrawal Sep 14 '18 at 05:02
  • @VedantAggrawal See https://chat.stackoverflow.com/rooms/179991/discussion-between-vedant-aggrawal-and-vonc – VonC Sep 14 '18 at 07:29
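
As an added example (not part of the original thread), this script follows the check suggested in the comments, reading `REMOTE_USER` from an `env` dump, and then matches that name against the posted gitolite.conf with a deliberately simplified rule matcher. The function names and the env dump are constructed for illustration; the output shows that the name `admin` from the curl greeting and the name `Git-Admin` from the ssh greeting resolve to different repo lists.

```shell
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical.

# Name Gitolite acts on for an HTTP request, read from an `env` dump written
# by the wrapper: REMOTE_USER if Apache set it, otherwise "anonymous".
http_identity() {
    _user=$(sed -n 's/^REMOTE_USER=//p' "$1" | head -n 1)
    printf '%s\n' "${_user:-anonymous}"
}

# Repos a name can read. Simplified model of gitolite.conf: plain R/RW/RW+
# rules, literal user names plus @all, no other groups and no deny rules.
readable_repos() {   # usage: readable_repos <conf-file> <name>
    awk -v user="$2" '
        $1 == "repo" {
            n = 0
            for (i = 2; i <= NF; i++) { cur[++n] = $i; if ($i != "@all") all[$i] = 1 }
            next
        }
        $2 == "=" && $1 ~ /^(R|RW|RW[+])$/ {
            for (i = 3; i <= NF; i++)
                if ($i == user || $i == "@all")
                    for (j = 1; j <= n; j++) hit[cur[j]] = 1
        }
        END { for (r in all) if (hit[r] || hit["@all"]) print r }
    ' "$1" | sort | paste -sd' ' -
}

# gitolite.conf as posted in the question.
conf=$(mktemp)
cat > "$conf" <<'EOF'
repo gitolite-admin
    RW+     =   Git-Admin
repo testing
    RW+     =   @all
repo avengers
    RW+     =   Git-Admin
repo @all
    R       =   daemon gitweb
EOF

# Constructed env dump, matching the "hello admin" greeting from curl.
envdump=$(mktemp)
printf 'REQUEST_METHOD=GET\nREMOTE_USER=admin\n' > "$envdump"

who=$(http_identity "$envdump")
echo "http name $who reads: $(readable_repos "$conf" "$who")"
echo "ssh name Git-Admin reads: $(readable_repos "$conf" Git-Admin)"
```

An `env` dump can contain request details, so write it somewhere outside the DocumentRoot with restrictive permissions and delete it once checked.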