daemon: clarify directory arguments
The undecorated arguments to the 'git-daemon' command provide a list of directories. When at least one directory is specified, then 'git-daemon' only serves requests that are within that directory list. The boolean '--strict-paths' option makes the list more explicit in that subdirectories are no longer included. The existing documentation and error messages around this directory list refer to it and its behavior as a "whitelist". The word "whitelist" has cultural implications that are not inclusive. Thankfully, it is not difficult to reword and avoid its use. In the process, we can define the purpose of this directory list directly. In Documentation/git-daemon.txt, rewrite the OPTIONS section around the '<directory>' option. Add additional clarity to the other options that refer to these directories. Some error messages can also be improved in daemon.c. The '--strict-paths' option requires '<directory>' arguments, so refer to that section of the documentation directly. A logerror() call points out that a requested directory is not in the specified directory list. We can use "list" here without any loss of information. Signed-off-by: Derrick Stolee <derrickstolee@github.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
parent
e4a4b31577
commit
dee8a1455c
@ -32,8 +32,8 @@ that service if it is enabled.
|
|||||||
It verifies that the directory has the magic file "git-daemon-export-ok", and
|
It verifies that the directory has the magic file "git-daemon-export-ok", and
|
||||||
it will refuse to export any Git directory that hasn't explicitly been marked
|
it will refuse to export any Git directory that hasn't explicitly been marked
|
||||||
for export this way (unless the `--export-all` parameter is specified). If you
|
for export this way (unless the `--export-all` parameter is specified). If you
|
||||||
pass some directory paths as 'git daemon' arguments, you can further restrict
|
pass some directory paths as 'git daemon' arguments, the offers are limited to
|
||||||
the offers to a whitelist comprising of those.
|
repositories within those directories.
|
||||||
|
|
||||||
By default, only `upload-pack` service is enabled, which serves
|
By default, only `upload-pack` service is enabled, which serves
|
||||||
'git fetch-pack' and 'git ls-remote' clients, which are invoked
|
'git fetch-pack' and 'git ls-remote' clients, which are invoked
|
||||||
@ -50,7 +50,7 @@ OPTIONS
|
|||||||
Match paths exactly (i.e. don't allow "/foo/repo" when the real path is
|
Match paths exactly (i.e. don't allow "/foo/repo" when the real path is
|
||||||
"/foo/repo.git" or "/foo/repo/.git") and don't do user-relative paths.
|
"/foo/repo.git" or "/foo/repo/.git") and don't do user-relative paths.
|
||||||
'git daemon' will refuse to start when this option is enabled and no
|
'git daemon' will refuse to start when this option is enabled and no
|
||||||
whitelist is specified.
|
directory arguments are provided.
|
||||||
|
|
||||||
--base-path=<path>::
|
--base-path=<path>::
|
||||||
Remap all the path requests as relative to the given path.
|
Remap all the path requests as relative to the given path.
|
||||||
@ -73,7 +73,7 @@ OPTIONS
|
|||||||
%IP for the server's IP address, %P for the port number,
|
%IP for the server's IP address, %P for the port number,
|
||||||
and %D for the absolute path of the named repository.
|
and %D for the absolute path of the named repository.
|
||||||
After interpolation, the path is validated against the directory
|
After interpolation, the path is validated against the directory
|
||||||
whitelist.
|
list.
|
||||||
|
|
||||||
--export-all::
|
--export-all::
|
||||||
Allow pulling from all directories that look like Git repositories
|
Allow pulling from all directories that look like Git repositories
|
||||||
@ -218,9 +218,11 @@ standard output to be sent to the requestor as an error message when
|
|||||||
it declines the service.
|
it declines the service.
|
||||||
|
|
||||||
<directory>::
|
<directory>::
|
||||||
A directory to add to the whitelist of allowed directories. Unless
|
The remaining arguments provide a list of directories. If any
|
||||||
--strict-paths is specified this will also include subdirectories
|
directories are specified, then the `git-daemon` process will
|
||||||
of each named directory.
|
serve a requested directory only if it is contained in one of
|
||||||
|
these directories. If `--strict-paths` is specified, then the
|
||||||
|
requested directory must match one of these directories exactly.
|
||||||
|
|
||||||
SERVICES
|
SERVICES
|
||||||
--------
|
--------
|
||||||
@ -264,9 +266,8 @@ git 9418/tcp # Git Version Control System
|
|||||||
|
|
||||||
'git daemon' as inetd server::
|
'git daemon' as inetd server::
|
||||||
To set up 'git daemon' as an inetd service that handles any
|
To set up 'git daemon' as an inetd service that handles any
|
||||||
repository under the whitelisted set of directories, /pub/foo
|
repository within `/pub/foo` or `/pub/bar`, place an entry like
|
||||||
and /pub/bar, place an entry like the following into
|
the following into `/etc/inetd` all on one line:
|
||||||
/etc/inetd all on one line:
|
|
||||||
+
|
+
|
||||||
------------------------------------------------
|
------------------------------------------------
|
||||||
git stream tcp nowait nobody /usr/bin/git
|
git stream tcp nowait nobody /usr/bin/git
|
||||||
|
8
daemon.c
8
daemon.c
@ -279,7 +279,7 @@ static const char *path_ok(const char *directory, struct hostinfo *hi)
|
|||||||
/* The validation is done on the paths after enter_repo
|
/* The validation is done on the paths after enter_repo
|
||||||
* appends optional {.git,.git/.git} and friends, but
|
* appends optional {.git,.git/.git} and friends, but
|
||||||
* it does not use getcwd(). So if your /pub is
|
* it does not use getcwd(). So if your /pub is
|
||||||
* a symlink to /mnt/pub, you can whitelist /pub and
|
* a symlink to /mnt/pub, you can include /pub and
|
||||||
* do not have to say /mnt/pub.
|
* do not have to say /mnt/pub.
|
||||||
* Do not say /pub/.
|
* Do not say /pub/.
|
||||||
*/
|
*/
|
||||||
@ -298,7 +298,7 @@ static const char *path_ok(const char *directory, struct hostinfo *hi)
|
|||||||
return path;
|
return path;
|
||||||
}
|
}
|
||||||
|
|
||||||
logerror("'%s': not in whitelist", path);
|
logerror("'%s': not in directory list", path);
|
||||||
return NULL; /* Fallthrough. Deny by default */
|
return NULL; /* Fallthrough. Deny by default */
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -403,7 +403,7 @@ static int run_service(const char *dir, struct daemon_service *service,
|
|||||||
* a "git-daemon-export-ok" flag that says that the other side
|
* a "git-daemon-export-ok" flag that says that the other side
|
||||||
* is ok with us doing this.
|
* is ok with us doing this.
|
||||||
*
|
*
|
||||||
* path_ok() uses enter_repo() and does whitelist checking.
|
* path_ok() uses enter_repo() and checks for included directories.
|
||||||
* We only need to make sure the repository is exported.
|
* We only need to make sure the repository is exported.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
@ -1444,7 +1444,7 @@ int cmd_main(int argc, const char **argv)
|
|||||||
cred = prepare_credentials(user_name, group_name);
|
cred = prepare_credentials(user_name, group_name);
|
||||||
|
|
||||||
if (strict_paths && (!ok_paths || !*ok_paths))
|
if (strict_paths && (!ok_paths || !*ok_paths))
|
||||||
die("option --strict-paths requires a whitelist");
|
die("option --strict-paths requires '<directory>' arguments");
|
||||||
|
|
||||||
if (base_path && !is_directory(base_path))
|
if (base_path && !is_directory(base_path))
|
||||||
die("base-path '%s' does not exist or is not a directory",
|
die("base-path '%s' does not exist or is not a directory",
|
||||||
|
Loading…
Reference in New Issue
Block a user