I am trying to set up nginx with fcgiwrap to forward requests under https://<host>/git/<repo>.git to git-http-backend.
The server is a freshly installed Debian Linux, so there should be no awkward things in the background.
The fcgiwrap socket runs as the www-data user and should have access to the git repository (see below). However, when trying to push I get the git message below (pertaining to a problem with access permission, I presume):
$ git push origin master
Counting objects: 6, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (6/6), 385 bytes | 0 bytes/s, done.
Total 6 (delta 0), reused 0 (delta 0)
remote: error: insufficient permission for adding an object to repository database objects
remote: fatal: failed to write object
error: unpack failed: unpack-objects abnormal exit
To https://xxx:xxx@127.0.0.1/git/test.git
! [remote rejected] master -> master (unpacker error)
error: failed to push some refs to 'https://xxx:xxx@127.0.0.1/git/test.git'
nginx config:
server {
    server_name xxxxxxx.com;
    location ~ /git(/.*) {
        auth_basic "Private Git Repository";
        auth_basic_user_file /etc/nginx/.htpasswd;
        # fcgiwrap is set up to listen on this host:port
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        # export all repositories under GIT_PROJECT_ROOT
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param GIT_PROJECT_ROOT /opt/git;
        fastcgi_param PATH_INFO $1;
        fastcgi_param REMOTE_USER $remote_user;
    }
}
FastCGIWrap:
$ apt-get install fcgiwrap
$ cat /etc/init.d/fcgiwrap
...
FCGI_USER="www-data"
FCGI_GROUP="www-data"
# Socket owner/group (will default to FCGI_USER/FCGI_GROUP if not defined)
FCGI_SOCKET_OWNER="www-data"
FCGI_SOCKET_GROUP="www-data"
...
Permissions in /opt/git:
$ chown -R git:git /opt/git/
$ chmod -R 775 /opt/git/
$ chmod -R a+s /opt/git/
$ ls -la /opt/git
drwsrwsr-x 6 git git 4096 Aug 11 15:21 .
drwxr-xr-x 3 root root 4096 Jul 15 12:01 ..
drwsrwsr-x 7 git git 4096 Aug 12 11:47 test.git
git repo config:
$ cat /opt/git/test.git/config
[core]
repositoryformatversion = 0
filemode = true
bare = true
sharedrepository = 1
sharedRepository = 1
[receive]
denyNonFastforwards = true
[http]
receivepack = true
nginx user is www-data, which is a member of the git group:
$ groups www-data
www-data : www-data git
$ cat /etc/group | grep www-data
www-data:x:33:
git:x:1001:www-data
Oddly, if I chgrp -R www-data /opt/git/ it works. I would like to have it as git:git though.
chmod a+s /usr/lib/git-core/git-http-* works. Now I can also do chmod -R 705 /opt/git/ and it works. I suppose because now the root user executes the commands. I doubt this is secure. So it should not be used...
Use ssh. Using ssh works, or even logging in as user www-data and pushing directly to the repo works (since the group permissions ARE set correctly!). However, this is not an option as https access is required!
I'm running out of ideas.
Pushing per ssh works.
If I do chown -R 770 /opt/git/ then I can't even clone or fetch via https any more. So it seems like the www-data user does not have access via the git-http-backend cgi script. But why??? The user is a member of the git group and should have group access!!!
Can't believe it... A simple server reboot solved it.
I just came to trying this because I had to actually log out and back in when adding group permission to my user. Seems like permission stuff sometimes does not apply on-the-fly? Wow...
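A process's supplementary groups are fixed when it starts, so an fcgiwrap that was already running when www-data was added to git keeps the old group list until it is restarted. The check below is an added example, not part of the original post: it compares the Groups: line of a /proc/<pid>/status file against a group file, using constructed sample files, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a daemon whose group list predates a group change.
# Files are parameters; on a live host use /proc/<pid>/status and /etc/group.
# Limitation: only supplementary membership (4th field of the group file).

# Print the numeric GID of group $2 from group file $1.
gid_of_group() {
    awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# Print "yes" if user $2 is listed as a member of group $3 in group file $1.
listed_member() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 }
        END { print (f ? "yes" : "no") }' "$1"
}

# Print "yes" if status file $1 carries GID $2 in its Groups: line.
proc_has_gid() {
    awk -v gid="$2" '
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == gid) f = 1 }
        END { print (f ? "yes" : "no") }' "$1"
}

# Args: status_file group_file user group
# Prints: ok | stale (restart needed) | not-member | no-such-group
check_stale() {
    gid=$(gid_of_group "$2" "$4")
    [ -n "$gid" ] || { echo "no-such-group"; return 0; }
    if [ "$(listed_member "$2" "$3" "$4")" = no ]; then echo "not-member"; return 0; fi
    if [ "$(proc_has_gid "$1" "$gid")" = yes ]; then echo "ok"; else echo "stale"; fi
}

# Constructed samples: fcgiwrap started before and after www-data joined git (GID 1001).
SAMPLES=$(mktemp -d)
printf 'www-data:x:33:\ngit:x:1001:www-data\n' > "$SAMPLES/group"
printf 'Name:\tfcgiwrap\nGid:\t33\t33\t33\t33\nGroups:\t33\n' > "$SAMPLES/old.status"
printf 'Name:\tfcgiwrap\nGid:\t33\t33\t33\t33\nGroups:\t33 1001\n' > "$SAMPLES/new.status"
echo "before restart: $(check_stale "$SAMPLES/old.status" "$SAMPLES/group" www-data git)"
echo "after restart:  $(check_stale "$SAMPLES/new.status" "$SAMPLES/group" www-data git)"
```

A "stale" result means the running process must be restarted to pick up the new membership.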