Updates on centos7 break git access via git-http-backend

Updates on centos7 break git access via git-http-backend

[Gaeseric Vandal]

This a is a clarification of an earlier post.     I thought gitweb was the problem.   


The actual problem appears to be with /usr/libexec/git-core/git-http-backend.

Gitweb provides a list to unauthenticated users of available repositories.  I don't need that function so I have removed that package to avoid unexpected conflicts.

I recently applied the latest patches on centos7, including git-1.8.3.1-20.      When I try to access git repos (either via web  browser or git command line.) Repos are configured to require LDAP  authentication.

The httpd ssl-error.log shows
#
[Sun Aug 18 09:22:48.113435 2019] [authz_core:debug] [pid 30167] mod_authz_core.c(809): [client x.x.x.x:35876] AH01626: authorization result of <RequireAny>: granted [Sun Aug 18 09:22:48.119012 2019] [cgi:error] [pid 30167] [client x.x.x.x:x] AH01215: Request not supported: '/export/gitrepos/ABC [Sun Aug 18 09:22:48.119069 2019] [headers:debug] [pid 30167] mod_headers.c(823): AH01502: headers: ap_headers_output_filter() [Sun Aug 18 09:22:53.124599 2019] [ssl:info] [pid 30167] (70007)The timeout specified has expired: [client x.x.x.x:35876] AH01991: SSL input filter read failed.
[Sun Aug 18 09:22:53.124723 2019] [ssl:debug] [pid 30167] ssl_engine_io.c(993): [client x.x.x.x:35876] AH02001: Connection closed to child 1 with standard shutdown (#


If I change gitrepos.conf as follows I will get an error about the script not being found - so I know it is being called.

	#ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
	ScriptAlias /git/ /usr/libexec/git-core/git-http-backend_not/



# git --version
git version 1.8.3.1


# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Jul 29 2019 17:18:49
#


Partial config

       # cat /etc/httpd/conf.d/gitrepos.conf
       SetEnv GIT_PROJECT_ROOT /export/gitrepos
       SetEnv GIT_HTTP_EXPORT_ALL
       ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/

       RewriteEngine on
       RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
       RewriteCond %{REQUEST_URI} /git-receive-pack$
       RewriteRule ^/git/ - [E=AUTHREQUIRED]

       <Files "git-http-backend">
       AuthType Basic
       AuthBasicProvider ldap
       AuthLDAPURL "ldaps://xxxxxxxxxxxxxxx)"
       AuthLDAPBindDN  "uid=xxxxxxxxxxxx"
       AuthLDAPBindPassword xxxxxxxxxxxxxxx
      AuthName "Git Access"
       Require user xxxxx xxxxx xxxxx
       Order deny,allow
       Deny from env=AUTHREQUIRED
       Satisfy any
       </Files>


       <Location /git/ABC>
       AuthType Basic
       AuthBasicProvider ldap
       AuthLDAPURL "ldaps://xxxxxxxxxxxxxxx)"
       AuthLDAPBindDN  "uid=xxxxxxxxxxxx"
       AuthLDAPBindPassword xxxxxxxxxxxxxxx
       AuthName "Git Access ABC"
       Require user xxxxx xxxxx xxxxx
       Order deny,allow
 </Location>


This had been working fine for several years.

Appreciate any advice

Thanks

Re: Updates on centos7 break git access via git-http-backend

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 2117 bytes --]

On 2019-08-18 at 13:53:28, Gaeseric Vandal wrote:
> 
> This a is a clarification of an earlier post.     I thought gitweb was the problem.
> 
> 
> The actual problem appears to be with /usr/libexec/git-core/git-http-backend.
> 
> Gitweb provides a list to unauthenticated users of available repositories.  I don't need that function so I have removed that package to avoid unexpected conflicts.
> 
> I recently applied the latest patches on centos7, including git-1.8.3.1-20.      When I try to access git repos (either via web  browser or git command line.) Repos are configured to require LDAP  authentication.
>
> The httpd ssl-error.log shows
> #
> [Sun Aug 18 09:22:48.113435 2019] [authz_core:debug] [pid 30167] mod_authz_core.c(809): [client x.x.x.x:35876] AH01626: authorization result of <RequireAny>: granted [Sun Aug 18 09:22:48.119012 2019] [cgi:error] [pid 30167] [client x.x.x.x:x] AH01215: Request not supported: '/export/gitrepos/ABC [Sun Aug 18 09:22:48.119069 2019] [headers:debug] [pid 30167] mod_headers.c(823): AH01502: headers: ap_headers_output_filter() [Sun Aug 18 09:22:53.124599 2019] [ssl:info] [pid 30167] (70007)The timeout specified has expired: [client x.x.x.x:35876] AH01991: SSL input filter read failed.
> [Sun Aug 18 09:22:53.124723 2019] [ssl:debug] [pid 30167] ssl_engine_io.c(993): [client x.x.x.x:35876] AH02001: Connection closed to child 1 with standard shutdown (#
> 

If this only breaks on upgrade from an older version of Git on CentOS,
I'd file a bug with the CentOS (or Red Hat) folks.  I expect that this
is due to a patch that Red Hat applied, and not really a limitation in
Git.

As you might be aware, Git 1.8.3.1 is rather old; we've just released
2.23.0.  You could try using a version of Git from Software Collections
(2.18 is available) and see if that works better for you, but I suspect
most folks on the list don't pay much attention to versions before 2.0.

Be aware that it may be Apache that's the problem here and not Git if it
was also upgraded.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 868 bytes --]