[PATCH] services: gitile: Allow to set user and group.

  • Open
Details
2 participants
  • Evgeny Pisemsky
  • Nguyễn Gia Phong
Owner
unassigned
Submitted by
Evgeny Pisemsky
Severity
normal
Nguyễn Gia Phong wrote on 1 Aug 05:15 +0200
(address . 72400@debbugs.gnu.org)(address . julien@lepiller.eu)
cbf724453a33a16165dc78ce80ccbf5c@disroot.org
Hi, does the default gitile user work for you out of the box?
I'm asking as I'm speculating you have the git user own the
repositories.
I sent out https://issues.guix.gnu.org/71143#1 a while ago to fix it.
Evgeny Pisemsky wrote on 1 Aug 10:45 +0200
(address . 72400@debbugs.gnu.org)
87frroeinc.fsf@pisemsky.site
Hello! It does not work, and that is the reason for this patch.

At this point group access is not enough, I have to run gitile from
git user (of gitolite) who owns repositories. Same for fcgiwrap.

This problem is related to the change in libgit2, and for a long time
I just kept it downgraded, but this cannot be forever.

I also tried to play with safe-directory option without any success,
but even if it worked setting config for every service that works with
git seems like a huge overhead.

Changing default user to git may be quite radical, but since the
documentation states this:

> Gitile works best in collaboration with Gitolite, and will serve the
> public repositories from Gitolite by default.

I think it is sane.
Nguyễn Gia Phong wrote on 2 Aug 18:15 +0200
(address . julien@lepiller.eu)
D35K5Z1Y8NE5.WSFOEXAOJOA@disroot.org
On 2024-08-01 at 11:45+03:00, Evgeny Pisemsky wrote:
> Hello! It does not work, and that is the reason for this patch.
>
> At this point group access is not enough, I have to run gitile from
> git user (of gitolite) who owns repositories. Same for fcgiwrap.
>
> Changing default user to git may be quite radical, but since the
> documentation states this:
>
> > Gitile works best in collaboration with Gitolite, and will serve the
> > public repositories from Gitolite by default.
>
> I think it is sane.

Seconded, and IMHO the Guix service documentation should mention
that the default user for gitile is to match the owner
of the repositories:

On 2024-07-31 at 18:00+03:00, Evgeny Pisemsky wrote:
+@item @code{user} (default: @code{"git"})
+Owner of the @code{gitile} process.
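
Review bot: the `+Owner of the @code{gitile} process.` line names who runs the process but not what that account needs. It does not say whether the account is created by the service or must already exist, nor that it needs read access to the served repositories. Since the `@item` line sets the default to "git", the entry should also state that this default is meant to match the owner of the repositories, so a reader can see why it is not a dedicated service account.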
Evgeny Pisemsky wrote on 5 Aug 12:13 +0200
(name . Nguyễn Gia Phong)(address . mcsinyx@disroot.org)
87ikwfffa7.fsf@pisemsky.site
Nguyễn Gia Phong <mcsinyx@disroot.org> writes:

> Seconded, and IMHO the Guix service documentation should mention
> that the default user for gitile is to match the owner
> of the repositories:

As I understand running from git is not secure as it gives gitile
write access to the repos with possibility to corrupt them on error.

I've commented at #71143 about fixing group access for gitile. TLDR:

> (use-modules (git settings))
> (set-owner-validation! #f)
> (run-server ...)

I agree that documentation update is needed. IMO the following, while
being a breaking change, can make the service more sane and flexible:

1. Allow to change user and group as proposed in the initial patch.
2. Set default user and group to "gitile" and document that if they
are changed to other values, they are expected to exist on the system, to
avoid warnings like "the following groups appear more than once".
3. Remove the default value of the "repositories" field to enforce
users to specify what they want to serve. Document that gitile's
user/group must have at least read access to this directory.
4. Provide configuration for gitolite as an example, not as default.
5. Remove unnecessary fields like "database" from configuration.

I'm interested in what authors and maintainers think about all of this.
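
The trade-off discussed in this thread, as an added example that is not part of the thread or of gitile or Guix: an account that owns the repositories passes an owner comparison but can also write to them, while a group-only account can read but fails that comparison. The sample tree, mode bits and account ids are constructed, and `owner_match` is a simplified model of the ownership validation mentioned above (assumption: the repository directory's owner uid is compared with the service uid).

```python
import os
import stat
import tempfile

def access_report(st, uid, gids):
    """Classic mode-bit check for one inode; ignores ACLs and the uid 0 bypass."""
    if st.st_uid == uid:
        shift = 6            # owner permission bits apply
    elif st.st_gid in gids:
        shift = 3            # group permission bits apply
    else:
        shift = 0            # "other" permission bits apply
    bits = (st.st_mode >> shift) & 0o7
    need = 0o5 if stat.S_ISDIR(st.st_mode) else 0o4   # directories need r+x
    return {"can_read": (bits & need) == need, "can_write": bool(bits & 0o2)}

def audit_repo(path, uid, gids):
    """Summarize what a service account (uid, gids) may do to a repository tree."""
    result = {"owner_match": os.stat(path).st_uid == uid,  # simplified owner check
              "unreadable": [], "writable": []}
    for root, _dirs, files in os.walk(path):
        for p in [root] + [os.path.join(root, f) for f in files]:
            rep = access_report(os.lstat(p), uid, gids)
            if not rep["can_read"]:
                result["unreadable"].append(p)   # service cannot serve this
            if rep["can_write"]:
                result["writable"].append(p)     # more than read-only serving needs
    return result

def make_sample_repo():
    """Constructed sample: bare-repo-like tree with 0750 dirs and 0640 files."""
    top = tempfile.mkdtemp(suffix=".git")
    os.makedirs(os.path.join(top, "objects"))
    for rel in ("HEAD", "config"):
        with open(os.path.join(top, rel), "w") as fh:
            fh.write("constructed\n")
        os.chmod(os.path.join(top, rel), 0o640)
    for d in (top, os.path.join(top, "objects")):
        os.chmod(d, 0o750)
    return top

if __name__ == "__main__":
    repo = make_sample_repo()
    st = os.stat(repo)
    for label, uid, gids in (("repository owner", st.st_uid, {st.st_gid}),
                             ("group member", st.st_uid + 1, {st.st_gid}),
                             ("unrelated account", st.st_uid + 1, set())):
        r = audit_repo(repo, uid, gids)
        print(label, r["owner_match"], len(r["unreadable"]), len(r["writable"]))
```
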