From c057bad3701682a208b72473b746de6bb5d89792 Mon Sep 17 00:00:00 2001 From: Sam Vilain Date: Sat, 15 May 2010 15:07:54 +0000 Subject: [PATCH] git-cvsserver: use a password file cvsserver pserver MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a git repository is shared via HTTP, the config file is typically visible. Use an external file instead. Signed-off-by: Ævar Arnfjörð Bjarmason Signed-off-by: Junio C Hamano --- Documentation/git-cvsserver.txt | 21 ++++++++++++++++----- git-cvsserver.perl | 33 +++++++++++++++++---------------- 2 files changed, 33 insertions(+), 21 deletions(-) diff --git a/Documentation/git-cvsserver.txt b/Documentation/git-cvsserver.txt index 031480b154..f414245b43 100644 --- a/Documentation/git-cvsserver.txt +++ b/Documentation/git-cvsserver.txt @@ -100,16 +100,27 @@ looks like ------ Only anonymous access is provided by pserve by default. To commit you -will have to create pserver accounts, simply add a [gitcvs.users] -section to the repositories you want to access, for example: +will have to create pserver accounts, simply add a gitcvs.authdb +setting in the config file of the repositories you want the cvsserver +to allow writes to, for example: ------ - [gitcvs.users] - someuser = somepassword - otheruser = otherpassword + [gitcvs] + authdb = /etc/cvsserver/passwd ------ +The format of these files is username followed by the crypted password, +for example: + +------ + myuser:$1Oyx5r9mdGZ2 + myuser:$1$BA)@$vbnMJMDym7tA32AamXrm./ +------ +You can use the 'htpasswd' facility that comes with Apache to make these +files, but Apache's MD5 crypt method differs from the one used by most C +library's crypt() function, so don't use the -m option. + Then provide your password via the pserver method, for example: ------ cvs -d:pserver:someuser:somepassword server/path/repo.git co diff --git a/git-cvsserver.perl b/git-cvsserver.perl index 709741920f..8b97fb80cf 100755 --- a/git-cvsserver.perl +++ b/git-cvsserver.perl @@ -189,24 +189,25 @@ unless ($user eq 'anonymous') { # Trying to authenticate a user - if (not exists $cfg->{gitcvs}->{users}) { - print "E the repo config file needs a [gitcvs.users] section with user/password key-value pairs\n"; + if (not exists $cfg->{gitcvs}->{authdb}) { + print "E the repo config file needs a [gitcvs.authdb] section with a filename\n"; print "I HATE YOU\n"; exit 1; - } elsif (exists $cfg->{gitcvs}->{users} and not exists $cfg->{gitcvs}->{users}->{$user}) { - #print "E the repo config file has a [gitcvs.users] section but the user $user is not defined in it\n"; - print "I HATE YOU\n"; - exit 1; - } else { - my $descrambled_password = descramble($password); - my $cleartext_password = $cfg->{gitcvs}->{users}->{$user}; - if ($descrambled_password ne $cleartext_password) { - #print "E The password supplied for user $user was incorrect\n"; - print "I HATE YOU\n"; - exit 1; - } - # else fall through to LOVE } + my $auth_ok; + open PASSWD, "<$cfg->{gitcvs}->{authdb}" or die $!; + while() { + if (m{^\Q$user\E:(.*)}) { + if (crypt($user, $1) eq $1) { + $auth_ok = 1; + } + }; + } + unless ($auth_ok) { + print "I HATE YOU\n"; + exit 1; + } + # else fall through to LOVE } # For checking whether the user is anonymous on commit @@ -337,7 +338,7 @@ sub req_Root } foreach my $line ( @gitvars ) { - next unless ( $line =~ /^(gitcvs)\.(?:(ext|pserver|users)\.)?([\w-]+)=(.*)$/ ); + next unless ( $line =~ /^(gitcvs)\.(?:(ext|pserver)\.)?([\w-]+)=(.*)$/ ); unless ($2) { $cfg->{$1}{$3} = $4; } else {