redmine_git_hosting under hardened gentoo profile #657


Closed
matthid opened this issue Feb 28, 2017 · 1 comment

matthid commented Feb 28, 2017

After the latest world update my redmine_git_hosting stopped working:

The log says:

2017-02-27 21:04:15 +0100 [ERROR] Error while testing can_redmine_sudo_to_gitolite_user
2017-02-27 21:04:16 +0100 [ERROR] Can't retrieve Gitolite param : Non-zero exit code pid 31397 exit 1 for `sudo -n -u git -i gitolite query-rc GL_BINDIR`, stderr: sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
, stdout:

On the other hand everything was working in a shell

git@localhost ~ $ sudo -n -u git -i gitolite query-rc GL_BINDIR && echo exit $?
/usr/libexec/gitolite
exit 0

After going through a whole lot of release notes and new features I thought it might be related to no_new_privs.

And finally I noticed that

NoNewPrivileges=true

was added in https://gitweb.gentoo.org/repo/gentoo.git/commit/www-servers/apache?id=4a99c7205e6f7af2d7ecb37fb0ea36cd73a6fbf7
After disabling the feature and restarting apache (almost) everything started working again.

There was another error:
[ERROR] Can't retrieve Gitolite param : Non-zero exit code pid 7463 exit 1 for `sudo -n -u git -i gitolite query-rc LOCAL_CODE`, stderr: , stdout:

Which was solved by enabling
LOCAL_CODE => "$ENV{HOME}/local",
in .gitolite.rc (which is already documented, but was lost after the update)

I have two questions about this incident:

  • Can we (long term) make redmine_git_hosting work with this hardened setup?
  • Can we improve the logging for this situation?
    I used the following (very naive) patches to get a hint to the root cause (you can see the result in my report above):
redmine@localhost ~/plugins/redmine_git_hosting $ git diff
diff --git a/lib/redmine_git_hosting/commands/gitolite.rb b/lib/redmine_git_hosting/commands/gitolite.rb
index 897b938..ac2116f 100644
--- a/lib/redmine_git_hosting/commands/gitolite.rb
+++ b/lib/redmine_git_hosting/commands/gitolite.rb
@@ -83,6 +83,9 @@ module RedmineGitHosting
           RedmineGitHosting::Config.gitolite_home_dir
         end

+        def logger
+          RedmineGitHosting.logger
+        end
     end
   end
 end
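Review bot: the `logger` helper added after `gitolite_home_dir` is not called by any line in this file's diff and, unlike the copy added to gitolite_config_tests.rb, is not placed under `private`. If it is only a convenience wrapper around `RedmineGitHosting.logger`, make it private here as well, or drop it and call `RedmineGitHosting.logger` directly as exec.rb already does.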
diff --git a/lib/redmine_git_hosting/config/gitolite_config_tests.rb b/lib/redmine_git_hosting/config/gitolite_config_tests.rb
index c0b9405..ededdc4 100644
--- a/lib/redmine_git_hosting/config/gitolite_config_tests.rb
+++ b/lib/redmine_git_hosting/config/gitolite_config_tests.rb
@@ -80,9 +80,11 @@ module RedmineGitHosting
         begin
           test = yield if block_given?
         rescue RedmineGitHosting::Error::GitoliteCommandException => e
+          logger.error("GitoliteCommendException : #{e.output}, ENV: #{ENV.to_h.to_yaml}")
           return false
         else
           if test.match(/#{user}/)
+            logger.error("test.match was false")
             return true
           else
             return false
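Review bot: `logger.error("test.match was false")` sits in the branch where `test.match(/#{user}/)` succeeded, directly before `return true`, so the message is written on success and never on the failure it names; move it into the `else` branch before `return false`. In the `rescue` line, `ENV.to_h.to_yaml` writes the whole process environment to the error log, which can include credentials or tokens held in environment variables; log only the variables needed for the diagnosis. The message text also misspells the exception name as `GitoliteCommendException`.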
@@ -90,6 +92,10 @@ module RedmineGitHosting
         end
       end

+      private
+        def logger
+          RedmineGitHosting.logger
+        end
     end
   end
 end
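Review bot: this `logger` method is the same three-line wrapper that the patch also adds to commands/gitolite.rb; defining it once in a shared module and including it in both places would avoid the duplicate. Because `private` is given without arguments here, it also applies to any method later added below it in this module, which is easy to miss; `private def logger` or an explicit `private :logger` keeps the scope to this one method.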
diff --git a/lib/redmine_git_hosting/utils/exec.rb b/lib/redmine_git_hosting/utils/exec.rb
index e5193f4..d073785 100644
--- a/lib/redmine_git_hosting/utils/exec.rb
+++ b/lib/redmine_git_hosting/utils/exec.rb
@@ -14,7 +14,7 @@ module RedmineGitHosting
         merge_output = opts.delete(:merge_output) { false }
         stdout, stderr, code = execute(command, args, opts, &block)
         if code != 0
-          error_msg = "Non-zero exit code #{code} for `#{command} #{args.join(" ")}`"
+          error_msg = "Non-zero exit code #{code} for `#{command} #{args.join(" ")}`, stderr: #{stderr}, stdout: #{stdout}"
           RedmineGitHosting.logger.debug(error_msg)
           raise RedmineGitHosting::Error::GitoliteCommandException.new(command, error_msg)
         end
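Review bot: the new `error_msg` interpolates `stderr` and `stdout` unmodified, and the same string goes both to `RedmineGitHosting.logger.debug` and into `GitoliteCommandException`, so multi-line or long command output ends up in the log and in whatever displays the exception. Strip trailing newlines and cap the length before interpolating, for example with `stderr.to_s.strip`; the report above shows the unstripped newline splitting one log entry over two lines.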

Thanks for providing this awesome plugin :)
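
One way to turn the failure described in the post above into an actionable log hint, as an added example that is not part of the original issue or of redmine_git_hosting: it reads the `NoNewPrivs` field of `/proc/<pid>/status` and matches it against the sudo error text. The module and constant names are hypothetical, the status excerpts are constructed, and the `NoNewPrivs` field assumes Linux 4.10 or later.

```ruby
# Added example; SudoDiagnostics and the SAMPLE_* constants are hypothetical names.
module SudoDiagnostics
  module_function

  # Parse the NoNewPrivs field from /proc/<pid>/status text (Linux 4.10+).
  # Returns true or false, or nil when the field is absent.
  def no_new_privs?(status_text)
    m = status_text.match(/^NoNewPrivs:\s*(\d+)\s*$/)
    m && m[1] == '1'
  end

  # Flag of the running process; nil when /proc is unavailable.
  def current_no_new_privs
    no_new_privs?(File.read('/proc/self/status'))
  rescue SystemCallError
    nil
  end

  # Map the stderr of a failed sudo call to a log hint, or nil if unrelated.
  def hint(stderr, status_text)
    return nil unless stderr.include?('effective uid is not 0')

    if no_new_privs?(status_text)
      'sudo cannot gain root: no_new_privs is set on this process ' \
        '(for example NoNewPrivileges=true in the service unit)'
    else
      'sudo cannot gain root: check for a nosuid mount or a missing setuid bit'
    end
  end
end

# stderr text as quoted in the report above.
SUDO_STDERR = "sudo: effective uid is not 0, is /usr/bin/sudo on a file system " \
              "with the 'nosuid' option set or an NFS file system without root privileges?\n"
# Constructed /proc/<pid>/status excerpts, not captured from a real host.
SAMPLE_STATUS_HARDENED = "Name:\tapache2\nUid:\t81\t81\t81\t81\nNoNewPrivs:\t1\nSeccomp:\t0\n"
SAMPLE_STATUS_PLAIN    = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t0\nSeccomp:\t0\n"

if __FILE__ == $PROGRAM_NAME
  puts SudoDiagnostics.hint(SUDO_STDERR, SAMPLE_STATUS_HARDENED)
  puts "this process: NoNewPrivs=#{SudoDiagnostics.current_no_new_privs.inspect}"
end
```

Because the flag is inherited from the web server process, a login shell on the same host reports `NoNewPrivs: 0`, which matches the observation that the same command succeeded when typed by hand.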

@PowerKiKi
Collaborator

As discussed in #732 (comment), issues related to Redmine < 4.0 or severely outdated issues are being closed to help clean up the issue tracker.

If this issue is still relevant to you and you are running Redmine >= 4.0, please open a new issue including all new relevant information.
