It seems that gitreceive cannot receive tags. Every time tag is pushed I get:

  ! [remote rejected] fix.1 -> fix.1 (pre-receive hook declined)

This seems to happen before receiver script is even called.

The URL for requestb.in seems to have expired - was this section for initial testing purposes and is it needed now?

If someone sets a custom GITUSER, shouldn't everything that uses $SELF use that $GITUSER as well?

The two cases that I see are KEY_PREFIX and when running hook.

I'm not sure if it'd be good to add to the core functionality, but do you think it may be useful to mention it in the docs?

I just source /etc/profile in the receive.sh to resolve this.

Hi!

How would you handle submodules then? I have submodules in my project, but on the server in the receive script I cannot checkout the submodules as this is a front-end server and should not have access to our git repositories.

Any idea on how to manage this?

I really like the idea of having repos created when pushed to -- nice work!

One thing that's hanging me up, though, is when I try to upload a key. The git user's authorized_keys file is writable only by git, as I understand is required by ssh. Therefore when I run

cat ~/.ssh/id_rsa.pub | sijk@server 'gitreceive upload-key sijk'

I get a permission denied error. From my understanding of ssh etc. I don't see how it could possibly work, but presumably it works for you...?

not sure if this is outside of the scope of gitreceive - but is there any way to save repositories when they're pushed to me to specific folders? so even if the remote is set up as:

git remote add demo [email protected]:example

... I can still save the repo in a folder besides /git/example ? maybe this would be some sort of processing done in a hook?

Somehow I forgot about this behavior - sshd will reject all logins to git due to a=rw on ~git/.ssh/authorized_keys:

Jul 4 13:40:32 du sshd[3742]: Authentication refused: bad ownership or modes for file /home/git/.ssh/authorized_keys

There are three ways one could go about this:

1. Revert the change, advocate sudo as the only method.
2. Revert the change, advocate user to add their public key or a password to the git user and use it to upload keys. Adding their key could conflict if the user uses the same key to push, but I dislike the idea of requiring password authentication only.
3. Tell OpenSSH to not enforce the file permissions by inserting StrictModes no in /etc/ssh/sshd_config

Thoughts?

When I use the mkdir -p /some/path && cat | tar -x -C /some/path command specified in the documentation I get an unexpected result. My code is in place, but at the root of my project I also get

drwxr-xr-x  2 git git  4096 2014-05-31 20:44 branches
-rw-r--r--  1 git git    66 2014-05-31 20:44 config
-rw-r--r--  1 git git    73 2014-05-31 20:44 description
-rw-r--r--  1 git git    23 2014-05-31 20:44 HEAD
drwxr-xr-x  2 git git  4096 2014-05-31 20:44 hooks
drwxr-xr-x  2 git git  4096 2014-05-31 20:44 info

...and a few more. i.e. some low-level git info that I'm not used to seeing in my repo.

Is this expected behavior or did I do something wrong? I don't see that it'll do any harm, but I'm always a bit spooked by the unexpected while coding.

Thanks, and great project!

Git receive places the receive pack in a quarantined directory.
It's not possible to update any refs in this directory. This breaks build scripts that fetches from other git repos.

More information about the changes is here:

https://git-scm.com/docs/git-receive-pack#_quarantine_environment
git/git@722ff7f

From build 14:

# fatal: 'test-2' does not appear to be a git repository
# fatal: The remote end hung up unexpectedly

The test failed but was perceived as a success

Good afternoon,

I am very new to git, cloud and deployment. Is it possible to easily create a tunnel between local computer and a coreOs machine (hosted by digital ocean), and remotely push golang source code to the cloud, automatically build the binary at reception, start a docker container running this binary (webapp) and delete source code to secure the app?

Hey,
I've followed the README and have this setup as instructed however whenever I try to push to it I end up getting the following error.

$ git push demo master

Counting objects: 3, done.
Writing objects: 100% (3/3), 225 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To [email protected]:hello_world
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to '[email protected]:hello_world'

So I've checked the remotes (and they look fine)

$ git remote -v     
demo    [email protected]:hello_world (fetch)
demo    [email protected]:hello_world (push)

The weirdest thing though is that the repository is created where it should be.

$ pwd
/home/git

$ ls -la
total 36
drwxr-xr-x 8 git  root 4096 Jan 21 08:43 .
drwxr-xr-x 5 root root 4096 Jan 21 08:13 ..
drwx------ 2 git  git  4096 Jan 21 08:19 .cache
drwxr-xr-x 2 git  root 4096 Jan 21 08:36 .ssh
drwxrwxr-x 7 git  git  4096 Jan 21 08:38 hello_world
-rwxr-xr-x 1 git  root  232 Jan 21 08:13 receiver

So I am a little stumped as to what to be the cause here? Here is my authorized_keys file incase it helps.

$ cat /home/git/.ssh/authorized_keys 
command="GITUSER=git /usr/bin/gitreceive run jacob cc:a8:cc:d5:87:02:42:1b:19:25:36:d5:75:ec:f2:dc",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1<redacted>sagHzeOkAX4BztXEQBhLCTRixlVaWH [email protected]

Would it be possible to get gitreceive to run on a Mac?
If yes, can you maybe point out some of the things that would have to be changed?

Thanks

This is a security-related bug

Problem & POC

The name of the repos can contain sequences such as ../, which allows the repositories to be stored outside the $GITHOME directory.

For example, the command git clone [email protected]:../../tmp/foo creates the repo in the directory /tmp/foo (with default configuration).

Also, one could create a repo named foo, then someone else a repo named foo/bar, which will completely hides the existence of the second repo. Also, replace bar for refs and you have an other error.

Solution

The solution is to filter the allowed repository name and/or to escape them.

The following code is to be changed:

parse_repo_from_ssh_command() {
  awk '{print $2}' | perl -pe 's/(?<!\\)'\''//g' | sed 's/\\'\''/'\''/g' | strip_root_slash
}

However, I don't have the perl knowledge to be sure to understand the code already, so I leave the fix to others.

Here is my suggestion:

• Make sure that there is no / in the repo name. Exit right away with an error message if there is.
• Also, it may be a good idea to check that the repo name does not start with a dot, so that a simple ls $GITHOME will show all repos.

Edit: Not allowing / in the repo name may be asking for too much (e.g. can not use user/something as repo names a la GitHub). Alternatively, we could replace / for some character (-? _? a space?), but this may lead to conflicts (e.g. user/something and user-something would be the same repo).

I will happily review commits aiming at fixing this flaw, provided they don't use any perl (as I don't have any knowledge in the area).

Great job on gitreceive, Jeff.

I'm trying to run it on CoreOS and have trouble with this line: https://github.com/progrium/gitreceive/blob/master/gitreceive#L47 because it uses perl, which isn't installed on CoreOS out of the box.

Of course you needn't support every OS under the sun, but if you could explain what this perl regex is doing then I could find another way of doing it. It's beyond my regex skills!

For now, locally, I've replaced the whole line with simply:

    export RECEIVE_REPO="$(echo $SSH_ORIGINAL_COMMAND | awk '{print $2}' | sed s/\'//g)"

...but I'm sure you have your reasons for writing what you did.

Git now supports push-to-deploy without the need for a bare repo, update script?

I get
sudo: no tty present and no askpass program specified
when I try to
cat ~/.ssh/id_rsa.pub | ssh [user]@[domainname] "sudo gitreceive upload-key myname"

I'm trying to put together a simple "gitreceive" docker service, that when pushed a repo will build the docker image and publish it to a docker repository.

I'm just currently trying to get gitreceive to accept a pushed git repo.

https://github.com/NigelThorne/dockerfiles/tree/master/gitreceive-dockerbuilder

I'm getting the following error..

tzm-mac:xxx nwt$ git push gr master
Counting objects: 3, done.
Writing objects: 100% (3/3), 208 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To ssh://[email protected]:34567/xxx
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://[email protected]:34567/xxx'

To recreate this...

I build and ran my docker project

docker build -t gitreceive .
docker run -p 34567:22 -d --name gitreceive gitreceive

push ssh key to server

chmod 600 sshkey
cat ~/.ssh/id_rsa.pub | ssh -i sshkey [email protected] -p 34567 "gitreceive upload-key nwt"

Then make a repo

mkdir xxx
cd xxx
git init .
echo test > test.txt
git add .
git commit -m "initial commit"
git remote add gr ssh://[email protected]:32768/xxx
git push gr master

ERROR

Thanks for your time and guidance.