How to block HTTP access to a Git repository? - security

I'm playing around with the idea of using Git for deployment and updates of my web applications, but the problem is that by doing it the way I'm doing it, the .git directory (and therefore all my source code) would be accessible via HTTP. This is what is holding me back from really implementing this idea.
How do I prevent HTTP access to my Git repository?!

Probably the best way is to not make the Git repo itself your web root, but rather a copy of it (made, perhaps, with git archive). You could also place the .git directory somewhere else in your file system, and then set the core.worktree option to your web root, so when you check out the files they will be written there (but not the .git directory itself).

You can also use a htaccess directive to forbid access to .git from the web.

Related

Where can I find for the location of the repos managed by Gitosis in Linux

We are using Gitosis in our Linux OS server to manage our projects. One time, I mistakenly pushed the config file which contains errors and then I wasn't able to push changes or clone copies of other projects from the server anymore, including gitosis-admin itself. Now, I need to login to the server using the root user and edit the config file there.
So, when I logged on to the server I saw these files:
Then I cd into gitosis-admin:
Then I cd again into gitosis-admin:
Then I vim the config file. This is what I see:
The content is obviously not what I am expecting, because I should have other repos listed in this config file.
I also double checked with git reflog to see the commit history:
Then I thought there might be another gitosis-admin located somewhere else so I search using the command: find / -type d -name 'gitosis-admin'
This is what I got:
The two directories are the ones that I checked. And they do not match the one I have in my local computer.
I tried searching for one of our projects but still I got no result at all.
Then I thought that the root might not have access to the repo files so I switched to the git user by executing the following command:
sudo git
But still, I can't find the directory of the repos.
So now, I need to know where are the repos located so that I might find the "real" gitosis-admin there.
You might be wondering am I checking on the wrong server here. So to prove that I am not mistaken, this is a screenshot of the host address that I am connected to:
This is the remote address of the gitosis-admin git repo shown in source tree:
A typical directory would be the repositories sub-directory of the git user's $HOME directory, that is
~git/repositories
It is possible to change this location using the repositories key of the gitosis section in the configuration file, which typically is a file named .gitosis.conf in the git user's home directory.
To answer the implied question (namely which file to fix to restore gitosis access), that would be ~git/.gitosis.conf as well.
(This is all documented in the gitosis repository's readme file.)

git - "ignore" or avoid versioning subdirectories

I want to have all my configuration files versioned using Git in a remote repository at Github. I'm using Debian 7 testing, and all my configuration files are under the /home/user_name/ directory.
I created the usual .gitignore with all the files that I want to ignore and the files and directories that I want to allow versioning. My problem begins when I go to Documents, for example, and I see in zsh that folder is under the same versioning as the home directory.
I understand that Git works that way, but I need to know if it's possible to avoid that.
One classic way to version configuration files is to create a subdirectory like ~/etc/ and let your ~/.something files be symbolic links to ~/etc/something. Then, you can version ~/etc/ normally.
You can manage to ignore everything but your configuration files, but you'll always have little glitches like: the day you run git clean -fdx in the wrong place, you delete all your data.
Write */ in your .gitignore to ignore directories. Make exceptions with !foodir. Consider prefixing with slashes (see documentation for details).

Set SVNs working copy to public_html on cPanel server with external repos

When I do php programming, I tend to edit in-place on the (development) server (cpanel VPS, not local) via a text editor that has built in sFTP. I like this because there isn't 100 thinkgs you have to do to "publish" the changes, you save (via FTP) and reload the page.
I want to get the source into SVN mostly so I can track other people's edits.
I currently use tortoiseSVN on my windows machine to access hosted SVN repos (csvdude/codison) for non web projects so I'm familiar with that. Linux SVN, not so much.
My thought here (open to other ideas) is that I want the public_html folder on the server to be the working copy (Is there a problem with this?). People can make edits as they would via sFTP and then the working copy would be committed to the external SVN repo, possibly on a late night cron..hoping I can set it up to auto-add and commit.
So aside from thoughts on the idea, I'm curious how to set up the linux svn client to commit to external repos a la tortoiseSVN. It seems all the tutorials I see set up a local repo.
Additionally I'm worried when I check out with public_html dir as the working copy that it will overwrite everything. (yes I have backups...)
Any input or suggestions would be awesome.. Thanks.
I created a new repo on my hosted SVN service.
I manually created a public_html folder using the repo browser.
On the cPanel server:
cd /home/[account]/
svn checkout https://svnservice.com/my_repo/public_html
I set up an ignore list for directories in public_html I didn't want in the repo.
Then you can add files and directories to the repo
cd public_html
svn add [directory] // adds directory for commit
svn add --force . // adds all new files without ignoring the ignore list
In hindsight, I think the import command would have done something similar, I just didn't quite understand it enough.
This is a useful command as well:
svn status | grep '^\!' | sed 's/! *//' | xargs -I% svn rm % // removes files from repo that no longer exist in the working copy
EDIT: One thing I should mention is to make sure your .htaccess blocks access to .svn directories or it could expose source code.

How could I recover my git-daemon repositories

I had a Gitorious install that got old and it is clear now that it is not coming back. I want to recover the repos (mainly the wiki repos) from the repository. I do not want to repeat the long and painful process of setting up Gitorious again, just to get some wiki back out of it...in fact I'd like to clean up the old install soon (remove it). Although, when it was running it was awesome!
I still have the database for gitorious, so I know which .git files I want and where to find them.
I was attempting to setup git-daemon (I'm on a Linux (ubuntu) setup), but I am not having much luck. I was hopeful that maybe I could just copy the 'foo.git' file somewhere and clone it.
Currently my .git files are in user git's home folder. No problem moving them though, but I'm not sure how to go about this.
I have git daemon running, but it 'hangs up unexpectedly' if I try to connect via 'localhost', all the repos also have my 'export-ok' file in them too. I can connect accross my LAN and clone any other git initialized directory via ssh, could that help me?
Can I just copy the foo.git (more like a f13f9ed412591ce72f7b3cb793605e93ce.git) file to maybe a git initialized repo and work with it there? Is there a git tool that I could use to expand the .git file? <-- I'm sure Git would be the tool right?
The .git is a folder and not a file and git repos are lightweight in that it is just files and folders. You can copy your repo to wherever you want.
Since you said localhost, if you want you can even clone the repos with git clone /path/to/repo.git and work on the cloned repo. You do not need the daemon or anything else to be running.

Exporting files from hook in bare git repository

So, my situation is the following: I want to maintain my website using emacs-muse mode. For transferring the website (and version control), I want to use git. So I would create a hook in the remote (bare) repository that automatically copies the HTML subdir to the web directory. How can I do that from a hook? Also note that the whole directory contains a lot of files, so I can't export the whole directory.
Any help welcome.
You can use git archive, as it takes a path command. So, in your post-update hook you can do something like
git archive $SHA HTML | (cd dir/where/html/should/go && tar x)
this first creates a tarball of the subdir, and pipes that tarball to a tar command to untar it in the specified directory
(just a suggestion, as it may not be applicable in your exact configuration)
You might consider adopting this Web-Focused Git Workflow which, instead of copying, does push your repo directly on the web directory.
(From Joe MALLER)
Less complicated: Using Git to maintain your website (Daniel MIESSLER):
Daniel MIESSLER has an updated version of that same process:
Other suggestions are available at this SO question, like this post-update script mentioned in the Git FAQ.

Resources