On Fri, Jan 10, 2014 at 10:26:09AM +0100, Steinar H. Gunderson wrote:
> I have to say this is odd. From your logs, it looks like it tries to
> initgroups() using the group name instead of the user name -- is that
> what's going on?

Let me provide you with a testcase. I can't quite get it to hang in the
same way, but I definitely get the same error message, so hopefully this
will help. I'll try to get all the steps right here, but I may have
forgotten some. Feel free to substitute bmc for some other user.

* Install apache2, apache2-utils, git, and libapache2-mpm-itk on a test box.
* sudo a2enmod cgi
* sudo a2enmod rewrite
* Drop the attached file into /etc/apache2/sites-available/000-default.conf.
* Replace any instances of bmc in 000-default.conf if necessary.
* mkdir -p /tmp/git/bmc/foo.git
* cd /tmp/git/bmc/foo.git && git init --bare
* sudo ln -s /tmp/git /var/www/html/git
* sudo htpasswd -c /etc/apache2/passwords bmc
* Enter whatever password you like.
* sudo chown www-data: /etc/apache2/passwords
* sudo service apache2 restart
* Go into some git repository on that machine and create some data.
* git push http://bmc@localhost/git/bmc/foo.git master
* Watch it fail.
* Look at the error.log.
* Notice:
  [Fri Jan 10 21:50:17.362387 2014] [mpm_itk:warn] [pid 48030] (itkmpm: pid=48030 uid=1000, gid=33) itk_post_perdir_config(): initgroups(www-data, 33): Operation not permitted
  [Fri Jan 10 21:50:17.362463 2014] [mpm_itk:warn] [pid 48030] Couldn't set uid/gid/priority, closing connection.
* Downgrade apache2 to 2.4.6-3.
* Fix up the fact that both mpm_prefork and mpm_itk are enabled.
* Notice that pushing now works.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    RewriteEngine On
    RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
    RewriteCond %{REQUEST_URI} /git-receive-pack$
    RewriteRule ^/git/ - [E=AUTHREQUIRED:yes]
    RewriteRule /git/([a-z0-9]+)/ - [E=ITKUID:$1]

    SetEnv GIT_PROJECT_ROOT /tmp/git
    SetEnv GIT_HTTP_EXPORT_ALL 1

    <LocationMatch "^/git/">
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        AllowOverride None
        AuthType Basic
        AuthName "Restricted Files"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/passwords
        SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
        <RequireAny>
            <RequireAll>
                Require valid-user
                Require expr %{REMOTE_USER} == %{reqenv:ITKUID}
            </RequireAll>
            Require expr %{reqenv:AUTHREQUIRED} == ''
        </RequireAny>
    </LocationMatch>

    <LocationMatch "^/git/.*/git-receive-pack$">
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        AllowOverride None
        AuthType Basic
        AuthName "Restricted Files"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/passwords
        AssignUserID bmc www-data
        SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
        <RequireAll>
            Require user bmc
        </RequireAll>
    </LocationMatch>

    AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /tmp/git/$1
    AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /tmp/git/$1
    ScriptAliasMatch \
        "(?x)^/git/(.*/(HEAD | \
            info/refs | \
            objects/info/[^/]+ | \
            git-(upload|receive)-pack))$" \
        /usr/lib/git-core/git-http-backend/$1

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
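
An added example, not part of the original message or of mpm-itk: a small Python triage script that parses the mpm_itk warnings quoted in the report and compares the name passed to initgroups() with the AssignUserID pair from the attached configuration. The function names and the embedded sample strings are assumptions, constructed from the lines on this page.

```python
import re

# Constructed sample input: the two warnings quoted in the report and the
# AssignUserID line from the attached 000-default.conf.
SAMPLE_LOG = """\
[Fri Jan 10 21:50:17.362387 2014] [mpm_itk:warn] [pid 48030] (itkmpm: pid=48030 uid=1000, gid=33) itk_post_perdir_config(): initgroups(www-data, 33): Operation not permitted
[Fri Jan 10 21:50:17.362463 2014] [mpm_itk:warn] [pid 48030] Couldn't set uid/gid/priority, closing connection.
"""
SAMPLE_CONF = "    #AssignUserID old www-data\n    AssignUserID bmc www-data\n"

WARN_RE = re.compile(
    r"\[mpm_itk:warn\] \[pid (?P<pid>\d+)\] "
    r"\(itkmpm: pid=\d+ uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) "
    r"(?P<func>\w+)\(\): initgroups\((?P<name>[^,]+), (?P<igid>\d+)\): (?P<err>.+)$"
)
ASSIGN_RE = re.compile(r"^[ \t]*AssignUserID[ \t]+(\S+)[ \t]+(\S+)", re.MULTILINE)
CLOSED_RE = re.compile(r"\[pid (\d+)\] Couldn't set uid/gid/priority")


def assigned_ids(conf_text):
    """Return every (user, group) pair set with AssignUserID; '#' lines are skipped."""
    return ASSIGN_RE.findall(conf_text)


def initgroups_failures(log_text, conf_text):
    """Extract failed initgroups() calls and compare their name with the config."""
    pairs = assigned_ids(conf_text)
    users = {user for user, _ in pairs}
    groups = {group for _, group in pairs}
    closed_pids = set(CLOSED_RE.findall(log_text))
    findings = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        # On Debian www-data is both a user and a group name, so a group match
        # alone does not show which of the two the caller meant.
        f["name_is_configured_user"] = f["name"] in users
        f["name_is_configured_group"] = f["name"] in groups
        f["connection_closed"] = f["pid"] in closed_pids
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in initgroups_failures(SAMPLE_LOG, SAMPLE_CONF):
        print(finding)
```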