xaizek / rocketgit (License: AGPLv3+) (since 2018-12-09)
Light and fast Git hosting solution suitable to serve both as a hub or as a personal code storage with its tickets, pull requests, API and much more.
Commit 57269df7b88cd6cbb0c2569c6e14d94887c6ca40

Several changes. Bump version to 0.18
Author: Catalin(ux) M. BOIE
Author date (UTC): 2013-02-17 10:10
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2013-02-17 10:10
Parent(s): 753abba3b1f6caac8f96d801e5a5d1786023aa2f
Signing key:
Tree: ee44cc44b0f665cafa1c9789dec460f9c807e601
File Lines added Lines deleted
README 1 2
TODO 16 1
duilder.conf 1 1
inc/admin/users/add.php 1 1
inc/admin/users/edit.php 1 1
inc/keys.inc.php 2 1
inc/repo.inc.php 3 2
inc/repo/repo.php 17 12
inc/user/repo-page.php 23 10
inc/user/repo/admin/edit/edit.php 1 1
inc/user/repo/admin/rights/rights.php 13 1
inc/util.inc.php 6 13
root/index.php 1 1
root/themes/default/repo/main.html 1 1
root/themes/default/user/keys/list/header.html 1 1
samples/rg 1 2
samples/rg.conf 2 1
scripts/cron.sh 2 11
scripts/events.sh 1 1
scripts/q.sh 2 2
scripts/remote.php 3 0
scripts/remote.sh 3 0
selinux/build.sh 17 1
selinux/rocketgit.te 30 19
File README changed (mode: 100644) (index ce94995..98557b0)
61 61 . Mail . Mail
62 62 To be able to generate e-mails as other user, you have to: To be able to generate e-mails as other user, you have to:
63 63 For sendmail: For sendmail:
64 - Edit /etc/mail/trusted-users and add 'rocketgit'.
65 - Run 'make -C /etc/mail'.
64 - Edit /etc/mail/trusted-users and add 'rocketgit' and 'apache'.
66 65 - Restart daemon: 'systemctl restart sendmail.service' (Fedora) - Restart daemon: 'systemctl restart sendmail.service' (Fedora)
67 66
68 67 . Run instalation script . Run instalation script
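Review bot: On new line 64, adding 'apache' to /etc/mail/trusted-users lets anything running as the web server account send mail as another user, which is what this section says the list is for. State why the web process itself needs this rather than handing mail to the 'rocketgit' user, so an admin can judge the trade-off. The old step 'make -C /etc/mail' is also dropped without comment; if it is no longer needed, say so here.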
File TODO changed (mode: 100644) (index f81b7b3..a4f9b6d)
1 1 == BEFORE NEXT RELEASE == == BEFORE NEXT RELEASE ==
2 2
3 3 == BEFORE FIRST RELEASE! == == BEFORE FIRST RELEASE! ==
4 [ ] Increment usage on keys should be done by events, with a predefined interval
5 to not kill the database.
6 [ ] Uploading/deleting a key will generate an event.
7 [ ] Add first usage of ssh keys.
8 [ ] Add count of usage for ssh keys.
9 [ ] Reorder ssh keys by usage to speed up ssh login.
10 [ ] In documentation, because of SELinux, we may want to restart some services.
11 At least: xinetd, cron etc. Probably not, but I must test this.
4 12 [ ] Check if adding/editing a bug generates notifications correctly. [ ] Check if adding/editing a bug generates notifications correctly.
5 13 Maybe use a global function for notify_one. Maybe use a global function for notify_one.
6 14 [ ] When we cannot process an event, mark it as failed and do not touch it again. [ ] When we cannot process an event, mark it as failed and do not touch it again.
 
8 16 and it may have admin rights! Audit everything (rg_ui/login_ui/$uid). and it may have admin rights! Audit everything (rg_ui/login_ui/$uid).
9 17 [ ] Checking mtime of event.php is not enough. Maybe checking version. [ ] Checking mtime of event.php is not enough. Maybe checking version.
10 18 Think of includes that may change. Think of includes that may change.
11 [ ] Fix this shit: isset($_REQUEST['rights']) ? rg_rights_a2s(rg_var_str("rights")) : $rg
12 19 [ ] Checking for "rg_ui['uid'] == 0" may not be enough. [ ] Checking for "rg_ui['uid'] == 0" may not be enough.
13 20 Maybe rg_ui[['uid'] = repo['uid']? Maybe rg_ui[['uid'] = repo['uid']?
14 21 Or, everywhere add 'uid = ?' in queries. Or, everywhere add 'uid = ?' in queries.
 
18 25 rights! rights!
19 26
20 27 == Medium == == Medium ==
28 [ ] Add groups.
29 [ ] We should warn the user if some users have lower rights than the default!
30 [ ] Auto-create repos at clonse phase, not only at push phase.
21 31 [ ] The link to a note should have an anchor to be able to go directly to the note. [ ] The link to a note should have an anchor to be able to go directly to the note.
22 32 [ ] bug tracker is private? If the repo is, it should be also. [ ] bug tracker is private? If the repo is, it should be also.
23 33 [ ] When you watch a project, a note add to a bug will notify that watcher? [ ] When you watch a project, a note add to a bug will notify that watcher?
 
... ... them after processing is done.
391 401 [ ] Team suports [ ] Team suports
392 402 [ ] Bulk add users/teams/repos/bugs/etc. [ ] Bulk add users/teams/repos/bugs/etc.
393 403
404 == Low priority ==
405 [ ] If a user has no push access and creates merge request, but the owner pushed
406 nothing, ssh cloning gives erros about HEAD not found.
407
408
394 409 == Graphics == == Graphics ==
395 410 [ ] http://static.phpcloud.com/images/banner/phpcloudcom-spaceship-banner-970x404px.jpg [ ] http://static.phpcloud.com/images/banner/phpcloudcom-spaceship-banner-970x404px.jpg
396 411 [ ] [ ]
File duilder.conf changed (mode: 100644) (index 439b1c5..9e1e58c)
1 1 PRJ="rocketgit" PRJ="rocketgit"
2 VER="0.17"
2 VER="0.18"
3 3 REV="1" REV="1"
4 4 EXCLUDE=".exclude" EXCLUDE=".exclude"
5 5 EXPORT_PATH="/data/www/umbrella/kernel/us/rocketgit" EXPORT_PATH="/data/www/umbrella/kernel/us/rocketgit"
File inc/admin/users/add.php changed (mode: 100644) (index 38b35c0..57dfea0)
... ... if ($doit == 1) {
17 17 $xpass = rg_var_str("xpass"); $xpass = rg_var_str("xpass");
18 18 $is_admin = rg_var_uint("is_admin"); $is_admin = rg_var_uint("is_admin");
19 19 $disk_quota_mb = rg_var_uint("disk_quota_mb"); $disk_quota_mb = rg_var_uint("disk_quota_mb");
20 $rights = @rg_rights_a2s($_REQUEST['rights']);
20 $rights = rg_rights_a2s(rg_var_str("rights"));
21 21 $session_time = rg_var_uint("session_time"); $session_time = rg_var_uint("session_time");
22 22
23 23 do { do {
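Review bot: On new line 20, rg_rights_a2s (array to string, going by its name) used to receive $_REQUEST['rights'] directly and now receives whatever rg_var_str returns. If the form posts rights as an array of checkboxes, confirm that rg_var_str passes arrays through unchanged; otherwise the user is saved with empty rights. The same substitution is made on line 23 of inc/admin/users/edit.php.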
File inc/admin/users/edit.php changed (mode: 100644) (index f2b3e99..92dc201)
... ... if ($doit == 1) {
20 20 $xpass = rg_var_str("xpass"); $xpass = rg_var_str("xpass");
21 21 $is_admin = rg_var_uint("is_admin"); $is_admin = rg_var_uint("is_admin");
22 22 $disk_quota_mb = rg_var_uint("disk_quota_mb"); $disk_quota_mb = rg_var_uint("disk_quota_mb");
23 $rights = @rg_rights_a2s($_REQUEST['rights']);
23 $rights = rg_rights_a2s(rg_var_str("rights"));
24 24 $session_time = rg_var_uint("session_time"); $session_time = rg_var_uint("session_time");
25 25
26 26 do { do {
File inc/keys.inc.php changed (mode: 100644) (index 00a5127..6265587)
... ... function rg_keys_regen($db)
406 406 } }
407 407 while (($row = rg_sql_fetch_array($res))) { while (($row = rg_sql_fetch_array($res))) {
408 408 rg_log("Writing key [" . $row['key'] . "] for uid " . $row['uid']); rg_log("Writing key [" . $row['key'] . "] for uid " . $row['uid']);
409 $buf = "command=\"/usr/bin/php " . $rg_scripts . "/scripts/remote.php"
409 $buf = "command=\""
410 . $rg_scripts . "/scripts/remote.sh"
410 411 . " " . $row['uid'] . " " . $row['uid']
411 412 . " " . $row['key_id'] . "\"" . " " . $row['key_id'] . "\""
412 413 . "," . $rg_ssh_paras . "," . $rg_ssh_paras
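Review bot: The command= string built on new lines 409-410 only reaches entries written after this change; authorized_keys lines already on disk keep invoking /usr/bin/php with remote.php directly and never go through remote.sh. Add an upgrade note that rg_keys_regen has to run once after updating. $rg_scripts is also placed inside the double-quoted command= value unescaped, so a configured path containing a double quote would corrupt the line; validate it when the configuration is loaded.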
File inc/repo.inc.php changed (mode: 100644) (index 91b720b..8ace9f0)
... ... function rg_repo_update($db, $login_ui, &$new)
828 828 $event = rg_array_merge($event, "ri", $new); $event = rg_array_merge($event, "ri", $new);
829 829 $event['ri.old.description_md5'] = md5($ri['description']); $event['ri.old.description_md5'] = md5($ri['description']);
830 830 $event['ri.description_md5'] = md5($new['description']); $event['ri.description_md5'] = md5($new['description']);
831 $event['ri.rights_text'] = implode("\n", rg_rights_text("repo", $new['default_rights']));
831 $event['ri.rights_text'] = rg_implode("\t", rg_rights_text("repo", $new['default_rights']), "\n");
832 832 $r = rg_event_add($db, $event); $r = rg_event_add($db, $event);
833 833 if ($r !== TRUE) { if ($r !== TRUE) {
834 834 rg_repo_set_error("cannot add event" rg_repo_set_error("cannot add event"
 
... ... function rg_repo_search($db, $ui, $q)
942 942 $sql = "SELECT * FROM repos" $sql = "SELECT * FROM repos"
943 943 . " WHERE deleted = 0" . " WHERE deleted = 0"
944 944 . " AND (name ILIKE '%$e_q%' OR description ILIKE '%$e_q%')" . " AND (name ILIKE '%$e_q%' OR description ILIKE '%$e_q%')"
945 . " AND (uid = " . $ui['uid'] . " OR default_rights LIKE '%F%')"
945 . " AND (uid = " . $ui['uid'] . " OR default_rights LIKE '%F%'"
946 . " OR " . $ui['admin'] . " = 1)"
946 947 . " ORDER BY master, name" . " ORDER BY master, name"
947 948 . " LIMIT 10"; . " LIMIT 10";
948 949
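Review bot: New line 946 concatenates $ui['admin'] straight into the SQL text, next to $ui['uid'] on line 945, and neither value is cast. If either is unset or empty for an anonymous visitor, the statement becomes a syntax error ('OR  = 1'). Decide the admin case in PHP and leave the ownership filter out of the query there, or at least wrap both values in intval() or bind them as parameters.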
File inc/repo/repo.php changed (mode: 100644) (index 1197706..1edc485)
... ... $max_commit_size = rg_var_uint("max_commit_size");
14 14 $max_users = rg_var_uint("max_users"); $max_users = rg_var_uint("max_users");
15 15 $description = rg_var_str("description"); $description = rg_var_str("description");
16 16 $master_repo_id = rg_var_uint("master_repo_id"); $master_repo_id = rg_var_uint("master_repo_id");
17 $rights = isset($_REQUEST['rights']) ? rg_rights_a2s(rg_var_str("rights")) : $rg_repo_rights_default;
18 17 $repo_id = rg_var_uint("repo_id"); $repo_id = rg_var_uint("repo_id");
19 18
20 19 $errmsg = array(); $errmsg = array();
 
... ... case 'list':
44 43 break; break;
45 44
46 45 case 'create': case 'create':
47 while ($doit == 1) {
48 $_r = rg_repo_create($db, $master_repo_id, $login_ui, $name,
49 $max_commit_size, $description, $rights, $max_users);
50 if ($_r === FALSE) {
51 $errmsg[] = rg_repo_error();
52 break;
53 }
54
55 // redirect to repo page
56 $url = rg_re_repopage($login_ui, $name);
57 rg_redirect($url);
46 if ($doit == 1) {
47 $rights = rg_rights_a2s(rg_var_str("rights"));
48
49 do {
50 $_r = rg_repo_create($db, $master_repo_id, $login_ui, $name,
51 $max_commit_size, $description, $rights, $max_users);
52 if ($_r === FALSE) {
53 $errmsg[] = rg_repo_error();
54 break;
55 }
56
57 // redirect to repo page
58 $url = rg_re_repopage($login_ui, $name);
59 rg_redirect($url);
60 } while (0);
61 } else { // load defaults
62 $rights = $rg_repo_rights_default;
58 63 } }
59 64
60 65 if ($master_repo_id > 0) { if ($master_repo_id > 0) {
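Review bot: In the 'create' branch (new lines 46-60), rg_repo_create runs as soon as $doit == 1, and the visible path has no rg_token_valid($db, $sid, $token) check, while the edit and rights forms touched by this same commit validate the token first. Since the block is being restructured into do { ... } while (0) anyway, make the token check the first step inside it and break with an error message on failure.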
File inc/user/repo-page.php changed (mode: 100644) (index 3231d1c..5fdecc5)
... ... if (rg_user_ok($user) !== TRUE) {
10 10 return; return;
11 11 } }
12 12
13 $page_ui = rg_user_info($db, 0, $user, "");
14 if ($page_ui === FALSE) {
15 $_repo_page .= rg_warning("Invalid user!");
16 return;
17 }
18
13 19 if (rg_repo_ok($repo) !== TRUE) { if (rg_repo_ok($repo) !== TRUE) {
14 20 $_repo_page .= rg_warning("Invalid repo!"); $_repo_page .= rg_warning("Invalid repo!");
15 21 return; return;
16 22 } }
17 23
18 $ri = rg_repo_info($db, 0, $login_ui['uid'], $repo);
24 $ri = rg_repo_info($db, 0, $page_ui['uid'], $repo);
19 25 if ($ri['ok'] != 1) { if ($ri['ok'] != 1) {
20 26 $_repo_page .= rg_warning("Internal error!"); $_repo_page .= rg_warning("Internal error!");
21 27 return; return;
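Review bot: New line 14 tests the result of rg_user_info with === FALSE, but rg_repo_info a few lines below reports failure through $ri['ok'] != 1. If rg_user_info follows the same array convention, a missing user passes this check and $page_ui['uid'] on line 24 is read from a failed lookup. Check the same field here, or document the return contract next to the call.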
 
... ... if (strcmp($_subop, "history") == 0) {
141 147 "HTML:content" => rg_template_list($c) "HTML:content" => rg_template_list($c)
142 148 ); );
143 149 $blob = array_merge($blob, $_content); $blob = array_merge($blob, $_content);
144 $_repo_body .= rg_template("repo/blob.html",
145 array_merge($blob, $repo_more));
150 $blob = array_merge($blob, $repo_more);
151 $_repo_body .= rg_template("repo/blob.html", $blob);
146 152 } }
147 153 } else if (strcmp($type, "tree") == 0) { } else if (strcmp($type, "tree") == 0) {
148 154 // find treeish of dir // find treeish of dir
 
... ... if (strcmp($_subop, "history") == 0) {
154 160 } else { } else {
155 161 $_hash = $_tree[0]['ref']; $_hash = $_tree[0]['ref'];
156 162 $_tree = rg_git_ls_tree($_hash, ""); $_tree = rg_git_ls_tree($_hash, "");
157 $_repo_body .= rg_template_table("repo/tree", $_tree, $repo_more);
163 $_repo_body .= rg_template_table("repo/tree",
164 $_tree, $repo_more);
158 165 } }
159 166 } else { // default is to show root tree } else { // default is to show root tree
160 167 $repo_more['path'] = ""; $repo_more['path'] = "";
161 168 $_tree = rg_git_ls_tree($ref, ""); $_tree = rg_git_ls_tree($ref, "");
162 $_repo_body .= rg_template_table("repo/tree", $_tree, $repo_more);
169 $_repo_body .= rg_template_table("repo/tree", $_tree,
170 $repo_more);
163 171 } }
164 172 } else { // log is default } else { // log is default
165 173 // show the log // show the log
 
... ... if (strcmp($_subop, "history") == 0) {
169 177 $_repo_body .= rg_warning("Error generating log!"); $_repo_body .= rg_warning("Error generating log!");
170 178 // TODO: rg_internal_error? // TODO: rg_internal_error?
171 179 } else if (empty($log)) { } else if (empty($log)) {
172 $_repo_body .= rg_template("repo/not_init.html", $repo_more);
180 $_repo_body .= rg_template("repo/not_init.html",
181 $repo_more);
173 182 } else { } else {
174 183 //rg_log("DEBUG: log: " . print_r($log, TRUE)); //rg_log("DEBUG: log: " . print_r($log, TRUE));
175 184 $_repo_body .= rg_git_log_template($log, $_repo_body .= rg_git_log_template($log,
 
... ... if (strcmp($_subop, "history") == 0) {
234 243 $_repo_body .= "Error getting merge request list (" $_repo_body .= "Error getting merge request list ("
235 244 . rg_mr_error() . ")."; . rg_mr_error() . ").";
236 245 } else { } else {
237 $_repo_body .= rg_template_table("repo/mr/list", $r, $repo_more);
246 $_repo_body .= rg_template_table("repo/mr/list", $r,
247 $repo_more);
238 248 } }
239 249 } else { } else {
240 250 $mr = preg_replace('/[^0-9a-zA-Z_]/', '', array_shift($paras)); $mr = preg_replace('/[^0-9a-zA-Z_]/', '', array_shift($paras));
 
... ... if (strcmp($_subop, "history") == 0) {
245 255 break; break;
246 256 } }
247 257
248 $_log = rg_git_log($repo_path, 0, $mri['old_rev'], $mri['new_rev'], TRUE);
258 $_log = rg_git_log($repo_path, 0, $mri['old_rev'],
259 $mri['new_rev'], TRUE);
249 260 if ($_log === FALSE) { if ($_log === FALSE) {
250 261 $_repo_body .= rg_warning("Error generating patch."); $_repo_body .= rg_warning("Error generating patch.");
251 262 break; break;
252 263 } }
253 264
254 $mri['HTML:diff'] = rg_git_log_template($_log, "repo/log", $repo_more);
255 $_repo_body .= rg_template("repo/mr/page.html", $mri, $repo_more);
265 $mri['HTML:diff'] = rg_git_log_template($_log,
266 "repo/log", $repo_more);
267 $_repo_body .= rg_template("repo/mr/page.html", $mri,
268 $repo_more);
256 269 } while (0); } while (0);
257 270 } }
258 271 } }
File inc/user/repo/admin/edit/edit.php changed (mode: 100644) (index 57ead1a..ebece50)
... ... if (strcmp($_op, "rename_done") == 0) {
17 17 $repo_id = rg_var_uint("repo_id"); $repo_id = rg_var_uint("repo_id");
18 18 $master_repo_id = 0; $master_repo_id = 0;
19 19 $name = rg_var_str("name"); $name = rg_var_str("name");
20 $rights = rg_rights_a2s(rg_var_str("rights"));
20 21 $max_commit_size = rg_var_uint("max_commit_size"); $max_commit_size = rg_var_uint("max_commit_size");
21 22 $max_users = rg_var_uint("max_users"); $max_users = rg_var_uint("max_users");
22 23 $description = rg_var_str("description"); $description = rg_var_str("description");
23 $rights = isset($_REQUEST['rights']) ? rg_rights_a2s($_REQUEST['rights']) : "";
24 24
25 25 do { do {
26 26 if (!rg_token_valid($db, $sid, $token)) { if (!rg_token_valid($db, $sid, $token)) {
File inc/user/repo/admin/rights/rights.php changed (mode: 100644) (index dc884e9..9b2d729)
... ... $repo_rights_more = $repo_admin_more;
5 5 $_rights = ""; $_rights = "";
6 6
7 7 $target_user = rg_var_str("target_user"); $target_user = rg_var_str("target_user");
8 $rights = isset($_REQUEST['rights']) ? rg_rights_a2s(rg_var_str("rights")) : $rg_repo_rights_default;
8 $rights = rg_rights_a2s(rg_var_str("rights"));
9 9 $delete = rg_var_uint("delete"); $delete = rg_var_uint("delete");
10 10 $edit_uid = rg_var_uint("edit_uid"); $edit_uid = rg_var_uint("edit_uid");
11 11 $grant = rg_var_uint("grant"); $grant = rg_var_uint("grant");
 
... ... $del_errmsg = array();
20 20 $repo_rights_more['target_user'] = $target_user; $repo_rights_more['target_user'] = $target_user;
21 21 $repo_rights_more['rights'] = $rights; $repo_rights_more['rights'] = $rights;
22 22
23 $load_defaults = 1;
24
23 25 while ($delete == 1) { while ($delete == 1) {
26 $load_defaults = 0;
27
24 28 if (!rg_token_valid($db, $sid, $token)) { if (!rg_token_valid($db, $sid, $token)) {
25 29 $del_errmsg[] = "invalid token; try again"; $del_errmsg[] = "invalid token; try again";
26 30 break; break;
 
... ... while ($delete == 1) {
43 47 } }
44 48
45 49 while ($edit_uid > 0) { while ($edit_uid > 0) {
50 $load_defaults = 0;
51
46 52 $r = rg_repo_rights_get($db, $ri, $edit_uid, 0); $r = rg_repo_rights_get($db, $ri, $edit_uid, 0);
47 53 if ($r['ok'] != 1) { if ($r['ok'] != 1) {
48 54 $errmsg[] = "User does not exists"; $errmsg[] = "User does not exists";
 
... ... while ($edit_uid > 0) {
64 70
65 71 // Adding // Adding
66 72 while ($grant == 1) { while ($grant == 1) {
73 $load_defaults = 0;
74
67 75 if (!rg_token_valid($db, $sid, $token)) { if (!rg_token_valid($db, $sid, $token)) {
68 76 $errmsg[] = "invalid token; try again"; $errmsg[] = "invalid token; try again";
69 77 break; break;
 
... ... while ($grant == 1) {
89 97 break; break;
90 98 } }
91 99
100 if ($load_defaults == 1) {
101 $rights = $rg_repo_rights_default;
102 }
103
92 104 $repo_rights_more['rg_form_token'] = rg_token_get($db, $sid); $repo_rights_more['rg_form_token'] = rg_token_get($db, $sid);
93 105 $repo_rights_more['HTML:errmsg'] = rg_template_errmsg($errmsg); $repo_rights_more['HTML:errmsg'] = rg_template_errmsg($errmsg);
94 106 $repo_rights_more['HTML:del_errmsg'] = rg_template_errmsg($del_errmsg); $repo_rights_more['HTML:del_errmsg'] = rg_template_errmsg($del_errmsg);
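Review bot: The default loaded on new lines 100-102 arrives too late to be displayed. $repo_rights_more['rights'] was already filled from $rights on line 21, and none of the visible lines after 102 copy the new value in, so the form still shows the result of rg_rights_a2s on an empty request. Re-assign $repo_rights_more['rights'] = $rights; inside the if on line 100.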
File inc/util.inc.php changed (mode: 100644) (index 78afc63..474f101)
... ... function rg_re_repopage($ui, $repo_name)
179 179
180 180 function rg_re_bugpage($ui, $repo_name, $bug_id) function rg_re_bugpage($ui, $repo_name, $bug_id)
181 181 { {
182 if (!isset($ui['organization'])) {
183 rg_internal_error("rg_re_repopage called with wrong ui (no org)!");
184 exit(1);
185 }
186
187 182 $s = rg_re_repopage($ui, $repo_name) . "/bug/" . $bug_id; $s = rg_re_repopage($ui, $repo_name) . "/bug/" . $bug_id;
188 183
189 184 if (isset($_REQUEST['rwe'])) if (isset($_REQUEST['rwe']))
 
... ... function rg_re_repo_ssh($organization, $user, $repo)
218 213 else else
219 214 $port = ":" . $rg_ssh_port; $port = ":" . $rg_ssh_port;
220 215
221 if ($organization == 1)
222 $prefix = "/org";
223 else
224 $prefix = "";
216 $prefix = "";
217 if ($organization == 0)
218 $prefix = "/user";
225 219
226 220 return "ssh://rocketgit@" . $rg_ssh_host . $port return "ssh://rocketgit@" . $rg_ssh_host . $port
227 221 . $prefix . "/" . $user . "/" . $repo; . $prefix . "/" . $user . "/" . $repo;
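Review bot: New lines 216-218 change the URL layout for every existing clone: user repositories gain a '/user' prefix and organization repositories lose '/org'. Remotes already configured with the old paths stop resolving unless the server side still accepts both forms, so say in the commit message or README whether the old layout is still honoured. The same three lines are repeated in rg_re_repo_git; a small shared helper would keep the two from drifting apart.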
 
... ... function rg_re_repo_git($organization, $user, $repo)
236 230 else else
237 231 $port = ":" . $rg_git_port; $port = ":" . $rg_git_port;
238 232
239 if ($organization == 1)
240 $prefix = "/org";
241 else
242 $prefix = "";
233 $prefix = "";
234 if ($organization == 0)
235 $prefix = "/user";
243 236
244 237 return "git://" . $_SERVER['SERVER_NAME'] . $port return "git://" . $_SERVER['SERVER_NAME'] . $port
245 238 . $prefix . "/" . $user . "/" . $repo; . $prefix . "/" . $user . "/" . $repo;
File root/index.php changed (mode: 100644) (index 179d76d..c857640)
... ... while (1) {
68 68 } }
69 69
70 70 rg_log("Schema/fixes is not up-to-date! Sleep 1 second..."); rg_log("Schema/fixes is not up-to-date! Sleep 1 second...");
71 sleep(1);
71 sleep(5);
72 72 } }
73 73
74 74 rg_user_login_by_sid($db, $sid, $login_ui); rg_user_login_by_sid($db, $sid, $login_ui);
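Review bot: The sleep on new line 71 sits inside while (1) with no retry limit, so every request that arrives while the schema is out of date holds a web server worker for 5 seconds per iteration, indefinitely. Cap the number of iterations and answer with a 'try again later' page (HTTP 503) once the cap is reached.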
File root/themes/default/repo/main.html changed (mode: 100644) (index 66b827b..435c61f)
13 13
14 14 <div class="menu submenu"> <div class="menu submenu">
15 15 <ul> <ul>
16 <li><a href="@@url_repo@@/history">History</a></li>
16 <li><a href="@@url_repo@@/history">Last events</a></li>
17 17 <li><a href="@@url_repo@@/source">Source</a></li> <li><a href="@@url_repo@@/source">Source</a></li>
18 18 <li><a href="@@url_repo@@/mr">Merge requests</a></li> <li><a href="@@url_repo@@/mr">Merge requests</a></li>
19 19 <li><a href="@@url_repo@@/bug">Bugs</a></li> <li><a href="@@url_repo@@/bug">Bugs</a></li>
File root/themes/default/user/keys/list/header.html changed (mode: 100644) (index 8fe9fa7..3b78fc1)
9 9 <table> <table>
10 10 <tr> <tr>
11 11 <th>Select</th> <th>Select</th>
12 <th>Date (UTC)</th>
12 <th>Upload date (UTC)</th>
13 13 <th>Fingerprint</th> <th>Fingerprint</th>
14 14 <th>Comment</th> <th>Comment</th>
15 15 <th>Last use (UTC)</th> <th>Last use (UTC)</th>
File samples/rg changed (mode: 100644) (index 3d45693..af4b039)
... ... service git
9 9 socket_type = stream socket_type = stream
10 10 wait = no wait = no
11 11 user = rocketgit user = rocketgit
12 server = /usr/bin/php
13 server_args = /usr/share/rocketgit/scripts/remote.php
12 server = /usr/share/rocketgit/scripts/remote.sh
14 13 log_on_failure += USERID log_on_failure += USERID
15 14 } }
File samples/rg.conf changed (mode: 100644) (index 9401ad7..7e032cc)
18 18 #RewriteLogLevel 3 #RewriteLogLevel 3
19 19
20 20 # Allow .ico, 'themes' folder and any txt file (think robots.txt) # Allow .ico, 'themes' folder and any txt file (think robots.txt)
21 RewriteCond %{REQUEST_URI} ^/(favicon\.ico|themes|.*\.txt)
21 # Also, avoid scripts that are looking for exploits
22 RewriteCond %{REQUEST_URI} ^/(favicon\.ico|themes|.*\.txt|.*\.php)
22 23 RewriteRule .* - [L] RewriteRule .* - [L]
23 24
24 25 # index.php is special # index.php is special
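Review bot: The pattern on new line 22 is anchored only at the start, so it matches any URI that merely contains '.php' or '.txt' somewhere in the path, not just files with that extension; add '$' to the alternatives that are meant as suffixes. 'RewriteRule .* - [L]' also passes the request through untouched rather than refusing it, so a stray .php file under the document root would be executed directly; if the goal stated on line 21 is to turn probing scripts away, put the .php case in its own rule with [F]. Finally, '/index.php' itself now matches this condition and stops at [L] before it reaches the 'index.php is special' block below.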
File scripts/cron.sh changed (mode: 100755) (index 14e2433..d321beb)
1 1 #!/bin/bash #!/bin/bash
2 2
3 # This is a wrapper for cron.php, to not wait a lot after it exits
3 # This is a wrapper just to correctly transition to rocketgit_t domain
4 4
5 exec 100<>/var/lib/rocketgit/locks/cron.lock
6
7 flock --exclusive --nonblock 100
8 if [ "${?}" != "0" ]; then
9 exit 0
10 fi
11
12 php /usr/share/rocketgit/scripts/cron.php
13
14 flock --unlock 100
5 exec php /usr/share/rocketgit/scripts/cron.php
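Review bot: With the flock block removed (old lines 5-14), nothing in this wrapper prevents a second cron.php from starting while the previous run is still going. events.sh and q.sh keep their flock and only rename the lock file to *.sh.lock, which suggests the PHP scripts now take the original lock themselves. If cron.php does that too, say so in the header comment on line 3; otherwise keep the lock here.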
File scripts/events.sh changed (mode: 100755) (index a131a71..baf408c)
2 2
3 3 # This is a wrapper for events.php, to not wait a lot after it exits # This is a wrapper for events.php, to not wait a lot after it exits
4 4
5 exec 100<>/var/lib/rocketgit/locks/events.lock
5 exec 100<>/var/lib/rocketgit/locks/events.sh.lock
6 6
7 7 flock --exclusive --nonblock 100 flock --exclusive --nonblock 100
8 8 if [ "${?}" != "0" ]; then if [ "${?}" != "0" ]; then
File scripts/q.sh changed (mode: 100755) (index 95705f8..66b2766)
1 1 #!/bin/bash #!/bin/bash
2 2
3 # This is a wrapper for q.php, to not wait a lot after it exits
3 # This is a wrapper just to correctly transition to rocketgit_t
4 4
5 exec 100<>/var/lib/rocketgit/locks/q.lock
5 exec 100<>/var/lib/rocketgit/locks/q.sh.lock
6 6
7 7 flock --exclusive --nonblock 100 flock --exclusive --nonblock 100
8 8 if [ "${?}" != "0" ]; then if [ "${?}" != "0" ]; then
File scripts/remote.php changed (mode: 100644) (index fd6ea17..981e57a)
... ... umask(0022);
47 47
48 48 rg_log("Start..."); rg_log("Start...");
49 49 rg_log("_SERVER: " . rg_array2string($_SERVER)); rg_log("_SERVER: " . rg_array2string($_SERVER));
50 // DEBUG SELinux
51 $label = @file_get_contents("/proc/self/attr/current");
52 rg_log("SELINUX: " . $label);
50 53
51 54 $db = rg_sql_open($rg_sql); $db = rg_sql_open($rg_sql);
52 55 if ($db === FALSE) if ($db === FALSE)
File scripts/remote.sh added (mode: 100755) (index 0000000..039c732)
1 #!/bin/bash
2
3 exec php /usr/share/rocketgit/scripts/remote.php "${@}"
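Review bot: Line 3 resolves php through PATH, whereas the authorized_keys command and the xinetd sample that this script replaces both named /usr/bin/php explicitly. This script is the entry point for every ssh and git connection, so use the absolute interpreter path. The script path is also hard-coded to /usr/share/rocketgit while inc/keys.inc.php builds its path from $rg_scripts; an install in a non-default location needs both to agree.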
File selinux/build.sh changed (mode: 100755) (index 6d3b1a8..63e1b87)
... ... if [ -z "${PRJ}" ]; then
9 9 exit 1 exit 1
10 10 fi fi
11 11
12 # test if we need to rebuild the policy
13 last_mod=`stat --format=%Y ${PRJ}.{te,if,fc} | sort -r -n | head -n 1`
14
15 if [ -r "out/done" ]; then
16 last_done=`stat --format=%Y out/done`
17 else
18 last_done="0"
19 fi
20
21 if [ "${last_done}" -gt ${last_mod} ]; then
22 echo "No need to rebuild SELinux policy."
23 exit 0
24 fi
25
12 26 for type in ${selinux_variants}; do for type in ${selinux_variants}; do
13 27 make NAME=${type} -f /usr/share/selinux/devel/Makefile make NAME=${type} -f /usr/share/selinux/devel/Makefile
14 28 mkdir -p out mkdir -p out
 
... ... for type in ${selinux_variants}; do
17 31 done done
18 32
19 33 # Hard link identical policies (thanks, crossfire) # Hard link identical policies (thanks, crossfire)
20 /usr/sbin/hardlink -cv out
34 /usr/sbin/hardlink -cv out
35
36 touch out/done
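Review bot: 'touch out/done' on new line 36 runs unconditionally. Unless the elided part of the loop exits on a failed make, a build that failed is still stamped as done, and the early exit added on lines 21-24 then skips every later rebuild until a source file changes. Write the stamp only after all variants have built, for instance with 'set -e' at the top of the script or by checking make's exit status in the loop.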
File selinux/rocketgit.te changed (mode: 100644) (index b6afa0c..52dccae)
1 policy_module(rocketgit,1.0.51)
1 policy_module(rocketgit,1.0.69)
2 2
3 3 ######################################## ########################################
4 4 # #
 
... ... gen_require(`
9 9 # really needed httpd_log_t? # really needed httpd_log_t?
10 10 type httpd_t; type httpd_t;
11 11 type httpd_log_t; type httpd_log_t;
12 type system_mail_t;
13 type unconfined_t;
12 14 ') ')
13 15
14 16 type rocketgit_t; type rocketgit_t;
15 17 domain_type(rocketgit_t) domain_type(rocketgit_t)
16 18
17 19 apache_content_template(rocketgit) apache_content_template(rocketgit)
18 # Allow httpd to access php scripts:
19 read_files_pattern(httpd_t, rocketgit_usr_t, rocketgit_usr_t)
20 # Allow crons to search in /var/lib - not clear why
21 files_search_var_lib(rocketgit_t)
20 22
21 23 type rocketgit_exec_t; type rocketgit_exec_t;
22 24 domain_entry_file(rocketgit_t, rocketgit_exec_t) domain_entry_file(rocketgit_t, rocketgit_exec_t)
 
... ... domain_entry_file(rocketgit_t, rocketgit_exec_t)
24 26 # When cron executes rocketgit_exec_t, we transition to rocketgit_t # When cron executes rocketgit_exec_t, we transition to rocketgit_t
25 27 cron_system_entry(rocketgit_t, rocketgit_exec_t) cron_system_entry(rocketgit_t, rocketgit_exec_t)
26 28
29 # When running from inetd, transit to rocketgit_t. Seems that rocketgit_exec_t is
30 # not enough. Why?!
31 optional_policy(`
32 inetd_tcp_service_domain(rocketgit_t, rocketgit_exec_t)
33 ')
34
35 # Force ssh to transition to rocketgit_t
36 domain_auto_trans(unconfined_t, rocketgit_exec_t, rocketgit_t)
37
27 38 # Allow event.sh to access /home/rocketgit # Allow event.sh to access /home/rocketgit
28 39 userdom_list_user_home_content(rocketgit_t) userdom_list_user_home_content(rocketgit_t)
29 40
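Review bot: The rule on new line 36 is keyed on unconfined_t, not on sshd, so it applies to every unconfined process that executes a rocketgit_exec_t file (an admin running the scripts from a root shell included) and does nothing for a login that lands in a different user domain. If the intent is only that the ssh forced command enters rocketgit_t, document the assumption that the rocketgit account logs in as unconfined_t. Consider wrapping the rule in optional_policy like the inetd block above it, because the gen_require on unconfined_t makes the whole module fail to load where that type is not defined.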
 
... ... application_exec_all(rocketgit_t)
40 51 # Allow rocketgit_t to use tcp sockets # Allow rocketgit_t to use tcp sockets
41 52 allow rocketgit_t self:tcp_socket { connect getopt getattr create setopt }; allow rocketgit_t self:tcp_socket { connect getopt getattr create setopt };
42 53
54 # Allow basic access to net
55 sysnet_read_config(rocketgit_t)
56 sysnet_dns_name_resolve(rocketgit_t)
57
58 # Probably to list owner of files
59 auth_read_passwd(rocketgit_t)
60
43 61
44 62 # php files # php files
45 63 type rocketgit_usr_t; type rocketgit_usr_t;
46 64 files_type(rocketgit_usr_t) files_type(rocketgit_usr_t)
47 65 read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t) read_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
66 exec_files_pattern(rocketgit_t, rocketgit_usr_t, rocketgit_usr_t)
67 read_files_pattern(httpd_t, rocketgit_usr_t, rocketgit_usr_t)
48 68
49 69
50 70 # log files # log files
 
... ... type rocketgit_var_t;
59 79 files_type(rocketgit_var_t) files_type(rocketgit_var_t)
60 80 admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t) admin_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t)
61 81 filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir }) filetrans_pattern(rocketgit_t, rocketgit_var_t, rocketgit_var_t, { file dir })
82 read_files_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t)
83 list_dirs_pattern(httpd_t, rocketgit_var_t, rocketgit_var_t)
62 84
63 85
64 86 # sockets # sockets
 
... ... optional_policy(`
96 118 postgresql_tcp_connect(rocketgit_t) postgresql_tcp_connect(rocketgit_t)
97 119 postgresql_stream_connect(rocketgit_t) postgresql_stream_connect(rocketgit_t)
98 120
99 # httpd
100 # Allow apache to read the conf file
101 #allow httpd_t rocketgit_t:dir { getattr search };
102 #allow httpd_t rocketgit_t:file { getattr read open };
103 #allow httpd_t rocketgit_t:sock_file { write };
104 #allow httpd_t rocketgit_t:unix_stream_socket { connectto };
105
106 121 # mail # mail
107 sendmail_domtrans(rocketgit_t)
122 mta_send_mail(rocketgit_t)
108 123
109 124 # self # self
110 125 allow rocketgit_t self:unix_stream_socket { connectto }; allow rocketgit_t self:unix_stream_socket { connectto };
 
... ... allow rocketgit_t self:process { setsched };
113 128 # PHP needs getattr to /var/lib # PHP needs getattr to /var/lib
114 129 files_getattr_var_lib_dirs(rocketgit_t) files_getattr_var_lib_dirs(rocketgit_t)
115 130
116 # Some common macros (you might be able to remove some)
117 #files_read_etc_files(rocketgit_t)
118 ## internal communication is often done using fifo and unix sockets.
119 #allow rocketgit_t self:fifo_file { read write };
120 #allow rocketgit_t self:unix_stream_socket create_stream_socket_perms;
131 # We leak log and lock fds, ignore for now - not clear if 'dontaudit' = allow! TODO
132 dontaudit system_mail_t rocketgit_lock_t:file { read write };
133 dontaudit system_mail_t rocketgit_log_t:file append;
134 dontaudit system_mail_t rocketgit_usr_t:file read;
121 135
122 # We leak log and lock fds, ignore for now
123 allow sendmail_t rocketgit_lock_t:file { read write };
124 allow sendmail_t rocketgit_log_t:file append;
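Review bot: The question in the comment on new line 131 has a definite answer: dontaudit grants nothing, it only stops the denial from being logged, so the three rules on lines 132-134 hide the leaked descriptors rather than permit their use. That is tighter than the 'allow sendmail_t' rules being removed, but the leak is better fixed at the source by opening the log and lock files close-on-exec, or closing them before the mailer is spawned, after which these rules and the TODO can go.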