Put Bazaar behind a password

John Arbash Meinel john at arbash-meinel.com
Wed Jun 13 23:50:17 BST 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason Merrill wrote:
>> The file 'doc/http_smart_server.txt' describes how to do this.
> 
> Thanks a lot John.  This definitely clears up some points of confusion.  I
> thought that "smart server" was only used to describe what happens when you use
> bzr serve, and didn't realize that you could also use modules on apache to do a
> similar thing.  I was also indeed confused about the usage of bzr+ssh: I thought
> you could use that protocol to access another machine that had just run bzr
> serve, but now I understand that you actually use it to access another machine
> that is running an ssh server.

Right, the 'smart server' is mostly a protocol, which can be tunneled over
several different methods (TCP is the raw bzr:// protocol, bzr+ssh:// is over
an ssh connection, and bzr+http:// is over HTTP requests).

> 
> On my mac box, I used macports to install bazaar, and though it has installed
> bazaar 0.16, it seems not to have installed some of the documentation.  There
> was no http_smart_server.txt in my doc folder.  I was, however, able to just
> download the source and read it there.  

It might be installing them into /opt/local/share/doc
Or it might just be a macports issue that it isn't installing them at all.


> I'm a little puzzled about the note at
> the beginning saying that using the http smart server will allow access to
> arbitrary files on the server.  How?  Why?  

It is the note of a very security conscious person, who has not done a thorough
security audit of every possible code path.

It isn't *intended* to expose that much of your filesystem, just that it might
be possible to break out of the chroot because we haven't done a full audit.

Now, my guess is that some of that audit has actually been done. Which is why
it asks you to use a "chroot+" path, which should prevent anyone from being
able to get to arbitrary files on your filesystem.

Also note that bzr itself will not try to do anything of the sort. It is just
that once you have a service which allows access to files, you have to make
sure that nobody can create a custom request that would expose something the
user didn't want to be exposed.

So mostly, it is a disclaimer. We think it is safe, and are even using it in
places, but we want to be clear that we aren't claiming infallibility (yet).


> I also don't get the following
> instruction.  Both arguments to Alias seem to be the same.  What does this mean?
> 
> # bzr-smart.fcgi isn't under the DocumentRoot, so Alias it into the URL
>     # namespace so it can be executed.
>     Alias /srv/example.com/scripts/bzr-smart.fcgi
> /srv/example.com/scripts/bzr-smart.fcgi

As I understand it, it is Apache voodoo. In order for Apache to find
'bzr-smart.fcgi' you have to map it into the URL namespace. I guess Apache
thinks of some files by their local paths, and other files by their public
paths, and you have to map one into the other, even though the final path is
the same.

> 
>> b) Path issues. I've started using www.MacPorts.org to install stuff, because
>> it makes my life easier. However it seems that it puts python2.4 in
>> /opt/local/bin/ which is not on the default search path. So doing "ssh
>> localhost bzr log /test/" was failing with not being able to find python2.4
>> (the python in the search path is Mac's default 2.3).
>> To get it to work I did:
> 
> Yeah, the macports folks encourage you to add /opt/local/bin to your path using
> .bash_rc or .profile or whatever.  The idea is that everything run through
> macports is in the opt folder, so if it all somehow gets totally borked you can
> just dump the whole opt folder and start over without worrying about messing any
> non macports things up.

Sure, and I've done so. The problem is that when doing "ssh host command" which
runs the command on the host, it doesn't seem to be loading my ~/.bashrc or
~/.zshrc. To give a specific example, I use 'zsh' as my default shell:

$ ssh localhost 'zsh -i --login -c "echo $PATH"'
Starting a new gpg-agent
/usr/bin:/bin:/usr/sbin:/sbin

The 'Starting' line is being executed in my .zshrc file, but notice that the
PATH has not been updated. Why????

Oh and if I do:

$ ssh localhost 'zsh -c "echo $PATH"'
/usr/bin:/bin:/usr/sbin:/sbin

It isn't even loading .zshrc.

But if I
$ ssh localhost
% echo $PATH
/Users/jameinel/bin:/usr/local/bin:/opt/local/bin:...

> 
> I think I may just take another stab at getting OpenSSH working on the windows
> machine.  Mucking around with the experimental apache smart server seems a bit
> beyond what I'd like to get into at this point.
> 
> Cheers,
> 
> Jason

It took a little bit for me to get working, but I think it is pretty much just
follow the steps at this point. Some bits are a little bit voodoo (like the
Alias you noticed). But I think you can just go through it. And at the end
you'll have Apache running the smart server.

John
=:->
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGcHSpJdeBCYSNAAMRApT0AJ9EZl77zZdnFHe7qW2JdxhHE6n11gCgo6Y1
m/+EOdGOGfC29vzQn+XLzFs=
=99P+
-----END PGP SIGNATURE-----

More information about the bazaar mailing list