Confirmed: htaccess method of http auth broken in 1.0.2

Patrick Waugh ptwaugh at gmail.com
Mon Sep 8 00:13:36 CDT 2008


On Sun, Aug 17, 2008 at 1:20 PM, Henryk Gerlach <hgerlach at gmx.de> wrote:
> then try to push with
> allow_push=patrick
> in .hgrc on server
>
> does it work?

Question:  Is the file named (as you said) .hgrc, or just hgrc?
Also, this file is the one located in the actual repo, correct?

> Next try:
> add
>
> import os,sys
> print "Content-Type: text/plain"
> print ""
> print os.environ.get("REMOTE_USER","NO_REMOTE_USER")
> print os.environ
> sys.exit(0)
>
> after the line
> #!/usr/bin/env python
>
> to your hgwebdir.cgi
> tell us what you see if you visit your repo. You can remove it again afterwards.

This is what I get:

NO_REMOTE_USER
{'HTTP_COOKIE': 'bbsessionhash=98ce297e051f4b72b8516cda94d8f67d',
'REDIRECT_STATUS': '200', 'SERVER_SOFTWARE': 'Apache/1.3.37 (Unix)
mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4
FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
PHP-CGI/0.4mm', 'SCRIPT_NAME': '/hg/hgweb.cgi', 'REQUEST_METHOD':
'GET', 'HTTP_KEEP_ALIVE': '300', 'REDIRECT_URL': '/hg/',
'SERVER_PROTOCOL': 'HTTP/1.1', 'QUERY_STRING': '', 'PATH':
'/usr/bin:/bin', 'HTTP_ACCEPT_CHARSET':
'ISO-8859-1,utf-8;q=0.7,*;q=0.7', 'HTTP_USER_AGENT': 'Mozilla/5.0
(X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820
Firefox/3.0.1', 'HTTP_CONNECTION': 'keep-alive', 'SERVER_NAME':
'berrysoft.net', 'REMOTE_ADDR': '98.211.63.103', 'SERVER_PORT': '80',
'SERVER_ADDR': '75.125.59.2', 'DOCUMENT_ROOT':
'/home/berrysof/public_html', 'SCRIPT_FILENAME':
'/home/berrysof/public_html/hg/hgweb.cgi', 'SERVER_ADMIN':
'webmaster at berrysoft.net', 'HTTP_HOST': 'berrysoft.net',
'REQUEST_URI': '/hg/', 'HTTP_ACCEPT':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'GATEWAY_INTERFACE': 'CGI/1.1', 'REMOTE_PORT': '40640',
'HTTP_ACCEPT_LANGUAGE': 'en-us,en;q=0.5', 'HTTP_ACCEPT_ENCODING':
'gzip,deflate'}


> <LimitExcept GET POST>
>     require valid-user
> </LimitExcept>

wouldn't that be equivalent to:

> <Limit PUT>
>     require valid-user
> </Limit>


On Tue, Aug 19, 2008 at 6:00 AM, Ted Pavlic <ted at tedpavlic.com> wrote:
> Additionally, have you tried limiting *everything* and visiting your repo
> server with a web browser? Do you get HTTP authentication?

Good suggestion.  Now we are getting somewhere perhaps.  If I limit
them all, I don't get an auth attempt, I get a "Page not found" page
in the browser.

If I limit all except GET, I can go to the hgweb page, as I'm supposed to.


> Have you looked at your error logs? Try doing a "tail -f access_log
> error_log" while you're visiting the site -- see what log lines get
> generated by your auth requests during the hg push.

No errors in the error logs.


> Are you sure your password file is readable?

Yes permissions are correct, and the file was verified as working (in
other words, the encrypted password is correct).

>I know you say you use it on
> another part of the site, but it would be nice to know authentication
> *could* work here. Try forcing authentication and then *FAILING*
> authentication long enough (e.g., three tries) so that your web browser
> gives you the authentication denied code. Do you see it complaining about
> error documents not being present?

If I: touch ~/public_html/hg/failed_auth.htm using phpshell, auth
works, and the file is created!  So, auth is working.


> Note that you do NOT need to pass /dev/null to AuthGroupFile. If your server
> administrator has hidden /dev/null from you (for some strange reason), then
> Apache might be choking on that.

Yeah, I eliminated that unnecessary line early on.

So, the above represents the current state.  I believe the problem is
that there is no remote user, which is probably because of the way it
was installed.  Because I'm on a shared server, I used VMWare to
install to a virtual RHEL locally, and then ftp'ed it all up to the
shared server.  As I do not have shell access, I'm guessing that
.bash_rc and .bash_profile never get run, and so the EXPORTS never get
made as well.

As I have no idea how to get a "REMOTE_USER", and basically the
htpasswd method is really not secure anyway, I think what I'll do
instead is just keep the real repos on my local Ubuntu box, and then
set up a cron job to ftp up the repos periodically so they are visible
to those I want to make them visible to.  I'll just think of them as a
backup.

I've spent far too much time on this, and it really isn't needed as you
guys have pointed out.  Just bugs me when I can't get something to
work.

The more I read this list, the more I realize hg is far more than it
first appears.

Thanks for all the input.  If I ever figure out what I did wrong on
the shared server I'll post about it.

Patrick
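Added example, not code from this thread, from Apache or from Mercurial: a small model of the two things the message above is debugging. `auth_required()` models which request methods an Apache `<Limit>` or `<LimitExcept>` block applies its `Require` to, and `push_allowed()` mirrors the `allow_push` decision hgweb makes from the `[web]` section of the repository's `.hg/hgrc` (simplified: no `deny_push`, no `push_ssl`). `simulate_push()` chains the two under two assumptions: an hg push over HTTP reaches hgweb as a POST (`cmd=unbundle`), and Apache only sets `REMOTE_USER` on requests it actually challenged and authenticated. The method list used by `limits_are_equivalent()` and the user names are constructed for the example.

```python
# Added example: model Apache <Limit>/<LimitExcept> coverage and hgweb's
# allow_push check. Assumptions (not from the thread): hg push is a POST,
# and REMOTE_USER exists only when Apache authenticated the request.
from typing import Iterable, Optional, Tuple


def auth_required(method: str, directive: str, methods: Iterable[str]) -> bool:
    """True if a <Limit ...> or <LimitExcept ...> block listing `methods`
    applies its Require directive to `method`."""
    listed = {m.upper() for m in methods}
    method = method.upper()
    if directive == "Limit":
        return method in listed          # only the listed methods are protected
    if directive == "LimitExcept":
        return method not in listed      # everything *but* the listed methods
    raise ValueError("directive must be 'Limit' or 'LimitExcept'")


def limits_are_equivalent(a: Tuple[str, Iterable[str]],
                          b: Tuple[str, Iterable[str]],
                          sample_methods=("GET", "POST", "PUT", "DELETE",
                                          "OPTIONS", "HEAD")) -> bool:
    """Compare two blocks over a constructed sample of request methods."""
    return all(auth_required(m, *a) == auth_required(m, *b)
               for m in sample_methods)


def push_allowed(environ: dict, allow_push: Optional[str]) -> Tuple[bool, str]:
    """Mirror hgweb's allow_push decision: '*' allows anyone; otherwise the
    comma/whitespace-separated list must contain REMOTE_USER."""
    names = allow_push.replace(",", " ").split() if allow_push else []
    if not names:
        return False, "push denied: allow_push is empty or unset"
    if names == ["*"]:
        return True, "push allowed: allow_push = *"
    user = environ.get("REMOTE_USER")
    if user is None:
        return False, ("push denied: REMOTE_USER missing, "
                       "Apache did not authenticate this request")
    if user in names:
        return True, f"push allowed: {user} is listed in allow_push"
    return False, f"push denied: {user} is not listed in allow_push"


def simulate_push(user: Optional[str], directive: str, methods: Iterable[str],
                  allow_push: Optional[str]) -> Tuple[bool, str]:
    """Walk one push through Apache and then hgweb. `user` is the name the
    client would present if challenged (None = no credentials configured)."""
    environ = {"REQUEST_METHOD": "POST", "SCRIPT_NAME": "/hg/hgweb.cgi"}
    if auth_required("POST", directive, methods):
        if user is None:
            return False, "401 from Apache: credentials required for POST"
        environ["REMOTE_USER"] = user   # set by Apache after a successful Basic auth
    # If Apache never challenged the POST, REMOTE_USER is simply absent.
    return push_allowed(environ, allow_push)


if __name__ == "__main__":
    cases = (("LimitExcept GET POST", ("LimitExcept", ["GET", "POST"])),
             ("Limit PUT", ("Limit", ["PUT"])),
             ("LimitExcept GET", ("LimitExcept", ["GET"])))
    for label, block in cases:
        print(label, "->", simulate_push("patrick", *block, "patrick"))
    print("<LimitExcept GET POST> == <Limit PUT>?",
          limits_are_equivalent(("LimitExcept", ["GET", "POST"]),
                                ("Limit", ["PUT"])))
```

Two things fall out of running it. `<LimitExcept GET POST>` and `<Limit PUT>` are not equivalent: the first also protects DELETE, OPTIONS and every other method, the second protects PUT only. More to the point of the thread, neither block ever challenges a POST, so a push arrives at hgweb with no `REMOTE_USER` and `allow_push=patrick` denies it; only a block that covers POST (here `<LimitExcept GET>`) makes Apache authenticate the push and populate `REMOTE_USER` for the `allow_push` check.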

