October 15, 2019 by derak - 0 comments

GOGS/Gitea Fix Critical API Auth By-Pass

I subscribe to updates from the forums and wasn’t alerted to this critical issue.

Manasseh Zhou reported a critical session bypass issue in the go-marcaron framework which impacts Gogs 0.11.86 @ 2019-01-30 and Gitea < 1.5.4.
Because of missing access checks; an attacker can log into any account and run arbitrary commands on an effected server.

This was reported as CVE-2018-18926 and CVE-2018-18925
Manasseh provides a detailed breakdown of the issue on his site.

Gogs and Gitea users should update immediately to the latest release.

On a side note; I’m concerned about the timeline here. This issue was first reported to the Gogs project in late 2018 and opened as a github issue in Aug. of 2019 which finally got the attention of unknwon and was resolved two days later. Gitea fixed this issue in Oct. of 2018.
I will be looking into other tools to internally host our git repositories.

May 29, 2019 by derak - 0 comments

Using php composer with RedHat Software Collections

Software Collections make running more than one version of php on the same server pretty painless. It does take some getting use to.

PHP has lots of command line tools which assume that php is available in the environment; which isn’t the case in an SCL environment.

Assumptions

Your using RedHat or CentOS 7.
php 7.2 is installed via software collections. (rh-php72)
PHP Composer’s “composer.phar” is downloaded in “/opt/php-composer/”

Here is a little bash script to work around this quirk of using SCL packages.

#! /bin/bash

#choose which scl package we want to use.
source scl_source enable rh-php72

#pass all shell args to composer.
php /opt/php-composer/composer.phar "[email protected]"

Save this as “composer” and make it executable (chmod +x composer) and moved it into the “/usr/local/bin/” folder.

This trick also works for cron jobs which need a specific version of php to run.

May 14, 2019 by derak

PHP Warning: PHP Startup: Unable to load dynamic library ‘sodium.so’

When installing php 7.2 on CentOS using RedHat Software Collections; your getting an error from php like:

PHP Warning:  PHP Startup: Unable to load dynamic library 'sodium.so' (tried: /opt/rh/rh-php72/root/usr/lib64/php/modules/sodium.so (libsodium.so.23: cannot open shared object file: No such file or directory), /opt/rh/rh-php72/root/usr/lib64/php/modules/sodium.so.so (/opt/rh/rh-php72/root/usr/lib64/php/modules/sodium.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0

This is a library conflict. Yum installed the wrong thing.
Lets have a look at this package:

(rh-mysql56,httpd24,rh-php72) [[email protected]]# yum deplist sclo-php72-php-sodium.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.jaleco.com
 * epel: mirror.compevo.com
 * extras: centos-distro.1gservers.com
 * updates: repos.dfw.quadranet.com
package: sclo-php72-php-sodium.x86_64 7.2.12-1.el7
  dependency: libc.so.6(GLIBC_2.4)(64bit)
   provider: glibc.x86_64 2.17-260.el7_6.5
  dependency: libsodium.so.23()(64bit)
   provider: sclo-cassandra3-libsodium.x86_64 1.0.15-2.el7
   provider: libsodium.x86_64 1.0.17-1.el7
  dependency: rh-php72-php(api) = 20170718-64
   provider: rh-php72-php-common.x86_64 7.2.10-3.el7
  dependency: rh-php72-php(zend-abi) = 20170718-64
   provider: rh-php72-php-common.x86_64 7.2.10-3.el7
  dependency: rh-php72-runtime
   provider: rh-php72-runtime.x86_64 1-2.el7
  dependency: rtld(GNU_HASH)
   provider: glibc.x86_64 2.17-260.el7_6.5
   provider: glibc.i686 2.17-260.el7_6.5

Notice the libsodium library has two providers. This means that yum thinks either of these can satisfy the requirements; and in this case; it didn’t choose a compatible library. We’ll need to remove the sclo-cassandra3-libsodium library and manually install the one we want.

[[email protected]]# yum remove sclo-cassandra3-libsodium.x86_64
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package sclo-cassandra3-libsodium.x86_64 0:1.0.15-2.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================
 Package                                       Arch                       Version                           Repository                             Size
========================================================================================================================================================
Removing:
 sclo-cassandra3-libsodium                     x86_64                     1.0.15-2.el7                      @centos-sclo-sclo                     348 k

Transaction Summary
========================================================================================================================================================
Remove  1 Package

Installed size: 348 k
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : sclo-cassandra3-libsodium-1.0.15-2.el7.x86_64                                                                                        1/1
  Verifying  : sclo-cassandra3-libsodium-1.0.15-2.el7.x86_64                                                                                        1/1

Removed:
  sclo-cassandra3-libsodium.x86_64 0:1.0.15-2.el7

Complete!

Now install the correct library

[[email protected]]# yum install libsodium.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.jaleco.com
 * epel: mirror.compevo.com
 * extras: centos-distro.1gservers.com
 * updates: repos.dfw.quadranet.com
Resolving Dependencies
--> Running transaction check
---> Package libsodium.x86_64 0:1.0.17-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================
 Package                              Arch                              Version                                   Repository                       Size
========================================================================================================================================================
Installing:
 libsodium                            x86_64                            1.0.17-1.el7                              epel                            144 k

Transaction Summary
========================================================================================================================================================
Install  1 Package

Total download size: 144 k
Installed size: 344 k
Is this ok [y/d/N]: y
Downloading packages:
libsodium-1.0.17-1.el7.x86_64.rpm                                                                                                | 144 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : libsodium-1.0.17-1.el7.x86_64                                                                                                        1/1
  Verifying  : libsodium-1.0.17-1.el7.x86_64                                                                                                        1/1

Installed:
  libsodium.x86_64 0:1.0.17-1.el7

Complete!

Now lets test our install

[[email protected]]# php -i | grep sodium
/etc/opt/rh/rh-php72/php.d/20-sodium.ini,
sodium
sodium support => enabled
libsodium headers version => 1.0.17
libsodium library version => 1.0.17

Success!

June 13, 2018 by derak

Phantom changes in git

I recently switched back to windows as my primary development system and encountered some weirdness with git.

My projects were showing lots of changed files but after inspecting the files for changes, there were none.

Git status on windows is sensitive to changes in file mode (permissions) and line endings (CR/LF).

Like most things in git, this behavior is configurable.

git config core.fileMode false

This lets git ignore those file mode changes and will let you get back to work.

November 30, 2017 by derak

Moving from gitolite to gogs

Problem: You have a ton of git repositories in gitolite and you’d like to switch to the github-esq gui provided by gogs.

Gogs is super easy to get setup and has thoughtfully added tools which make it useful for a private intranet type setup. It has not however come up with a great way of mass-importing git repositories from another tool.

The web interface include a “migration” tool which can be completed one at a time. I had 150 git repos to migrate so I added a repo and then polked at the database

Gogs also uses bare repositories just like gitolite. Loading them into gogs is as easy as rsync’ing them into the gogs-repo directory and adding some rows to the gogs database so gogs knows how to administer them.

I made a script to help me with that task. Note I’m using mysql as my database and my repos default to private.

With this, it took about a second to import all these repos. I did find one other person who had batch imported repos and chose to do it with curl but I couldn’t get it to work. All in all, it took about 4 days to figure out how to get gogs setup and get all the repos into it. Hopefully this script makes that process much quicker for you.

I sketch in code

Author Archives: derak