Details
I created a git repo on Phabricator and intended to clone via HTTP.
However, GIT_CURL_VERBOSE=1 git clone http://phabricator.youyiii.com/diffusion/DEMO/demo.git always gave me the same error:
```
< HTTP/1.1 500 Error 1: sudo: a password is required
< Server: nginx/1.0.15
< Date: Sun, 03 Jan 2016 14:55:40 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/5.3.3
< Connection #1 to host phabricator.youyiii.com left intact
fatal: unable to access 'http://phabricator.youyiii.com/diffusion/DEMO/demo.git/': The requested URL returned error: 500
```
Please see comments for more details. Big thanks in advance!
Event Timeline
My server system is CentOS and my webserver is nginx.
I followed https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/ and set daemon-user to root and www-user to nginx.
Here is my /etc/nginx/conf.d/default.conf file
```
#
# The default server
#
server {
    server_name phabricator.youyiii.com;
    root /usr/share/nginx/phabricator/webroot;
    access_log /var/log/nginx/phd/phabricator.access.log main;
    error_log /var/log/nginx/phd/phabricator.error.log;

    location / {
        index index.php;
        rewrite ^/(.*)$ /index.php?__path__=/$1 last;
    }

    location = /favicon.ico {
        try_files $uri =204;
    }

    location /index.php {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;

        #required if PHP was built with --enable-force-cgi-redirect
        fastcgi_param REDIRECT_STATUS 200;

        #variables to make the $_SERVER populate in PHP
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param GATEWAY_INTERFACE CGI/1.1;
        fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
        fastcgi_param REMOTE_ADDR $remote_addr;
    }
}

server {
    listen 80;
    server_name youyiii.com www.youyiii.com;

    #charset koi8-r;

    #access_log logs/host.access.log main;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        root /usr/share/nginx/demo;
        index index.html index.htm;
    }

    location ~* \.(?:css|js|png|jpg)$ {
        root /usr/share/nginx/demo;
        if_modified_since before;
        expires -1;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root html;
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}
```
My /etc/sudoers file
```
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
# Defaults requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

git ALL=(root) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/hg, /usr/bin/svnserve
nginx ALL=(root) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/libexec/git-core/git-http-backend, /usr/bin/git-http-backend, /usr/bin/hg
```
I had a similar error when initially trying to clone via ssh, "sudo: a password is required". For us, our repos hosted by phabricator were owned by root instead of the phabricator daemon. A chown of those repos on the server provided a quick bandaid. I can't remember what the actual solution was, though. I'll ask around.
My webserver is Apache. At first I had the same problem. When I disable SELinux and clone the repo, the 500 error is gone, but it is always "not found"……
Here is the 500 error in phab.quadas.com-access_log:
10.0.252.217 - - [20/Jun/2017:16:02:36 +0800] "GET /source/localrepo.git/info/refs?service=git-upload-pack HTTP/1.1" 401 63
10.0.252.217 - xxname [20/Jun/2017:16:02:36 +0800] "GET /source/localrepo.git/info/refs?service=git-upload-pack HTTP/1.0" 500 62
This fixed my problem: adding apache (www-user) to the sudoers file as below and restarting the phd service:
```
...
git ALL=(root) SETENV: NOPASSWD: /usr/bin/git, /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/ssh, /usr/libexec/git-core/git-http-backend
apache ALL=(root) SETENV: NOPASSWD: /usr/bin/git, /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/ssh, /usr/libexec/git-core/git-http-backend, /var/www/html/phabricator/phabricator/support/bin/git-http-backend
```
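An added example, not posted by anyone in this thread: a small checker that takes the nginx and apache sudoers entries quoted above and reports whether a non-interactive sudo call by the web user would match a NOPASSWD rule, and if not, whether the runas user or the command path is the mismatch. It is a simplified matcher (exact paths, no aliases or wildcards, no last-match-wins ordering), and the runas name `phd` in the usage is a hypothetical daemon account.

```python
import re

# Constructed sample: the user-spec lines quoted in the thread (nginx from the
# first post, apache from the last), with the command lists as posted.
SUDOERS = """\
nginx ALL=(root) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/libexec/git-core/git-http-backend, /usr/bin/git-http-backend, /usr/bin/hg
apache ALL=(root) SETENV: NOPASSWD: /usr/bin/git, /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/ssh, /usr/libexec/git-core/git-http-backend, /var/www/html/phabricator/phabricator/support/bin/git-http-backend
"""

SPEC = re.compile(r"^(?P<user>[^\s#%]\S*)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^\s*([A-Z_]+):")

def parse(text):
    """Parse simple 'user HOST=(runas) TAG: cmd, cmd' lines (no aliases, no globs)."""
    rules = []
    for line in text.splitlines():
        m = SPEC.match(line.strip())
        if not m:
            continue  # comments, Defaults, includes and blank lines
        rest, tags = m["rest"], set()
        while (t := TAG.match(rest)):  # peel off SETENV:, NOPASSWD:, ...
            tags.add(t.group(1))
            rest = rest[t.end():]
        cmds = {c.strip() for c in rest.split(",") if c.strip()}
        runas = {r.strip() for r in m["runas"].split(",")}
        rules.append({"user": m["user"], "runas": runas, "tags": tags, "cmds": cmds})
    return rules

def passwordless(rules, user, runas, command):
    """Return (allowed, reason) for a non-interactive 'sudo -n -u runas command'."""
    mine = [r for r in rules if r["user"] == user]
    if not mine:
        return False, "no rule for user"
    mine = [r for r in mine if runas in r["runas"] or "ALL" in r["runas"]]
    if not mine:
        return False, "runas user not permitted"
    mine = [r for r in mine if command in r["cmds"] or "ALL" in r["cmds"]]
    if not mine:
        return False, "command path not listed"
    if not any("NOPASSWD" in r["tags"] for r in mine):
        return False, "rule requires a password"
    return True, "ok"

RULES = parse(SUDOERS)
if __name__ == "__main__":
    wrapper = "/var/www/html/phabricator/phabricator/support/bin/git-http-backend"
    for who, target, cmd in [("nginx", "root", wrapper), ("nginx", "phd", "/usr/bin/hg"),
                             ("apache", "root", wrapper)]:
        print(who, target, cmd, passwordless(RULES, who, target, cmd))
```

On a live host, the authoritative check is to run `sudo -n -l <command>` as the web user, since sudo itself resolves aliases, includes and rule ordering.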