Help with `Error: not authorized to clone` (I'm using SSH)
(1) By Stephen Weigand (weigand) on 2022-09-13 18:14:55 [link] [source]
Hello,
I'm hoping for help with my Error: not authorized to clone message.
I'll try to give (too many?) details below including what I've tried.
The system I'm on and information about the repository
I'm using Fossil version 2.19
I'm on a Linux system where I can log in to different machines (e.g.,
jupiterandsaturn)My username is
weigandWhether I login to
jupiterorsaturnI can cd into the directory with the fossils which is/projects/subprojects/fossilsThe repo I'm trying to clone is
/projects/subprojects/fossils/aaa.fossilThe results of
fossil user capabilities weigand -R aaa.fossilisasvThe Linux permissions for
aaa.fossilare-rwxrw---- 1 userx groupx 2195456 Sep 13 12:13 aaa.fossil*
SCP works for aaa.fossil
- I have SSH keys set up and password-less login and I'm a member of
groupxand SCP works for this same file:
scp weigand@jupiter:/projects/subprojects/fossils/aaa.fossil aaa.fossil
aaa.fossil 100% 2144KB 55.8MB/s 00:00
The error on trying to clone
- This is my command and results:
fossil clone -sshtrace ssh://weigand@jupiter//projects/subprojects/fossils/aaa.fossil aaa.fossil
RUN ssh -e none -T -- 'weigand@jupiter' fossil test-http /projects/subprojects/fossils/aaa.fossil
Got line: [Status: 200 OK]
Got line: [Cache-control: no-cache]
Got line: [X-Frame-Options: SAMEORIGIN]
Got line: [Content-Type: application/x-fossil; charset=utf-8]
Got line: [Content-Length: 137]
Got line: []
Reading 137 bytes with 0 on hand... Got 137 bytes
Got line: [Status: 200 OK] sent: 0 received: 0
Got line: [Cache-control: no-cache]
Got line: [X-Frame-Options: SAMEORIGIN]
Got line: [Content-Type: application/x-fossil; charset=utf-8]
Got line: [Content-Length: 137]
Got line: []
Reading 137 bytes with 0 on hand... Got 137 bytes
Round-trips: 2 Artifacts sent: 0 received: 0
Error: not authorized to clone
Round-trips: 2 Artifacts sent: 0 received: 0
Clone done, wire bytes sent: 700 received: 562 ip: x.y.z.a (jupiter)
server returned an error - clone aborted
/***** Subprocess 13784 exit(1) *****/
The person who is
userxwho owns the file is out of the country. In the past I successfully clonedaaa.fossiland I don't know what changedI got the same error before upgrading to Fossil 2.19
I get the same result whether I try using
weigand@jupiterorweigand@saturn
Success with a different repository file that "seems the same" to me
- If I try the same command with a different repo called
bbb.fossilfor which I also also haveasvcapabilities and which has the same Linux permissions, then I am successful.
fossil clone -sshtrace ssh://weigand@jupiter//projects/subprojects/fossils/bbb.fossil bbb.fossil
RUN ssh -e none -T -- 'weigand@jupiter' fossil test-http /projects/subprojects/fossils/bbb.fossil
Got line: [Status: 200 OK]
Got line: [Cache-control: no-cache]
Got line: [X-Frame-Options: SAMEORIGIN]
Got line: [Content-Type: application/x-fossil-uncompressed; charset=utf-8]
Got line: [Content-Length: 437286]
Got line: []
Reading 437286 bytes with 0 on hand... Got 437286 bytes
Got line: [Status: 200 OK] sent: 0 received: 147
Got line: [Cache-control: no-cache]
Got line: [X-Frame-Options: SAMEORIGIN]
Got line: [Content-Type: application/x-fossil; charset=utf-8]
Got line: [Content-Length: 647]
Got line: []
Reading 647 bytes with 0 on hand... Got 647 bytes
Round-trips: 2 Artifacts sent: 0 received: 154
Clone done, wire bytes sent: 706 received: 438237 ip: x.y.z.a (jupiter)
Rebuilding repository meta-data...
100.0% complete...
Extra delta compression...
Vacuuming the database...
project-id: 082c97caa0fc5b358c00f43daeb363bfed2a1b77
server-id: 1be8c4711cf02788da0a3d6024925d29717bacf8
admin-user: weigand (etc., etc.)
/***** Subprocess 30182 exit(0) *****/
I don't know what I don't know
I'm clearly in a situation of not knowing what I don't know. I don't know what to look for to determine where aaa.fossil and bbb.fossil are different.
Thank you for any suggestions. I really appreciate Fossil, the support on the forum, and how SSH access allows my small team to use Fossil securely without any additional infrastructure.
Sincerely and appreciatively,
Stephen
(2) By John Rouillard (rouilj) on 2022-09-13 19:12:58 in reply to 1 [link] [source]
What are the permissions on the parent directory of the fossil files?
Also is /projects/subprojects/fossils/aaa.fossil on a local disk or an NFS/SMB/other network mount?
(4) By Stephen Weigand (weigand) on 2022-09-13 20:37:52 in reply to 2 [link] [source]
Thank you very much for the response. The parent directories are drwxrws--x owned by userx or weigand with group being groupx.
I think the directory permissions are all OK (and bbb.fossil which works is in the same directory as aaa.fossil which I can't clone).
I don't know anything about network drives (unfortunately). My understanding is that the SSH is an OK way to deal with fossils on a networked filesystem.
Thank you again,
Stephen
(3) By hanche on 2022-09-13 19:35:11 in reply to 1 [link] [source]
One curious aspect of this is that I cannot find the text “not authorized to clone” in the source, other than as a substring of a longer text such as “You are not authorized to clone this repository.”
(5) By Stephen Weigand (weigand) on 2022-09-13 20:41:00 in reply to 3 [link] [source]
Thank you. I had searched the Forum and found this error in some postings:
https://fossil-scm.org/forum/forum?s=%22Error%3A+not+authorized+to+clone%22
(This is how I found out about the -sshtrace option.)
(6) By Stephen Weigand (weigand) on 2022-09-13 21:25:40 in reply to 5 [link] [source]
Postscript: For what it's worth I see something of a match on line 1443 of xfer.c:
https://fossil-scm.org/home/file?udc=1&ln=1437,1446&ci=trunk&name=src%2Fxfer.c
(7) By Brian Tiffin (btiffin) on 2022-09-14 16:02:25 in reply to 6 [link] [source]
I'm not qualified to answer, really, but you did find the source of the message.
The Clone permission is "g" in the user permission screens. Normally "nobody" (not logged in users) has the g capability set. Take a look at the Admin -> Users screen (from fossil ui if allowed or fossil user capabilities nobody) and see if you might be able to suss out a difference in aaa and bbb fossils with regards to the weigand user and the nobody user. Umm, maybe. ;-)
Have good
(8) By Warren Young (wyoung) on 2022-09-14 17:54:27 in reply to 7 [link] [source]
The Clone permission is "g"
Fossil ignores the RBAC over SSH unless you force it.
(9) By Stephen Weigand (weigand) on 2022-09-14 21:00:36 in reply to 8 [link] [source]
Thank you for both comments. I suppose it is moot because of Warren's point but aaa.fossil and bbb.fossil had the same user capabilities. I thought that could have been a problem.
I now see that the help for test-http says this command is used internally by the ssh sync protocol and test-http takes an argument named --usercap which defaults to sxy.
(By the way, this table of capabilities (i.e., cap reference) is really nice.)
Next step for me...
I suspect that there is some interaction between taking a repository completely private and cloning/syncing over SSH which I need to understand better.
(11) By Andy Bradford (andybradford) on 2022-09-15 03:58:44 in reply to 9 [link] [source]
> I suspect that there is some interaction between taking a repository > completely private and cloning/syncing over SSH which I need to > understand better. As I mentioned before, when using SSH with Fossil, by default the only thing that matters are Unix file/directory permissions. Because of the way it was designed, when using test-http, it simply assumes that the SSH client has full Fossil capabilities. The fact that you're getting an error about permission to clone suggests that this is not a typical SSH setup. Andy
(10) By Andy Bradford (andybradford) on 2022-09-15 03:56:19 in reply to 1 [link] [source]
You should not be getting any "not authorized to clone" errors when using SSH out of the box. The only way it is possible for Fossil to enforce user capabilities with SSH is if someone has gone out of the way to use ForceCommand to force the Fossil command to use http instead of test-http. In addition to the --sshtrace option which you used (and which isn't very useful in this particular case) you could try the --httptrace option. It will generate some files that will record the HTTP dialog that goes on between the fossil client and server. Keep in mind that Fossil just uses SSH as a secure transport for an HTTP session. Are you using SSH keys? What do you have in your ~weigand/.ssh directory on jupiter? Are there any Match blocks in /etc/ssh/sshd_config on jupiter that might be doing something with your commands that are being run? What do you have in your ~/.ssh directory on the client side? Do you have a "config" file? Some of your description doesn't quite make sense, however... if you were using SSH keys that were restricted with ForceCommand, you wouldn't likely be able to use the same key for SCP. Unless of course there is some kind of wrapper. Anyway, more details will help in unraveling the problem. Andy
(12) By Stephen Weigand (weigand) on 2022-09-15 17:19:37 in reply to 10 [source]
Thank you for helping! I hate to take up people's time unnecessarily and will take a hint if anybody says let it go. And I found a workaround and this isn't pressing but in case it's a mystery worth understanding, I've got some more details below.
I certainly know little about SSH but I think it's a typical setup. And success with bbb.fossil and other repositories using the same SSH command to and from the same hosts makes me think it's not SSH but rather I've misconfigured aaa.fossil.
Specifics of my system?
Success for other *.fossil files makes me think it's not my system but since I don't know what I don't know, perhaps the specifics of the system are complicating the issue. As a regular user, I can login to either jupiter or saturn and find the same /home/weigand directory with the same files, etc.
I have SSH keys set up and so am not using passwords for SSH or SCP
The directory
~weigand/.sshhas these four files:authorized_keys id_rsa id_rsa.pub known_hosts
I do not have a
~/.ssh/configfileI can't read
/etc/ssh/sshd_config
Whether I login to jupiter or saturn I can cd into /projects/subprojects/fossils and have the same cloning problem whether am logged into jupiter or saturn and whether I am using ssh://weigand@jupiter//... or ssh://weigand@saturn//....
Regarding:
The only way it is possible for Fossil to enforce user capabilities with SSH is if someone has gone out of the way to use ForceCommand to force the Fossil command to use http instead of test-http.
I didn't know about Forcing Use of Fossil’s RBAC over SSH before your post but we are not attempting anything like this.
Regarding:
you could try the
--httptraceoption.
Below are the results with the --httptrace option (with me adding line numbers) but first here are the results with only the -v option
bash> fossil clone -v ssh://weigand@jupiter//project/subproject/fossils/aaa.fossil aaa.fossil
Bytes Cards Artifacts Deltas
Sent: 97 1 0 0
Received: 152 3 0 0
Sent: 112 2 0 0
processed: 78%
Error: not authorized to clone
Received: 152 2 0 0
Clone done, wire bytes sent: 717 received: 562 ip: 129.176.213.180 (horse.mayo.edu)
Uncompressed payload sent: 209 received: 304
server returned an error - clone aborted
This is 'http-request-1.txt
1 POST /projects/subprojects/fossils/aaa.fossil HTTP/1.0
2 Host: snidely
3 User-Agent: Fossil/2.19 (2022-06-03 15:23:46 [e3e9544638])
4 X-Fossil-Transport: SSH
5 Content-Type: application/x-fossil-debug
6 Content-Length: 97
7
8 pragma client-version 21900 20220603 152346
9 clone 3 1
10 # 3642541DAFDB2B859263911EA47793C3261E59B2
This is 'http-reply-1.txt
1 Status: 200 OK
2 Cache-control: no-cache
3 X-Frame-Options: SAMEORIGIN
4 Content-Type: application/x-fossil-debug; charset=utf-8
5 Content-Length: 152
6
7 push df6f161370375d31bf4b185405afd7e9bb96ec21 f521b49a7333d06d0f9f24731ac11bef62b33fd4
8 error not\sauthorized\sto\sclone
9 # timestamp 2022-09-15T13:34:34
This is 'http-request-2.txt
1 POST /projects/subprojects/fossils/aaa.fossil HTTP/1.0
2 Host: snidely
3 User-Agent: Fossil/2.19 (2022-06-03 15:23:46 [e3e9544638])
4 X-Fossil-Transport: SSH
5 Content-Type: application/x-fossil-debug
6 Content-Length: 112
7
8 pragma client-version 21900 20220603 152346
9 clone 3 1
10 reqconfig /all
11 # 8B15C5A51425D95ADB6E041E6762078C5B3E0EB9
This is 'http-reply-2.txt
1 Status: 200 OK
2 Cache-control: no-cache
3 X-Frame-Options: SAMEORIGIN
4 Content-Type: application/x-fossil-debug; charset=utf-8
5 Content-Length: 152
6
7 push df6f161370375d31bf4b185405afd7e9bb96ec21 f521b49a7333d06d0f9f24731ac11bef62b33fd4
8 error not\sauthorized\sto\sclone
9 # timestamp 2022-09-15T13:34:34
User capability summary
This is the table from the security audit button obtained via fossil ui aaa.fossil:
| Code | Forum | Tickets | Wiki | Chat | Unversioned Content | |
| "nobody" | off | off | off | off | off | off |
| "anonymous" | off | off | off | off | off | off |
| "reader" | off | off | write | write | off | off |
| "developer" | write | off | off | off | off | read |
| New User Default | off | off | write | write | off | off |
| 7 Adminstrators | write | write | write | write | off | read |
I appreciate all the help. At this point I'm happy to let it go and say I've probably done something weird with capabilities (by accident) since the repository was created in Feb. 2020.
Thank you again,
Stephen
(13) By Stephan Beal (stephan) on 2022-09-15 17:32:53 in reply to 12 [link] [source]
Below are the results with the --httptrace option (with me adding line numbers) but first here are the results with only the -v option
i've unfortunately got nothing to add to what others have suggested (and Andy is very likely our foremost fossil-over-ssh expert), but...
8 error not\sauthorized\sto\sclone
That explains why that message couldn't be found in the sources earlier:
[stephan@nuc:~/f/fossil/src]$ grep -n 'not\\sauthorized\\sto' *.c
xfer.c:1090: @ error not\sauthorized\sto\ssync\sprivate\scontent
xfer.c:1269: @ error not\sauthorized\sto\swrite
xfer.c:1290: @ error not\sauthorized\sto\swrite
xfer.c:1413: @ error not\sauthorized\sto\sread
xfer.c:1422: @ error not\sauthorized\sto\swrite
xfer.c:1425: @ message pull\sonly\s-\snot\sauthorized\sto\spush
xfer.c:1443: @ error not\sauthorized\sto\sclone
xfer.c:1536: @ error not\sauthorized\sto\spush\sconfiguration
(14) By Warren Young (wyoung) on 2022-09-15 17:52:14 in reply to 12 [link] [source]
Does the localauth setting differ between the two?
(15) By Stephen Weigand (weigand) on 2022-09-15 18:17:03 in reply to 14 [link] [source]
Yes!!! Thank you, Warren! (And thank you to everyone who suggested other things to look into.)
I did a diff on the settings for aaa.fossil and bbb.fossil and entered these commands to make them match:
fossil settings localauth 0 -R aaa.fossil
fossil unset lock-timeout -R aaa.fossil
It worked. Nice! Thanks to all who helped.
(16) By Andy Bradford (andybradford) on 2022-09-15 19:12:07 in reply to 14 [link] [source]
Regarding localauth and SSH default behavior. This seems like a bug to me. Shouldn't the "test-http" command not be subject to the localauth setting precisely because of historical SSH behavior? Otherwise people get easily confused between SSH/shell permissions and Fossil privileges and capabilities (I submit this thread as evidence). Thoughts? Andy
(17) By Warren Young (wyoung) on 2022-09-15 20:16:59 in reply to 16 [link] [source]
It certainly fails the principle of least surprise. I only came up with that guess by RTFS.