tags:

views:

1111

answers:

5

I have some git repositories accessed remotely through SSH and I want to make some of them read-only to prevent more pushes. Some people have remotes pointing to these repositories.

These bare repositories were initialised --shared=group, so is setting file permissions to 660 for all files good enough to still allow SSH access, but disallow writes? Or is there an easier way?

Cheers.

+2  A: 

Since git relies primarily on the filesystem for access control, that will work. Note that in your permissions, the world has no access to the file, but the user and group have read/write access. If you want world-readable, your permissions should be 0444.

You could do further fine-grained control by setting the repo permissions as 0664 where the user is nobody and the group is something like gitdevs. Then, only people in the gitdevs group will have the ability to write to the repo, but the world can read from it.

Follow-up Here is a link that covers various ways to share your repo and covers come pro's & cons and access control features.

jheddings
666 is world readable and writable files. 776 is world and group readable, writable and executable and other users read and write. Not sure where you got the numbers you're recommending, but they're generally dangerous.
Dustin
Thanks, corrected my answer. Too much typing, not enough thinking.
jheddings
A: 

Another possibility is the git protocol, but it requires the git daemon to be running.

Ikke
A: 

If you need access control as well, check out gitosis. Pretty easy to set-up and you can use a simple script to control who can do what.

Makis
Or gitolite: http://github.com/sitaramc/gitolite
Jakub Narębski
+1  A: 
chmod -R a-w /path/to/repo.git
Pat Notz
+8  A: 

There is more than one possible way to do this.

  • If your users each have a shell account (perhaps limited), and each of them accessing git repositories via their own account, you can use filesystem permissions to control SSH access to git repositories. On Unix those would be write permissions on directories, perhaps with the help of creating a group and specific permissions for a group (with "sticky group ID" set).

  • Pushing requires git-receive-pack to be in $PATH of user, and be executable for them... although I am not sure how feasible this approach would be.

  • You can use update or pre-receive hook to do access control to repository, for example using update-paranoid example hook from contrib/hooks in git sources.

  • With larger number of users you could be better with using a tool to manage access to git repositories, like Gitosis (in Python, requires setuptools) or Gitolite (in Perl).

  • For read only access you can setup git daemon to provide read-only anonymous (and unauthenticated) access via git:// protocol, instead of access via SSH protocol.

    See documentation for url.<base>.insteadOf config variable for a way to ease the transition from SSH to GIT protocol.


See also Chapter 4. "Git on the Server" of Pro Git book by Scott Chacon (CC-BY-NC-SA licensed).

Jakub Narębski
Should note that for filesystem permissions, you can use chmod, as suggested by Pat Notz.
Emil
Thanks for the ideas (everyone). Inspired by the update-paranoid example hook, I now have a hook in my repos which simply does `echo "Closed for all pushes" ; exit 1`
Steve Folly