Re: Git Server Repository Security?

[Kevin Daudt <me@ikke.info>]

On Mon, May 18, 2015 at 04:07:49PM +0100, John McIntyre wrote:
> 2015-05-18 13:39 GMT+01:00 Heiko Voigt <hvoigt@hvoigt.net>:
> > On Mon, May 18, 2015 at 01:32:07PM +0100, John McIntyre wrote:
> >
> > I do not know, because I always used /home/git. In case not: How about
> > just using a symlink? And there is a lot of information on google ;-)
> 
> 
> I'm confused.   If I run the gitolite command again, in the /opt/git
> directory, will that set it up correctly?

It's recommended to put it inside /home/git/, but if you want, you can
set $REPO_BASE inside /home/git/.gitolite.rc

> 
> And I thought that access was via key?  In the example config files
> I've seen, there is no mention of different keys in the config file.

Yes, but these keys are managed through a special repository called
gitolite-admin.git. You can add the keys to this repository and change
the config to give people access. When you commit and push this
repository, those changes come into effect.

> 
> Our users can currently ssh into the box.  I want to stop that, but
> since they all ssh in as the use 'git', if I change the shell of that
> user to /sbin/nologin or something similar, I'm effectively locking
> out the git user.

gitolite itself cares for that through the mechanism mentioned earlier.
When you try to log in, gitolite takes over, lists the repositories you
have access to, and then closes the connection, so no need to set login
to /sbin/nologin.

Note that there is also git-shell, which is a shell which can only be
used for git commands.