git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Shawn O. Pearce" <spearce@spearce.org>
To: Jakub Narebski <jnareb@gmail.com>
Cc: "Gonzalo Garramuño" <ggarra@advancedsl.com.ar>,
	"David Symonds" <dsymonds@gmail.com>,
	git@vger.kernel.org
Subject: Re: Git and securing a repository
Date: Wed, 2 Jan 2008 22:58:38 -0500	[thread overview]
Message-ID: <20080103035838.GA24004@spearce.org> (raw)
In-Reply-To: <m3ir2co5s4.fsf@roke.D-201>

Jakub Narebski <jnareb@gmail.com> wrote:
> Gonzalo Garramuño <ggarra@advancedsl.com.ar> writes:
> > David Symonds wrote:
> >>
> >> You can do arbitrarily-fine-grained authentication via the
> >> pre-receive hook.
> > 
> > Can you provide some more info?  Looking at the kernel.org git docs,
> > the pre-receive hook seems very limited as no parameters are allowed.
> > So I'm not sure how an authentication system could be created.

If you read the documentation carefully you will note that the
pre-receive hook receives input on stdin; 1 line of data per ref
that is being pushed with the old/new SHA-1 values and the ref
name.  The hook exits 0 to allow all changes to take place and
can exit > 0 to abort and disallow all updates.

This is a "batch" form of the update hook.

> > It also seems to be a push hook only (not invoked on pulls).
> 
> Some of read-only (fetch only) access protocols do not support
> authentication: http, ftp, rsync, git. Authentication is provided only
> for access via ssh and for push via https (WebDAV).

Authentication could be supported for http, ftp, or ssh based fetch,
but there you are relying on the server that provides access to do
the authentication and authorization for you; typically that will
boil down to UNIX filesystem read permission.  Though with HTTP
and a fancy Apache config it doesn't have to be.
 
> There is example update hook in contrib/hooks, named update-paranoid,
> which could be base of what you want. Note that you probably rather
> use newer pre-receive hook instead of older update hook.

update-paranoid uses the update hook rather than pre-receive to
allow it to allow/deny on a per-ref basis.  One of the flaws of
the pre-receive hook "API" is it is an all-or-nothing proposition.

So by using the "older" update hook update-paranoid can make its
decision on a per-ref basis and allow some refs to change in this
push but abort/deny others.  I find that useful but not everyone
might.
 
> AFAIK both update and pre-receive hooks are invoked also on fetch...
> but I might be mistaken.

No, they are *not* invoked on fetch.  Currently no hooks execute
during fetch; either on the server *or* on the client side of
the connection.

-- 
Shawn.

  reply	other threads:[~2008-01-03  3:59 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-01-02  7:13 Git and securing a repository Gonzalo Garramuño
2008-01-02  6:34 ` Felipe Balbi
2008-01-02 10:04   ` Gonzalo Garramuño
2008-01-02  9:26     ` David Symonds
2008-01-02 10:39       ` Gonzalo Garramuño
2008-01-02 10:51         ` Jakub Narebski
2008-01-03  3:58           ` Shawn O. Pearce [this message]
2008-01-03  4:30             ` Bruno Cesar Ribas
2008-01-03  5:36             ` Gonzalo Garramuño
2008-01-03  4:45               ` Shawn O. Pearce
2008-01-03  6:08                 ` Gonzalo Garramuño
2008-01-03  5:19                   ` Shawn O. Pearce
2008-01-03  9:11             ` Jakub Narebski
2008-01-03  9:36               ` Junio C Hamano
2008-01-02 19:31     ` Jan Hudec
2008-01-02 19:41       ` Gregory Jefferis
2008-01-02 22:17     ` Linus Torvalds
2008-01-02 16:18 ` Daniel Barkalow

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080103035838.GA24004@spearce.org \
    --to=spearce@spearce.org \
    --cc=dsymonds@gmail.com \
    --cc=ggarra@advancedsl.com.ar \
    --cc=git@vger.kernel.org \
    --cc=jnareb@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).