From: Bruno Cesar Ribas <ribas@c3sl.ufpr.br>
To: "Shawn O. Pearce" <spearce@spearce.org>
Cc: "Jakub Narebski" <jnareb@gmail.com>,
"Gonzalo Garramuño" <ggarra@advancedsl.com.ar>,
"David Symonds" <dsymonds@gmail.com>,
git@vger.kernel.org
Subject: Re: Git and securing a repository
Date: Thu, 3 Jan 2008 02:30:09 -0200 [thread overview]
Message-ID: <20080103043009.GA365@c3sl.ufpr.br> (raw)
In-Reply-To: <20080103035838.GA24004@spearce.org>
I lost ohter mails, so replying here =)
I wrote sometime ago i wrote[1] a bunch of BASH scripts to manage SSH_ACL and "internal"
plugin is to manage GIT repositories.
It is simple and you can grant access to a user for R or W. And there is NO
need to create more users just a "git" user is nice.
I'm re-writing it to become more flexible about configuration and to add more
plugins.
We are using it at C3SL[2] to manage our projects and Write permissions are
set because we don't want some developers pushing to anothers projects.
bruno
[1]http://www.inf.ufpr.br/ribas/ssh_acl/
[2]http://www.c3sl.ufpr.br
On Wed, Jan 02, 2008 at 10:58:38PM -0500, Shawn O. Pearce wrote:
> Jakub Narebski <jnareb@gmail.com> wrote:
> > Gonzalo Garramuño <ggarra@advancedsl.com.ar> writes:
> > > David Symonds wrote:
> > >>
> > >> You can do arbitrarily-fine-grained authentication via the
> > >> pre-receive hook.
> > >
> > > Can you provide some more info? Looking at the kernel.org git docs,
> > > the pre-receive hook seems very limited as no parameters are allowed.
> > > So I'm not sure how an authentication system could be created.
>
> If you read the documentation carefully you will note that the
> pre-receive hook receives input on stdin; 1 line of data per ref
> that is being pushed with the old/new SHA-1 values and the ref
> name. The hook exits 0 to allow all changes to take place and
> can exit > 0 to abort and disallow all updates.
>
> This is a "batch" form of the update hook.
>
> > > It also seems to be a push hook only (not invoked on pulls).
> >
> > Some of read-only (fetch only) access protocols do not support
> > authentication: http, ftp, rsync, git. Authentication is provided only
> > for access via ssh and for push via https (WebDAV).
>
> Authentication could be supported for http, ftp, or ssh based fetch,
> but there you are relying on the server that provides access to do
> the authentication and authorization for you; typically that will
> boil down to UNIX filesystem read permission. Though with HTTP
> and a fancy Apache config it doesn't have to be.
>
> > There is example update hook in contrib/hooks, named update-paranoid,
> > which could be base of what you want. Note that you probably rather
> > use newer pre-receive hook instead of older update hook.
>
> update-paranoid uses the update hook rather than pre-receive to
> allow it to allow/deny on a per-ref basis. One of the flaws of
> the pre-receive hook "API" is it is an all-or-nothing proposition.
>
> So by using the "older" update hook update-paranoid can make its
> decision on a per-ref basis and allow some refs to change in this
> push but abort/deny others. I find that useful but not everyone
> might.
>
> > AFAIK both update and pre-receive hooks are invoked also on fetch...
> > but I might be mistaken.
>
> No, they are *not* invoked on fetch. Currently no hooks execute
> during fetch; either on the server *or* on the client side of
> the connection.
>
> --
> Shawn.
> -
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Bruno Ribas - ribas@c3sl.ufpr.br
http://web.inf.ufpr.br/ribas
C3SL: http://www.c3sl.ufpr.br
next prev parent reply other threads:[~2008-01-03 4:56 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-02 7:13 Git and securing a repository Gonzalo Garramuño
2008-01-02 6:34 ` Felipe Balbi
2008-01-02 10:04 ` Gonzalo Garramuño
2008-01-02 9:26 ` David Symonds
2008-01-02 10:39 ` Gonzalo Garramuño
2008-01-02 10:51 ` Jakub Narebski
2008-01-03 3:58 ` Shawn O. Pearce
2008-01-03 4:30 ` Bruno Cesar Ribas [this message]
2008-01-03 5:36 ` Gonzalo Garramuño
2008-01-03 4:45 ` Shawn O. Pearce
2008-01-03 6:08 ` Gonzalo Garramuño
2008-01-03 5:19 ` Shawn O. Pearce
2008-01-03 9:11 ` Jakub Narebski
2008-01-03 9:36 ` Junio C Hamano
2008-01-02 19:31 ` Jan Hudec
2008-01-02 19:41 ` Gregory Jefferis
2008-01-02 22:17 ` Linus Torvalds
2008-01-02 16:18 ` Daniel Barkalow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080103043009.GA365@c3sl.ufpr.br \
--to=ribas@c3sl.ufpr.br \
--cc=dsymonds@gmail.com \
--cc=ggarra@advancedsl.com.ar \
--cc=git@vger.kernel.org \
--cc=jnareb@gmail.com \
--cc=spearce@spearce.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).