Skip to content

Instantly share code, notes, and snippets.

@codeopensrc

codeopensrc/git.MD

Last active January 28, 2017 01:12
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save codeopensrc/97bce00627587b9f66d56ed3512bc943 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save codeopensrc/97bce00627587b9f66d56ed3512bc943 to your computer and use it in GitHub Desktop.
Download ZIP
Quick notes on Setting up git:// and git user
Raw
git.MD

Note:

This is my personal preference which may be different from yours. I'm choosing to do the following:

  • Let any user within the git group that is NOT the git user, full access to do what they wish with the repositories, including rename, delete, and move.
    • It is possible to only allow the git group to only modify items within the repositories, but I chose not to at this time (its only me anyway). I'll append how to do this at the end at a later time.
  • Let the git user have only enough access to push/pull repositories, list the repositories, and add their public ssh key to git users .ssh/authorized_keys directory.
  • Allow only the repo/root/sys admin to place repos in the location to serve them publically.
  • Allow only specific repo's to be served publically in a seperate folder.
  • Have the shortest url using scp syntax git@serverip:repo.git and git://serverip:repo.git.
  • Make sure all permissions we set perfectly so from inception of creating the repo, to pushing for the 100th time, no conflicts arise, and people have the least amount of permissions needed.
  • Make it easier to administrate the repositories, so accidental sudo mkdir's aren't needed, screwing permissions and causing chaos.
  • Im sure theres more

Add git and git-ro user:

https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server

  • Be sure to add SSH keys for users that should be able to push to the repos to /home/git/.ssh/authorized_keys
  • Be sure to change the shell of the git AND git-ro user

Git-shell

https://git-scm.com/docs/git-shell.html

  • Enable the git-shell for the git and git-ro user

    • Get the git-shell location: type git-shell
    • sudo chsh git -s /usr/bin/git-shell
    • sudo chsh git-ro -s /usr/bin/git-shell

  • Create a git-shell-commands directory in both git and git-ro home directories (unless shell disabled for git-ro)

  • Place a help file inside the git-shell-commands directory displaying any info you wish

  • I've created sample templates of a help and ls file HERE (link to be provided)

help: When run interactively, git-shell will automatically run 'help' on startup, provided it exists.

If a ~/git-shell-commands directory is present, git shell will also handle other, custom commands by running git-shell-commands/<command> <arguments> from the user’s home directory.

If a no-interactive-login command exists, then it is run and the interactive shell is aborted.

Get git daemon running:

https://git-scm.com/book/en/v2/Git-on-the-Server-Git-Daemon

Self note: Ensure git-daemon can run as git-ro and disable shell access altogether for git-ro user

  • Run git daemon as git-ro user
  • Be sure git-daemon-export-ok is in the repos you wish to serve
    • cd /home/git/myrepo.git && touch git-daemon-export-ok

Link to / Change permissions on repos:

Standard permissions for a repo

http://serverfault.com/questions/26954/how-do-i-share-a-git-repository-with-multiple-users-on-a-machine#27040
http://stackoverflow.com/questions/4832346/how-to-use-group-file-permissions-correctly-on-a-git-repository#4832402
#### Single/git User Permissions
Change the /home/git directory to rwx rws rx (or rwx rs rx, depending on your permission preference)

  • sudo chmod 2775 /home/git
    • Note how we aren't doing it recursively
    • With this method, you will need to set StrictModes in your /etc/ssh/sshd_config file to no
      • If your home directory is writable by group, you cannot use pub key to access it (pw auth still fine)
      • People consider this bad practice, use at your own risk (if you chose rwx rs rx, you should be fine with yes

You can change the ownership of the /home/git directory if you wish, it will be needed if you wish to do rwx rs rx, as you won't be able to create new repositories without ownership or sudo

  • sudo chown $USER:git /home/git

Create the repository

  • mkdir /home/git/repo.git
    • Note with our gid bit, it will have git group permissions, exactly what we want

Init a bare repo with the shared flag

  • cd /home/git/repo.git && git --bare init --shared
    • This sets a few things that help administer a remote repo
    • It will auto set the gid bit on any new dirs (we already did that), and deny fast forward pushes

If you're planning on configuring a lot of repositories, it'll be easier to set --shared on all new repos by default.

  • sudo git config --global core.sharedRepository group (Im not sure if sudo is needed to be honest, shouldn't be)
    • With this, you can omit the --shared flag, as it will now be the default

Following git:// section should be fine, hasn't been re-reviewed however

git:// Access

  • Best to have a public vs private location
    • All repos in /home/git while read-only/git:// repos in /opt/git
  • Link repos intended for public use/download into the folder the git daemon is serving from
    • sudo mkdir /opt/git && sudo chown $USER:git /opt/git && sudo chmod 755 /opt/git
    • cd /opt/git && ln -s /home/git/reponame.git
    • Ownership of links doesn't matter, obeys the linked folder's permissions
    • Again, have the git-daemon-export-ok blank file in the repos you want to serve over the git:// protocol

This ensures only the main (or root) user can move or rename the repos, while still allowing anyone from git group to view/copy/clone/push/pull to the repo.

At the same time, anyone copying from the git:// protocol, only has clone/pull access, and can only view those served from the /opt/git folder, with the git-daemon-export-ok file inside it (which has to be placed via main/root user).

Open up access

Open port 9418 to allow the git:// protocol through
If using ufw:

  • sudo ufw allow to any port 9418 proto tcp

Below this point hasn't been reviewed for the 2nd draft

It still contains useful info, but with more research comes more precautions etc, and should be used at your own risk.

Notes

Its also worthy to note, placing repos in the git user's home directory allows repos to be cloned with git@gitserverip:repo.git which is extremely convenient, so I would advise placing your repos there.

If supporting multiple users and depending on the level of access you are providing (git-shell vs bash for example) you have several options

Lowest risk to server

  • Have (trusted) users, use the git user to view/clone/push/pull to the main repo.

  • Placing them into the git group over having them use the git user and giving them git-shell access.

    • You can create custom commands to run in their ~/git-shell-commands directory. A few good ones would be:
      • ls to list them
      • clone to clone the repo into their home directoy, giving them a seperate remote copy (forking, if you will)
      • link in order to link their's directly to the main repo.
    • clone or link allows them to use user@gitserverip:repo.git instead of user@gitserverip:/home/git/repo.git.

Lowest risk to repos/server

  • Do not add them to the git group and give them git-shell access. Create custom commands to run in their ~/git-shell-commands directory. One being ls and the other clone, allowing them a remote copy (fork), but unable to push to the "main" repo.

Increased risk to server

  • Placing them into the git group over having them use the git user and giving them bash access. They'll be able to freely navigate and copy/link the repos into their home folder however they choose, but unable to rename, move, or change "key" files in the main repo (they can still mess it up by going inside and removing random writable files deeper inside).

Conclusion

For the git user,

  • Push/Pull using git@gitserverip:repo.git or ssh://git@gitserverip:/repo.git

For the users part of the git group

For repos in the folder the git daemon is running from, you should now be able to:

  • Pull using git://gitserverip:/repo.git

Push access is full access to the repo, no pull requests/restrictions of any sort.

Repo permissions (who can push/pull to master, branch, etc) is a whole other thing, possibly even outside of git altogether. That will hopefully be something for another day.

Leave a comment if this helped!

================================================================ My notes:

  • Create git user and add self to git group

  • Set git user's shell to git-shell and add a few commands

  • Permissions on git's home dir 2775

    • Note: You MUST set StrictModes no in your /etc/ssh/sshd_config or pubkey auth won't work due to group writable permissions
    • Try to use a MatchBlock so only the git user's directory can be as such

  • Permissions on .ssh 700

  • Permissions on .ssh/authorized_keys 600

  • Init remote repo with git --bare init --shared

    • Or set it globally sudo git config --global core.sharedRepository group

  • Init local repo and push to origin url

  • Either re-set up all repos this way (preferred) or change current repos using http://stackoverflow.com/questions/4832346/how-to-use-group-file-permissions-correctly-on-a-git-repository#4832402

chgrp -R GROUP /path/to/repo
find /path/to/repo -type d -print0 | xargs -0 chmod g+s

Under construction section

Repairing already created remote repos to default permissions

For single/git user configuration (strictly push/pull access to repos on remote server)

  • Change ownership of repos to: $USER:git

    • sudo chown $USER:git -R /home/git/reponame.git

  • Change mods of repos to: Owner RWX, Group RWX, ALL R_X

    • sudo chmod 775 -R /home/git/reponame.git

    If you're going to be having multiple users using the remote server for things other then strictly git access, here are some things to do to keep your repos safe.

  • Do not allow the user to move/rename the repo

    • Place repos into the /home/git directory which by default, does not allow you to write to it
    • Or place your repos into a directory that has the following permissions
      • sudo chown $USER:git -R /folder/containing/repos
      • sudo chmod 755 -R /folder/containing/repos

  • Do not allow the user to change the configuration of the repo

    • sudo chmod 755 /home/git/repo.git
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment