-2

I'd like to create a couple user accounts on my server such that the users can check out a specific git repository. Ideally, the user would not be able to gain access to a shell or copy any files other than the git repo.

And ideally this doesn't take more than about 3 minutes, either :)

I'm running an old-ish Gentoo install.

notlesh
  • Almost every common ftp daemon supports a chroot, all you have to do is spend a few minutes reading the docs. There is also lots of good coverage on how to secure git. IMO, your question seems to show a lack of research effort on your part. Of course you could also have included details like what ftp daemon you are using so someone could have pointed you at the correct manual. – Zoredache Jan 09 '13 at 23:18
  • Forget ftp. I figured the approach would be the same, hence the "etc." I really just care about git. I've done enough research to know that this question hasn't been adequately answered on stack exchange and the first couple pages of google results don't turn up anything as simple as I expect. – notlesh Jan 09 '13 at 23:22
  • so you read this: http://stackoverflow.com/questions/3116508/securing-git-server then? – Sirex Jan 09 '13 at 23:24
  • Nope, that's perfect. That didn't turn up in my search results, maybe some extra tags would help. – notlesh Jan 09 '13 at 23:26

2 Answers

3

It could be done in multiple ways.

  1. If this is only specific to git, you can install gitolite and you could do all ACL stuff from the gitolite-admin repo.

  2. Set up an SFTP jailed root setup using SSH. You can control each and every binary that you would like users to use.

    groupadd sftpusers
    useradd -g sftpusers -d /jailed netusers
    

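    Modify the sshd configuration file, /etc/ssh/sshd_config:

    Subsystem       sftp    internal-sftp
    Match Group sftpusers
       # %u expands to the user name, so netusers is confined to /jailed/netusers
       ChrootDirectory /jailed/%u
       ForceCommand internal-sftp
    

    And then

    # The chroot directory must be owned by root and not writable by group or others
    mkdir -p /jailed/netusers
    chown root:root /jailed/netusers
    chmod 755 /jailed/netusers
    sshd -t && service sshd restart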
    
  3. Create a Virtual machine dedicated for such users and mount the git repo as RO to ensure nobody could change anything.

Last but not least, none of them could possibly be done in 3 minutes. I guess it would take you 2-3 minutes to read :-)

chandank
  • +1 because you took more time to post a proper answer than the OP took to search and ask the question – Alex Jan 09 '13 at 23:32
  • According to my browser history, I spent a whole 15 minutes searching! – notlesh Jan 09 '13 at 23:40
  • Jail root will be a quick fix solution. Gitolite will be a better solution as it will allow you to control the permissions per repo and you could integrate it with gitlabhq to have a nice GUI interface for code merge and other stuff – chandank Jan 09 '13 at 23:49
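
sshd refuses to chroot a session unless every component of the `ChrootDirectory` path is a root-owned directory that is not writable by group or others. The script below is an added example, not part of the answer above, that audits a path against that rule before sshd is restarted; the function names `component_ok` and `audit_chroot` are hypothetical, and it assumes GNU `stat` and the `/jailed/netusers` path used in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): pre-flight audit of an
# sshd ChrootDirectory. Assumes GNU coreutils stat.

# component_ok UID MODE: succeeds if a directory with this owner uid and
# octal mode (as printed by `stat -c %a`) passes sshd's ownership test.
component_ok() {
    [ "$1" -eq 0 ] || return 1        # must be owned by root (uid 0)
    [ $(( 0$2 & 022 )) -eq 0 ]        # no group-write or other-write bit
}

# audit_chroot DIR: checks DIR and every parent directory up to /.
# Prints each offending component.
# Returns 0 if all pass, 1 if any component is unsafe, 2 on usage error.
audit_chroot() {
    dir=$1
    bad=0
    case $dir in
        /*) ;;
        *) echo "not an absolute path: $dir" >&2; return 2 ;;
    esac
    while :; do
        [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
        info=$(stat -c '%u %a' "$dir") || return 2
        if ! component_ok "${info% *}" "${info#* }"; then
            echo "unsafe: $dir (uid=${info% *} mode=${info#* })"
            bad=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $bad
}

# Usage: sh audit_chroot.sh /jailed/netusers
if [ "$#" -gt 0 ]; then
    audit_chroot "$1"
fi
```

A non-zero result here corresponds to the "bad ownership or modes for chroot directory" failure that sshd logs at login time.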
2

I'm going to suggest an alternate thing since you're focused on authentication and pull: git served over HTTPS with basic authentication. By restricting to HTTPS, you're preventing plaintext disclosure of passwords.

See http://maymay.net/blog/2008/08/08/how-to-use-http-basic-authentication-with-git/ for more, and just add basic SSL setup from any other tutorial.

Jeff Ferland