The challenge is as follows. I have a GIT server with many repositories. My goal is to give access to the GIT server to a newly created user, but set privileges to access only one repository, not all of them.

Is it possible?

Thanks.

Mozartos

2 Answers

git doesn't have built-in authentication; you need additional tools. For SSH the tool is gitolite. You can configure fine-grained access control.

You can also install web-based development environments, see a partial list at Free GIT Server with Web GUI a la BitBucket/GitHub.

phd
  • Thanks for the suggestion. Now I'm a little bit worried about how to do it. I want to migrate my existing repositories. What about existing users (ssh keys specified)? – Mozartos Dec 21 '17 at 09:05
  • Meaning, I have an existing Linux server. – Mozartos Dec 21 '17 at 09:17
  • `gitolite` can protect existing repositories. Web-based git servers can be pushed to; existing ssh keys must be imported manually. – phd Dec 21 '17 at 10:19
  • I will take a try. Thank you. – Mozartos Dec 21 '17 at 12:39
  • You are depending on the security of a third party application over the security layer of ssh and the file system; that is not good. – e-info128 Jun 14 '20 at 22:57

Steps on the server:

  1. Create a new user.
  2. Add group to new user (group of git path, for example: git-projects)
  3. Add permission for access from new user to repository using `chmod g+rx`.
  4. Create a new user group for the new access (for example: developers2).
  5. Add new group to new user.
  6. Change the group of the git directory to the new group created.
  7. Other repositories need different user groups.

You need to manage the specific permissions from ssh, user system and file system.

e-info128
  • Are you trying to reimplement `gitolite` using just `sshd` and group permissions? That will work for a limited number of repositories but the approach doesn't scale. In unix you can add a user to a limited number of groups, let's say 32. If a user needs access to 50 repos your system fails. – phd Jun 14 '20 at 23:57
  • Unfortunately git does not have its own or delegated authorization system. If you use git, the official recommendation is to use the permissions that git uses, which are the system permissions, regardless of whether it is lacking or not. Using other third-party apps adds a layer that git was not designed for; adding third-party apps can pose an additional security risk to be aware of. Remember that git's design uses secure shell as the authoritative base, so authorization should be handled through that provider. – e-info128 Jun 15 '20 at 20:45
  • But that approach works. Unlike yours, which works only for a small environment and doesn't scale. Also your approach requires a sysadmin with a lot of spare time. – phd Jun 15 '20 at 21:32
  • You are partly right, Linux Kernel >= 2.6.3 supports up to 65535 user groups, enough for local administration of repository access privileges, but in cases like github or gitlab you need an additional system due to the number of users, but I don't think that is the case of the user who asked the question. For example bitbucket uses a service under the git protocol created in java, it does not use git in its binary format because the git application only works under the same system permissions, something similar happens with add-ons for nodejs and some apps made in node to manage repositories. – e-info128 Jun 15 '20 at 23:27
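
The group-based steps from the second answer, as an added example (not code posted by either answerer). The user name `newuser` and the path `/srv/git/project.git` are hypothetical; stripping "other" permissions and setting setgid on directories are additions the steps do not mention, included because group isolation only holds when world access is removed.

```shell
#!/bin/sh
# Added example: per-repository isolation with Unix groups.
# Run as root beforehand (developers2 is the group name used in the answer,
# newuser is a hypothetical account name):
#   groupadd developers2
#   useradd -m -G developers2 newuser
# Usage (hypothetical path):
#   lock_repo /srv/git/project.git developers2 &&
#   audit_repo /srv/git/project.git developers2

# lock_repo DIR GROUP: hand DIR to GROUP and drop all "other" access.
lock_repo() {
    repo=$1 group=$2
    chgrp -R "$group" "$repo" || return 1
    # g+rX: read for the group, execute only on directories and on files
    # that are already executable. Add g+w if the group should also push.
    chmod -R g+rX,o-rwx "$repo" || return 1
    # setgid on directories so objects created later inherit the group
    find "$repo" -type d -exec chmod g+s {} +
}

# audit_repo DIR GROUP: print every path that breaks the isolation
# (wrong group, or any permission bit set for "other") and return
# non-zero if at least one is found.
audit_repo() {
    repo=$1 group=$2
    bad=$(find "$repo" \( ! -group "$group" \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Running `audit_repo` against every repository directory with its intended group shows which ones the new account could still read through world permissions.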