We have a local repository which is accessible to a large number of people. We have to set up a Git repository there such that only certain users have checkout as well as commit privileges. How can we do that?
P.S.: This is part of our homework assignment, in which we have to develop a game and update it using a Git repository. So, if anyone feels we should not be asking this question here, please do tell.
I'd recommend gitolite to manage user access to the repository.
Edit after comments:
gitolite is installed via git too.
I'm guessing that your teacher probably also meant to teach you – besides using git – to configure git protocols, ssh access (keys etc.).
You already got the best advice: gitolite, gitosis, Pro Git. Adding to this man ssh, man ssh-keygen, man scp and the git manual, your homework should be easily solved.
Since it is homework I will try to give hints.
What files and directories do other users need to read to access (or write to commit/push into) a repository?
What methods can you use to control the permission on these files and directories?
Does your application have any configuration options that might help?
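One way to act on these hints on a shared Linux host, as an added example that is not part of the original answers: the functions below create a group-restricted bare repository and audit an existing one for permissions that are too wide. The group name and repository path are supplied by the caller and are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). The group name and paths are
# chosen by the caller; nothing here is specific to the asker's machine.

# Create a bare repository that only members of group $2 can read or write.
make_group_repo() {
    repo=$1 group=$2
    # --shared=0660: new files are rw for owner and group only, regardless of
    # each pusher's umask; git also sets setgid on the directories.
    git init --bare --shared=0660 "$repo" &&
    chgrp -R "$group" "$repo" &&
    chmod -R o-rwx "$repo"
}

# Print every path under $1 that users outside the owning group can read,
# write or traverse. Empty output means "other" is locked out.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print directories under $1 that lack setgid. Files created there take the
# pusher's primary group and can become unreadable to the rest of the team.
dirs_without_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Exit status 0 only if the repository passes both checks; otherwise list
# the offending paths.
audit_repo() {
    bad=$(world_accessible "$1"; dirs_without_setgid "$1")
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}
```

Typical use is `make_group_repo /srv/git/game.git gamedev` once, then `audit_repo /srv/git/game.git` whenever membership or permissions change; both names are placeholders.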
I have a remote Linux machine with only one user.
I just set up git repos on it without a git user. But all the tutorials suggest that I use the git user. So right now I am using
git clone user@hostname:/path/to/git/directory/your_project.git
rather than:
git clone git@hostname:/path/to/git/directory/your_project.git
And it works fine.
If I use the git account, for each project I have to change permission for that project and change the config to share the directory.
Does setting up and using a git user have any advantage over using your own user account on Linux?
Not much, maybe convention - git automation tools and APIs might expect a git user, but I've never come across such a situation.
Sources: https://git-scm.com/book/en/v1/Git-on-the-Server-The-Protocols and https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-git-server-on-a-vps
The second one describes the creation of a git user, and then you get the URLs (over SSH, using a SCP-like syntax, as referenced in the first article's second method) to be git@server:.
You've essentially done the same thing but with whatever user instead of a user named git, so you get user@server:
I am new to Git, and after lots of searching I found that I have to set Linux permissions on my Git server.
But I want to know, is it possible to set permissions in Git?
I am working on a team of about six people, and for security reasons I don't want everyone on the team to be able to access the whole project.
For example, if somebody on my team works on the UI in my Store section, I want him/her to have his/her own branch, but when he/she pulls the project with Git, to have access only to the files and folders I allow.
I should add that I have my own Git server on a local network running Debian Linux, and I'm using "SourceTree" as my GUI for Git. I have little experience with the Git command line, so I need to do it from the GUI if possible.
Edited:
Does GitLab support permissions like this: I have a repository that uses the Laravel framework and I'd like to set permissions so that UI developers only access views and PHP developers access some controllers, not every part of the controllers in the project.
You can check out GitLab: https://about.gitlab.com/ for this. Out of the box, git does not support what you need/want.
No, Git doesn't manage this directly. Anyone with authentication credentials to the repository has access to the entire repository.
Traditionally, this is managed with third-party solutions, such as Gitolite, GitHub private repositories, and other systems.
In addition to the other answers: if you want only certain parts of the project to be accessible to each developer, you can use git submodules.
This is also preferable if the project has logically and functionally separate parts (like front-end and back-end).
Is it possible to have multiple git users logged as the same Linux user?
What I would like is that multiple admins can login as root, make a git pull to a directory assigned to them, and then git push, but so we still can see who made which changes in the git log?
Each one of your users can clone the repo for his own. That repository would have his config.user and config.email according to the person using it, and they all pull and push to the same "central" repo.
Anyway, they are all root, so there's not much you can do to prevent one of these admins from committing as another one. But if they aren't evil, you can do this.
gitosis can surely help to access control the repository, too, if needed.
Personally I would say that the correct mechanism to make sure that you can track changes in this sort of case would be not to have root as a permitted username for your repository. They would all have to commit with their individual user names by logging in as themselves.
In general nobody should be logged in as root other than very briefly while performing a specific task such as installing a new package - not all of the time while developing so anything you do to make such practices unrewarding is good.
It would be safer to manage that kind of access control with an authorization layer like gitolite, instead of relying on system account.
That way, you are controlling who can pull what.
Although that wouldn't control the "where" part (where the users would pull those repos to)
I searched through Google, forums and JGit user guide but couldn't find how to connect to a distant repository with the API.
Does anyone have an example or just an idea of how to do that?
Thanks for your help.
Currently, JGit 2.0.0-SNAPSHOT does only offer
org.eclipse.jgit.storage.file.FileRepository
org.eclipse.jgit.storage.dfs.InMemoryRepository
concrete Repository classes, meaning that since org.eclipse.jgit.api.Git takes a Repository, it is not possible to work remotely. Since Git by itself is not designed to operate remotely in the way I think you mean, I doubt we will see such a feature any time soon.
MORE ON THAT:
Consequently, you will need to clone locally. You do that by issuing
Git.cloneRepository()
.setURI(myRemoteURIString)
.setDirectory(new File(myLocalPathString))
.call();
However, for reasons of consistency in Git you should clone a bare repository only, so a non-bare repository in a remote location, while not technically, is practically inaccessible.
I am not sure I understand the question since Git is made for accessing other repositories, this is what is meant by "Git is distributed".
If you want to connect to ONE distant repository, then yeah you should clone it.
I don't know if that is what you are looking for, but you can also use multiple remotes. Adding one more is done with Git using git remote add <remote_name> <remote_uri>. As for Jgit, I unfortunately can't remember the code to do it simply, but you can figure this out.
At least it's possible by modifying the configuration, calling getConfig() from a Repository object and then calling setString(...) on it - don't forget to save the configuration in the end. But before modifying the configuration, I think you should first get to know more about Git and JGit.
I recommend you read more about it, and play a bit with your repository. Take a look at this article: http://caiustheory.com/adding-a-remote-to-existing-git-repo .
Another one that will help you down the road is How do I do the equivalent of “git remote update” with jgit?
Maybe someone else knows exactly which commands to run and can help.
I have an application using some template files and some developers who are producing them.
The best way I found to maintain templates is to install git over gitolite and create a hook to automatically check out templates on update, in the right folders.
Well, everything on setup is up and running fine, but I have a security question.
Templates are used by a small application running with a user called runtime, with runtime group.
Gitolite uses another user/group usually git:git to manage repositories.
In the hook I must check out files into a runtime user folder and obviously it does not work.
I am thinking about changing the git group to the same one as runtime, but I really don't know whether there are security problems with this solution or whether there is no reason to worry.
I'm not a security expert, but I know this place is full of them :)
Thanks a lot, David.
It sounds to me like you don't actually want to run the checkout of the files from the hook, you just want the hook to trigger them. The checkout really wants to be run as the runtime user?
I can think of a couple of ways to do this, none of them sound amazing:
Set up a passwordless ssh key for the git user, so it can run ssh runtime@localhost ~runtime/doUpdates.sh, and said script does the fetch and checkout.
Set up limited sudo for the git user so it can run sudo -u runtime ~runtime/doUpdates.sh.
Set up limited sudo for the git user so it can chown runtime:runtime -R the result of its checkout actions.
And a couple of even worse ones. :)
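The limited-sudo option above, written out as a hook; this is an added example and not taken from the original answer. The hook only decides whether the deploy branch moved, then runs one fixed script as runtime with nothing from the push passed along. The hook type (post-receive), the branch name and the /home/runtime path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): post-receive hook executed by
# the git user. Assumed sudoers entry, edited with visudo; the trailing ""
# forbids any command-line arguments:
#   git ALL=(runtime) NOPASSWD: /home/runtime/doUpdates.sh ""

DEPLOY_REF=${DEPLOY_REF:-refs/heads/master}   # assumed deploy branch
UPDATE_SCRIPT=/home/runtime/doUpdates.sh      # assumed path, owned by runtime

# Read "<old> <new> <ref>" lines as git feeds them to post-receive.
# Succeed only if DEPLOY_REF was created or updated (not deleted).
should_deploy() {
    rc=1
    while read -r old new ref; do
        [ "$ref" = "$DEPLOY_REF" ] || continue
        case $new in
            *[!0]*) rc=0 ;;    # an all-zero new id means the branch was deleted
        esac
    done
    return "$rc"
}

# Run the fixed script as runtime. -n makes sudo fail instead of prompting,
# and no ref names or ids from the push cross the privilege boundary.
trigger_update() {
    sudo -n -u runtime "$UPDATE_SCRIPT"
}

# Act only when installed as hooks/post-receive, so sourcing has no side effects.
case $0 in
    */post-receive|post-receive)
        if should_deploy; then
            trigger_update || echo "template update failed" >&2
        fi ;;
esac
```

Because the git user can execute doUpdates.sh as runtime, the script and its parent directory should be writable only by runtime or root.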