Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Can Gitlab/Gitolite enforce correct username/email

Tags:

git

gitlab

gitolite

Experimenting with git, I've setup Gitlab for a self hosted repository and it looks great.

The one thing bugging me is that it appears anyone can make commits as anyone else (ie: spoof a commit).

ie: I have my users setup in Gitlab with public key access

  • User1
  • User2

Now only those users may push - using their private SSH keys - but it seems there is nothing stopping User2 tweaking their gitconfig to commit under the name of User1 and pushing that up?

The history in gitlab and git -show shows the committer as whatever the User1's gitconfig text was. I want Gitlab to stamp the username associated with the pushing ssh key into the history instead so I know whose ssh key was used to push.

The scenario is the repo would be used in a team environment and it just seems prudent to not allow spoofed commits.

I've done some reading and understand that typically one might change the workflow to have a blessed repository and only have trusted committers that can push to that - but at this stage while learning git I want to stay in a more centralised/SVN type workflow.

Is this possible using hooks?

There is a similar question answered for gitosis but even that appears to only enforce the committer is from a range of users which doesn't stop User1 spoofing as User2 - as far as I can tell.

PS: Maybe I am asking the wrong question - is there a way in gitlab to discover which ssh key (and therefore real user) was used to push code into the repo? It doesn't appear so from what I can find.

like image 304
fiat Avatar asked Aug 22 '12 04:08

fiat

1 Answers

Update 2015

As this thread mention, GitLab Enterprise has among its git hooks associated to a project a way to control emails:

Go to project settings -> git hooks and check validation of author email.

Any email that doesn't match a known user is rejected.

Original answer (2012)

A partial way to achieve user id control is to make gitolite (which gitlab relies on) reject the push if at least one of the pushed commits isn't committed by the one pushing it.

When you push, you are authenticated (either based on the name of the public key registered by Gitolite, or by another way like an LDAP connection).
You can add a pre-receive hook which will check all the new commits, and look for at least one committed by the right name (ie the id of the user pushing said commits).
See this pre-receive hook as an example.

like image 151
VonC Avatar answered Nov 07 '22 10:11

VonC
Sign in to Comment

Related questions

How to checkout a commit's child?
git-flow: workflow for making "release candidates" / QA web artifacts
How should gitflow hotfixes work?
Jenkins Pipeline Submodule Authentication
Resolve merge conflict only for some files and commit to branch for other teams to resolve theirs
How does git log's ancestry path work with multiple negated commits?
Git and SVN on Windows
How can I attach multiple urls to a single git remote?
Github workflow for single developer
git checkout --patch by words?
How to achieve 'pre-checkout' hook in Git/bitbucket?
How to develop PHP packages in a team using composer?
How can I get Visual Studio to show merge conflicts under git?
How to stack a second pull request on top of an existing one before either are accepted?
ArtifactId is appended to SCM Url using Maven Release Plugin
GitHub: Make a private repository partially public
How can I install GitExtensions in Mac OS?
Tracking upstream svn changes with git-svn and github?
Git subdirectory filter with existing directory structure
Show the full command when executing a Git alias?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!