Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Git Logs and Control per user

I am investigating the possibility of using Git for code management for my Company. I have 2 questions in this regard:

  1. We want extensive logs on each "clone" or "code access" per user. There has been past incidents where the 3rd party consultants tried to access the company's I.P., but there activities were logged. As of now, when I clone a Git repository, there is no log showing access of any such code.

    • Where must I get logs for this information?

    • More than that, if Git repository is cloned by some engineer, can we still get logs of further "cloning", if someone tries to clone from them?

  2. Within same Git repository, is there a way to control access of certain parts of code? For example, consider a repository named TOP_DIR with two subdirectories, TOP_DIR/DIR_GLOBAL and TOP_DIR/DIR_SECURE. I want to give read/write access on DIR_SECURE to only few team members, but full read/write to almost everyone for DIR_GLOBAL.

Any pointers in these regards will be highly appreciated.


2 Answers

git itself has no permission management at all.

You have to use a wrapper. Common is gitolite, which is based on ssh and uses private key authentication to authenticate users. You can give permissions based on the keys (i.e. the users) for each repository separately.

It would be easy to extend gitolite (triggers?) to log all unauthorized access attempts, by modifying the executable which is called as soon as ssh hands over to gitolite after authentication. Access by people who're not registered with gitolite at all would be logged by sshd/pam, as permission denied upon login.

As said, git doesn't do any authentication or authorization, so if you need directory based access control, you'd have to use submodules, which can behave itchy sometimes, but they'll do what you need.

like image 191
Jonas Schäfer Avatar answered Jul 18 '26 19:07

Jonas Schäfer


You can use Git hooks to implement logging on a central server. Gitolite is good for user management and will make sure any hooks get called. With gitolite you can control who has access to what repos and with hooks can log user events.

You will ALWAYS have an issue with someone cloning a repo from another user's copy of the repo. Git is decentralized so this is not a fool proof solution, but if no user lets anyone copy their repo, and you can make sure everyone uses the central server its a start.

If hooks are insufficient, check out http://sitaramc.github.com/gitolite/triggers.html Gitolite does support "Triggers" that will give you a lot more info about what is going on that you can log.

like image 44
jeremy Avatar answered Jul 18 '26 19:07

jeremy



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!