How to make a git repository read-only?

Tags:

git

readonly

I have some git repositories accessed remotely through SSH and I want to make some of them read-only to prevent more pushes. Some people have remotes pointing to these repositories.

These bare repositories were initialised --shared=group, so is setting file permissions to 660 for all files good enough to still allow SSH access, but disallow writes? Or is there an easier way?

Cheers.

Steve Folly asked Nov 02 '09 16:11


2 Answers

There is more than one possible way to do this.

  • If your users each have a shell account (perhaps limited), and each of them accesses git repositories via their own account, you can use filesystem permissions to control SSH access to git repositories. On Unix those would be write permissions on directories, perhaps with the help of creating a group and specific permissions for a group (with "sticky group ID" set).

  • Pushing requires git-receive-pack to be in the user's $PATH, and be executable for them... although I am not sure how feasible this approach would be.

  • You can use an update or pre-receive hook to do access control for the repository, for example using the update-paranoid example hook from contrib/hooks in the git sources.

  • With a larger number of users you could be better off using a tool to manage access to git repositories, like Gitosis (in Python, requires setuptools) or Gitolite (in Perl).

  • For read-only access you can set up git daemon to provide read-only anonymous (and unauthenticated) access via the git:// protocol, instead of access via the SSH protocol.

    See the documentation for the url.<base>.insteadOf config variable for a way to ease the transition from the SSH to the GIT protocol.


See also Chapter 4, "Git on the Server", of the Pro Git book by Scott Chacon (CC-BY-NC-SA licensed).

Jakub Narębski answered Sep 20 '22 15:09


A pre-receive hook that simply prints an informative message and exits with a non zero status does the job.

Assuming you put some meaningful information in your message, it also cuts down on the queries from frustrated users asking why they can't push:

    #!/bin/bash
    # pre-receive hook: any non-zero exit status makes git reject the whole push.
    echo "=================================================="
    echo "This repository is no longer available for pushes."
    echo "Please visit blah blah yadda yadda ...."
    echo "=================================================="
    exit 1

Remember to set the executable permission for the script and to make sure it is owned by the right user and/or group, or else it will not execute and will not give any warning.

Dale Anderson answered Sep 18 '22 15:09
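Added example, not part of either answer: a shell script that installs a reject-everything pre-receive hook like the one above and audits the conditions under which git would not enforce it (hook missing, not executable, hooks path overridden, or writable by the group in a --shared=group repository). The function names, return codes and message text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the answers. Function names, return codes
# and the message text are assumptions made for illustration.

# Write hooks/pre-receive into bare repository $1 and make it executable.
install_readonly_hook() {
    [ -d "$1/hooks" ] || { echo "no hooks/ directory in $1" >&2; return 1; }
    cat > "$1/hooks/pre-receive" <<'EOF'
#!/bin/sh
echo "This repository is read-only; pushes are rejected." >&2
exit 1
EOF
    # Without the execute bit git skips the hook and accepts the push.
    chmod 755 "$1/hooks/pre-receive"
}

# Report whether the hook in bare repository $1 is in place to be run.
# Returns: 0 ok, 1 missing, 2 not executable,
#          3 core.hooksPath set in the repository config,
#          4 hook or hooks/ writable by group or others.
audit_readonly_hook() {
    hook="$1/hooks/pre-receive"
    if [ ! -f "$hook" ]; then
        echo "MISSING: $hook"; return 1
    fi
    if [ ! -x "$hook" ]; then
        echo "NOT EXECUTABLE: $hook (git will not run it)"; return 2
    fi
    # core.hooksPath makes git look for hooks somewhere else. Only the
    # repository's own config file is checked here, with a simple pattern.
    if [ -f "$1/config" ] &&
       grep -qi '^[[:space:]]*hookspath[[:space:]]*=' "$1/config"; then
        echo "OVERRIDDEN: core.hooksPath is set in $1/config"; return 3
    fi
    # In a --shared=group repository, anyone who can write to hooks/ or to
    # the hook file can edit or remove the check.
    if [ -n "$(find "$1/hooks" "$hook" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE: hooks/ or the hook is group- or world-writable"; return 4
    fi
    echo "OK: $hook is executable and not group- or world-writable"; return 0
}
```

The audit does not inspect what the hook does, and it does not look at the permissions of the repository directory that contains hooks/.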