使用git-shell并限制开发人员提交他们自己的项目

时间:2010-01-18 03:52:51

标签: git

我们正在使用git-shell来确保git帐户仅用于git操作。这很有效。

然而,在我们开始使用git full time之前,我们如何设置它类似于github,根据你的公钥,你可能只会提交到你自己的存储库?

据我所知,github可能会推出自己的git-shellsource code appears to be very simple to hack

3 个答案:

答案 0 :(得分:14)

我使用更简单的东西,您只需要设置三个文件,authorized_keys文件,gitsecurity.rb文件和权限文件gitpermissions。为简单起见,他们都可以进入git accounts .ssh文件夹。 (此处需要了解基本的unix管理技能)

gitpermissions文件看起来像这样,应该是相当自我解释的:

repo1.git|jane|rw
repo1.git|james|r
repo2.git|bob|rw

autorized_keys文件看起来像这样:

command="/Users/git/.ssh/gitsecurity.rb jacob",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa rFaivBw.....5Rws jacob
command="/Users/git/.ssh/gitsecurity.rb bob",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa rFaivBw.....5Rws bob

最后是gitsecurity.rb脚本,只需复制并粘贴它:

#!/usr/bin/ruby

class GitPermission
    attr_accessor :username;
    attr_accessor :repository;
    attr_accessor :read;
    attr_accessor :write;

def initialize(line)
    bits = line.split('|');
    if(bits.length!=3)
        $stderr.puts "Invalid configuration file"
        Process.exit(4)
    end
    @repository = bits[0]
    @username = bits[1]
    @read = bits[2].include?("r")
    @write = bits[2].include?("w")
end

end

if(!ENV.has_key?("SSH_ORIGINAL_COMMAND"))
    $stderr.puts "SSH not allowed to the git account."
    Process.exit(1);
end
command = ENV["SSH_ORIGINAL_COMMAND"];

if(!ARGV.length == 1)
    $stderr.puts "Authorised keys file misconfigured, username not specified correctly."
    Process.exit(1);
end

if(!ARGV[0].match(/^[A-Za-z0-9]+$/))
    $stderr.puts "Authorised keys file misconfigured, username contains invalid characters: "+ARGV[0];
    Process.exit(1);
end
username = ARGV[0]

if(!command.match(/^git[ -]upload-pack /) && !command.match(/^git[ -]receive-pack /))
    $stderr.puts "Only git commands are allowed."
    Process.exit(2);
end

repository = command[(command.index(' ')+1)..-1]

if(!repository.match(/'.*'/))
    $stderr.puts "Repository parameter incorrect."
    Process.exit(2);
end
repository = repository[1,repository.length-2]

begin
    file = File.new("/Users/git/.ssh/gitpermissions", "r")
    while (line = file.gets)
        p = GitPermission.new(line);
        if(p.repository == repository && p.username == username)
            if((p.write == true || (p.read == true && command.match(/^git[ -]upload-pack/))) )
                exec "/usr/local/git/bin/" + command
                Process.exit(0);
            end
        end
    end
    file.close
rescue => err
    $stderr.puts "Problem with server configuration: #{err}"
    Process.exit(4)
end

$stderr.puts "You do not have permission to complete this operation"
Process.exit(5)

答案 1 :(得分:2)

选项可以是gitosis。 (好的写作here

答案 2 :(得分:2)

此脚本允许经过身份验证的用户可以在git用户下运行任意代码。

示例漏洞:https://gist.github.com/ranmrdrakono/4959641
建议的解决方法:https://gist.github.com/ranmrdrakono/4959672

请注意,exec有两个参数。第一个是要执行的命令(常量),第二个是参数(不会被shell解释)。

相关问题
最新问题