如何使 git 存储库只读?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1662205/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to make a git repository read-only?
提问by Steve Folly
I have some git repositories accessed remotely through SSH and I want to make some of them read-only to prevent more pushes. Some people have remotes pointing to these repositories.
我有一些通过 SSH 远程访问的 git 存储库,我想将其中一些设置为只读以防止更多推送。有些人有指向这些存储库的遥控器。
These bare repositories were initialised --shared=group, so is setting file permissions to 660 for all files good enough to still allow SSH access, but disallow writes? Or is there an easier way?
这些裸存储库已初始化--shared=group,因此将所有文件的文件权限设置为 660 是否足以仍然允许 SSH 访问,但不允许写入?或者有更简单的方法吗?
Cheers.
干杯。
采纳答案by Jakub Nar?bski
There is more than one possible way to do this.
有不止一种可能的方法来做到这一点。
If your users each have a shell account (perhaps limited), and each of them accessing git repositories via their own account, you can use filesystem permissionsto control SSH access to git repositories. On Unix those would be write permissions on directories, perhaps with the help of creating a group and specific permissions for a group (with "sticky group ID" set).
Pushing requires
git-receive-packto be in $PATH of user, and be executable for them... although I am not sure how feasible this approach would be.You can use
updateorpre-receivehookto do access control to repository, for example using update-paranoidexample hook fromcontrib/hooksin git sources.With larger number of users you could be better with using a tool to manage access to git repositories, like Gitosis(in Python, requires setuptools) or Gitolite(in Perl).
For read only access you can setup git daemonto provide read-only anonymous (and unauthenticated) access via
git://protocol, instead of access via SSH protocol.See documentation for
url.<base>.insteadOfconfig variable for a way to ease the transition from SSH to GIT protocol.
如果您的用户每个人都有一个 shell 帐户(可能有限),并且每个人都通过自己的帐户访问 git 存储库,则您可以使用文件系统权限来控制对 git 存储库的 SSH 访问。在 Unix 上,这些将是对目录的写权限,也许在创建组和组的特定权限(设置“粘性组 ID”)的帮助下。
推送需要
git-receive-pack在用户的 $PATH 中,并且对他们来说是可执行的......尽管我不确定这种方法有多可行。您可以使用
update或pre-receive钩子对存储库进行访问控制,例如使用来自git 源代码的update-paranoid示例钩子contrib/hooks。对于大量用户,您可以更好地使用工具来管理对 git 存储库的访问,例如Gitosis(在 Python 中,需要 setuptools)或Gitolite(在 Perl 中)。
对于只读访问,您可以设置git daemon以通过
git://协议提供只读匿名(和未经身份验证)访问,而不是通过 SSH 协议访问。请参阅
url.<base>.insteadOf配置变量的文档,了解一种简化从 SSH 到 GIT 协议的过渡的方法。
See also Chapter 4. "Git on the Server" of Pro Gitbook by Scott Chacon (CC-BY-NC-SA licensed).
回答by Dale Anderson
A pre-receivehook that simply prints an informative message and exits with a non zero status does the job.
一个pre-receive简单地打印一条信息性消息并以非零状态退出的钩子可以完成这项工作。
Assuming you put some meaningful information in your message, it also cuts down on the queries from frustrated users asking why they can't push:
假设你在你的消息中加入了一些有意义的信息,它也会减少沮丧用户询问他们为什么不能推送的查询:
#!/bin/bash
echo "=================================================="
echo "This repository is no longer available for pushes."
echo "Please visit blah blah yadda yadda ...."
echo "=================================================="
exit 1
Remember to set the executable permission for the script and to make sure is owned by the right user and/or group, or else it will not execute and will not give any warning.
请记住为脚本设置可执行权限并确保由正确的用户和/或组拥有,否则它不会执行并且不会发出任何警告。
回答by Pat Notz
chmod -R a-w /path/to/repo.git
回答by jheddings
Since git relies primarily on the filesystem for access control, that will work. Note that in your permissions, the world has no access to the file, but the user and group have read/write access. If you want world-readable, your permissions should be 0444.
由于 git 主要依赖于文件系统进行访问控制,所以这会起作用。请注意,在您的权限中,世界无法访问该文件,但用户和组具有读/写访问权限。如果你想要世界可读,你的权限应该是0444.
You could do further fine-grained control by setting the repo permissions as 0664where the user is nobodyand the group is something like gitdevs. Then, only people in the gitdevsgroup will have the ability to write to the repo, but the world can read from it.
您可以通过将 repo 权限设置为0664用户所在的位置nobody和组类似于gitdevs. 然后,只有gitdevs组中的人才能写入 repo,但世界可以从中读取。
Follow-upHere is a linkthat covers various ways to share your repo and covers come pro's & cons and access control features.
跟进这是一个链接,涵盖了分享您的回购的各种方式,并涵盖了优点和缺点以及访问控制功能。
回答by Per Lundberg
Inspired by this comment:
受此评论启发:
Update your
hooks/pre-receivefile with the following content:#!/bin/sh echo "Closed for all pushes" ; exit 1
hooks/pre-receive使用以下内容更新您的文件:#!/bin/sh echo "Closed for all pushes" ; exit 1
This way, all users trying to push changes to this repo will receive the message above and the push will be rejected.
这样,所有尝试将更改推送到此 repo 的用户都会收到上面的消息,推送将被拒绝。
回答by Makis
回答by Ikke
Another possibility is the git protocol, but it requires the git daemon to be running.
另一种可能性是 git 协议,但它需要运行 git 守护进程。
回答by Nicolas
As I am just a user of our GitLab (and I didn't wanted to bother the admins in the first step), I searched for another way and found one:
由于我只是我们 GitLab 的用户(并且我不想在第一步中打扰管理员),因此我搜索了另一种方法并找到了一个:
- Open the GitLab webinterface and go to the repository you want to set to read-only
- Choose Settings > Repository
- Expand Protected Branches
- Add the master branch and set Allowed to mergeand Allowed to pushto No one
- If the master branch is protected already, you can set these values in the list below
- 打开 GitLab 网页界面并转到您要设置为只读的存储库
- 选择设置 > 存储库
- 扩展受保护的分支
- 添加 master 分支,设置Allowed to merge和Allowed to push为No one
- 如果 master 分支已经受到保护,您可以在下面的列表中设置这些值
回答by keypress
Recently I used limiting access to path "/repo.git/git-receive-pack" to achive result that the repository is read-write for some users and read-only for some others. In httpd config it looks like this:
最近我使用限制对路径“/repo.git/git-receive-pack”的访问来实现存储库对于某些用户是读写的而对于其他用户是只读的。在 httpd 配置中,它看起来像这样:
<Location /repo.git/>
Require group developers developers-ro
</Location>
<Location /repo.git/git-receive-pack>
Require group developers
</Location>
