Thanks for the reply.

On Thursday, October 3, 2013 6:29:16 AM UTC-4, Konstantin Khomoutov wrote:
> On Wed, 2 Oct 2013 13:36:42 -0700 (PDT) 
> <javascript:> wrote: 
> > I am trying to prevent users from attempting certain operations on my 
> > repository which is located on a Linux server by employing 
> > Server-Side hooks. The Git manual recommends creating a shell wrapper 
> > script to set a USER environment variable, which will then be used to 
> > restrict certain permissions. I looked for the better part of 
> > yesterday for a guide on how to do this (*as I'm new to both unix and 
> > git*), but was unable to find anything definitive. So I started 
> > piecing things together and trying different options. 
> First, can't you just install gitolite [1] and make it handle 
> everything for you automagically?  It supports virtual Git users (that 
> is, it requires only a single account in the system while individual 
> developers authenticate using their own SSH public keys, and are 
> distinguished based on this; by the way to implement this it uses the 
> same feature of the authorized_keys file you're attempting to exploit) 
> and provides for per repository- and per-branch access controls, 
> including groups of developers etc.  Both access rules and developers' 
> public keys are managed using a special administrative Git repository. 

From what I read, the Gitolite license isn't commercial, and we're also trying 
to avoid using third-party software for this implementation (even though it 
would make things easier).

> > After wasting 
> > close to two days now I am sitting at a solution I feel should work, 
> > but am unable to actually clone a directory at. 
> > 
> > I have defined the following bash script: 
> > #!/bin/bash 
> > export USER=$1 
> > /bin/bash 
> > 
> > In the authorized_keys file I call this script with a user parameter 
> > whom would be logging in. At this point, git would use the update 
> > script (which is not currently in place) and do whatever it needs to 
> > do. However I've been attempting a basic clone and I'm stuck at the 
> > command line after the .git folder has been created, and before any 
> > files have been brought down. Can you link me to a guide for this or 
> > explain what I'm doing wrong? 
> Well, could you explain this in a bit more detail? 
> Does the repository you're attempting to clone have any commits 
> recorded in it?  Does Git client errors out when cloning? 
There are commits and I'm not receiving any errors while cloning, it just 
sits with a blinking cursor and no prompt.

> Next, I fail to see why Git would use the update script (do you mean 
> hook?) if you do cloning?  An update hook script, if present, is called 
> by Git which is receiving changes which are being *pushed* to the 
> repository by another Git process; when you clone, this does not happen 
> as you're *fetching* the changes. 

Yes, I suppose that the update hook wouldn't be run here. However I fail to 
see why setting an environment variable is causing the clone operation to 
hang. I suppose the process I'm going about isn't the appropriate one for 
this task, so I will go about trying to revert my changes.

> In the end, I suspect you're on a wrong track: hooks are there to 
> affect Git's behaviour but they do not implement the behaviour. 
> I mean, when you push commits to another repository via SSH, a special 
> process, git-receive-pack, is spawned on the remote machine, and then it 
> communicates with the git-send-pack process running on your local 
> machine; they communicate over the tunnel set up by SSH.  Hooks are 
> called at key points of git-receive-pack's transition through its 
> action sequence defined by the exchange protocol.  So if you want to 
> subvert git-receive-pack (that's what you're trying to do, as I 
> understand) then you should employ forced commands in your 
> authorized_keys file, and that forced command should be a script which 
> ultimately calls $SSH_ORIGINAL_COMMAND after performing the required 
> setup.  Refer to the authorized_keys manual page. 
Ah, I believe I'm starting to understand. By executing SSH_ORIGINAL_COMMAND 
the server will execute the process that I interrupted with my script? 
That's certainly helpful to know! 

> 1. 

As an aside, the ultimate purpose of this is to work in accordance with a 
program I'm developing using jgit that will update my clients' software by 
keeping an up-to-date copy of the compiled code in their local repo. Is 
this something that people in the industry do, am I opening myself up to 
vulnerabilities, or is this overly complicated? This is why I'm trying to 
disable pushes by anyone except the compilation server using the update 
hook. I haven't done much research yet on this next bullet point, but is it 
possible to limit customer-specific code? I.e., if I have a repository with 
100 folders and 100 users, can I make it so that each user only has access 
to one of these folders on a clone or pull? 
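Worked example, added here and not part of the thread or of the Git manual: the forced-command wrapper Konstantin describes, with the pieces the posted script was missing. The script in the post starts a fresh /bin/bash instead of running the command the client sent, and that is the hang: the git client issues `git-upload-pack '<repo>'` over SSH and then waits for the server's ref advertisement, while the forced /bin/bash sits reading the client's protocol stream as shell input, so neither side ever speaks. The version below reads $SSH_ORIGINAL_COMMAND, accepts only git-upload-pack and git-receive-pack on a bare repository name, sets USER from the authorized_keys argument (which the client cannot control, since sshd does not pass client environment through without AcceptEnv), and execs the real service. The same file doubles as the update hook that refuses pushes from anyone but the build account. The paths, account names and install locations are assumptions and are labelled as such in the comments.

```shell
#!/bin/sh
# Added example, not from the thread: one POSIX sh file that serves as both the
# forced command named in authorized_keys and the bare repository's update hook.
# Assumptions (not in the original post): repositories live under /srv/git, the
# build account that is allowed to push is "buildsrv", the file is installed as
# /usr/local/bin/git-gate and copied to <repo>.git/hooks/update, and developers
# clone with  git clone git@host:app.git  (a bare name, not an absolute path).
#
# authorized_keys line per developer (key material elided); the options refuse
# a pty, forwarding and any command other than this wrapper:
#   command="/usr/local/bin/git-gate alice",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... alice

GIT_ROOT=${GIT_ROOT:-/srv/git}
ALLOWED_PUSHER=${ALLOWED_PUSHER:-buildsrv}

# git_gate USER SSH_ORIGINAL_COMMAND
# Validates what the client asked for and prints "service /abs/path" on success.
# Only the two server-side git services are accepted, so an interactive shell,
# scp, or anything else sent over the same key is refused.
git_gate() {
    user=$1 cmd=$2
    case "$user" in
        ''|*[!A-Za-z0-9_-]*) echo "git-gate: bad user name" >&2; return 1 ;;
    esac
    case "$cmd" in
        "git-upload-pack '"*"'"|"git-receive-pack '"*"'") ;;
        *) echo "git-gate: refused: ${cmd:-<no command>}" >&2; return 1 ;;
    esac
    service=${cmd%% *}
    repo=${cmd#* \'}
    repo=${repo%\'}
    # A bare repository name only: no slashes (so no absolute paths), no "..",
    # no quotes or spaces, so the path below cannot escape $GIT_ROOT.
    case "$repo" in
        ''|*[!A-Za-z0-9._-]*|*..*) echo "git-gate: bad repository name" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$service" "$GIT_ROOT/$repo"
}

# Forced-command entry point: set USER from the authorized_keys argument (the
# client cannot influence it) and exec the validated git service in place of
# this script. This is the step the thread's wrapper skipped by starting /bin/bash.
gate_main() {
    line=$(git_gate "$1" "${SSH_ORIGINAL_COMMAND:-}") || exit 1
    USER=$1
    export USER
    set -- $line            # "service path"; both pieces were validated above
    exec "$1" "$2"
}

# update hook: git-receive-pack runs it as  update <refname> <old-sha> <new-sha>
# with USER inherited from gate_main. A non-zero exit refuses that ref update.
update_hook() {
    refname=$1
    if [ "${USER:-}" != "$ALLOWED_PUSHER" ]; then
        echo "update hook: ${USER:-unknown user} may not push to $refname" >&2
        return 1
    fi
    return 0
}

case "${0##*/}" in
    git-gate) gate_main "$@" ;;             # invoked from authorized_keys
    update)   update_hook "$@"; exit $? ;;  # invoked by git-receive-pack
esac
```

The wrapper decides what runs at all; the hook decides whether a pushed ref is accepted, and it only fires on push, so a clone or fetch never reaches it. If developers should never push, the wrapper can simply refuse git-receive-pack for any user other than the build account and the hook becomes a second layer. On the last question in the message: the transport has no notion of per-directory reads. git-upload-pack sends every object reachable from the requested refs, so restricting a customer to one folder of a shared repository is not something a wrapper or hook can do; one repository per customer, whose bare name the wrapper whitelists per key, is the shape that works.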

You received this message because you are subscribed to the Google Groups "Git 
for human beings" group.