我们使用git-shell来确保git帐户仅用于git操作。这很管用。
然而,在我们开始全职使用git之前,我们如何将其设置为类似于github,从而根据您的公钥,您可以只提交给自己的存储库?
据我所知,github用户可能正在滚动他们自己的git-shell,而source code appears to be very simple to hack
最佳答案
我用的比较简单,您只需要设置三个文件,即authorized_keys文件、gitsecurity.rb文件和权限文件。为了简单起见,它们都可以放在git accounts.ssh文件夹中。(理解本文所需的基本Unix管理技能)gitpermissions文件看起来像这样,应该是相当自我解释的:
repo1.git|jane|rw
repo1.git|james|r
repo2.git|bob|rw
gitpermissions文件如下所示:command="/Users/git/.ssh/gitsecurity.rb jacob",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa rFaivBw.....5Rws jacob
command="/Users/git/.ssh/gitsecurity.rb bob",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa rFaivBw.....5Rws bob
最后,复制并粘贴
autorized_keys脚本:#!/usr/bin/ruby
class GitPermission
attr_accessor :username;
attr_accessor :repository;
attr_accessor :read;
attr_accessor :write;
def initialize(line)
bits = line.split('|');
if(bits.length!=3)
$stderr.puts "Invalid configuration file"
Process.exit(4)
end
@repository = bits[0]
@username = bits[1]
@read = bits[2].include?("r")
@write = bits[2].include?("w")
end
end
if(!ENV.has_key?("SSH_ORIGINAL_COMMAND"))
$stderr.puts "SSH not allowed to the git account."
Process.exit(1);
end
command = ENV["SSH_ORIGINAL_COMMAND"];
if(!ARGV.length == 1)
$stderr.puts "Authorised keys file misconfigured, username not specified correctly."
Process.exit(1);
end
if(!ARGV[0].match(/^[A-Za-z0-9]+$/))
$stderr.puts "Authorised keys file misconfigured, username contains invalid characters: "+ARGV[0];
Process.exit(1);
end
username = ARGV[0]
if(!command.match(/^git[ -]upload-pack /) && !command.match(/^git[ -]receive-pack /))
$stderr.puts "Only git commands are allowed."
Process.exit(2);
end
repository = command[(command.index(' ')+1)..-1]
if(!repository.match(/'.*'/))
$stderr.puts "Repository parameter incorrect."
Process.exit(2);
end
repository = repository[1,repository.length-2]
begin
file = File.new("/Users/git/.ssh/gitpermissions", "r")
while (line = file.gets)
p = GitPermission.new(line);
if(p.repository == repository && p.username == username)
if((p.write == true || (p.read == true && command.match(/^git[ -]upload-pack/))) )
exec "/usr/local/git/bin/" + command
Process.exit(0);
end
end
end
file.close
rescue => err
$stderr.puts "Problem with server configuration: #{err}"
Process.exit(4)
end
$stderr.puts "You do not have permission to complete this operation"
Process.exit(5)