Git literacy: How to make a git bare repository respect group permissions
denvazh
Background
In group development one usually needs a system that not only tracks all changes to the source code, but also lets each member see the changes introduced by other members of the same project.
An SVN repository allows this by default, because there is only one repository and everybody commits changes to it. With a distributed version control system like git, a slightly more sophisticated setup is required.
Every project member has to have a local working copy of the project to which they make changes, plus at least one remote repository that acts as a shared one and is used mainly for collaboration (i.e. to “push” one's own changes and to “fetch” work done by others).
Local working copy can be created very easily:
$: git init
This initializes a git repository within the given directory (simply put, it creates a .git folder in it).
To create remote shared repository, one has to use specific option:
$: git init --bare
Roots of the issue
Suppose we have a setup where we would like to allow users to push to the remote repository over an ssh connection, and suppose the repository was created by a specific user that manages repositories, say “git”.
In this case, if we just use the “--bare” option, we could end up with a problem like this:
$: ls -la /home/git/repository/example.git drwxrwxr-x 21 git git 4096 Nov 1 2011 . drwxrwxr-x 7 git git 4096 Oct 31 2011 .. drwxr-xr-x 2 git git 4096 Nov 1 2011 2b drwxr-xr-x 2 git git 4096 Nov 1 2011 2c drwxr-xr-x 2 git git 4096 Nov 1 2011 30 drwxr-xr-x 2 git git 4096 Nov 1 2011 32 drwxr-xr-x 2 git git 4096 Nov 1 2011 4b drwxr-xr-x 2 git git 4096 Nov 1 2011 50 drwxr-xr-x 2 git git 4096 Nov 1 2011 65 drwxr-xr-x 2 git git 4096 Nov 1 2011 6e drwxr-xr-x 2 git git 4096 Nov 1 2011 94 drwxr-xr-x 2 git git 4096 Nov 1 2011 a6 drwxr-xr-x 2 git git 4096 Nov 1 2011 cd drwxr-xr-x 2 git git 4096 Nov 1 2011 d4 drwxr-xr-x 2 git git 4096 Nov 1 2011 df drwxr-xr-x 2 git git 4096 Nov 1 2011 e2 drwxr-xr-x 2 git git 4096 Nov 1 2011 e3 drwxr-xr-x 2 git git 4096 Nov 1 2011 e5 drwxr-xr-x 2 git git 4096 Nov 1 2011 ff drwxrwxr-x 2 git git 4096 Oct 31 2011 info drwxrwxr-x 2 git git 4096 Oct 31 2011 pack
This is not a problem if only the git user pushes code. However, if you would like to set up user-based access, it will not work, because pushed content is written with rwxr-xr-x permissions, which allow full access to the git user and read-only access for git group members and other users.
How to fix it?
Git has native support for managing group permissions within a bare repository. This is done with the “--shared=” option. For example,
$: git init --bare --shared=all
This forces permissions like rwxrwxr-x, so all members of a certain group (in this case git) are able to push code to this repository.
Note: --shared=all is not the ultimate solution; the option has a lot of settings that can be used to tune a git bare repository to specific needs.
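For a repository that already exists with the drwxr-xr-x directories listed under “Roots of the issue”, the same result can be reached after the fact. The script below is an added example, not part of the original post: the function names and the script name fix-shared.sh are made up for illustration, and it sets core.sharedRepository to group (group write without forcing world-readability); use all instead to match the command above.

```sh
#!/bin/sh
# Added example, not from the original post.
# Usage: sh fix-shared.sh /home/git/repository/example.git
# Run as the repository owner (or root); the path is supplied by the caller.

# List directories that group members cannot fully use (missing any of g=rwx).
# These correspond to the drwxr-xr-x entries in the listing above.
audit_shared_repo() {
    find "$1" -type d ! -perm -0070 -print
}

# Give the group the owner's access: rwx on directories, rw on files the owner
# can write (read-only object files stay read-only), and setgid on directories
# so that new entries inherit the repository's group.
repair_shared_perms() {
    find "$1" -type d -exec chmod g+rwxs {} +
    find "$1" -type f -perm -0200 -exec chmod g+rw {} +
    find "$1" -type f ! -perm -0200 -exec chmod g+r {} +
}

if [ "$#" -gt 0 ]; then
    repo=$1
    echo "Directories not group-writable before repair:"
    audit_shared_repo "$repo"
    repair_shared_perms "$repo"
    # Record the sharing mode so git creates future objects and refs with
    # group access; this is the setting that --shared=group stores at init.
    git --git-dir="$repo" config core.sharedRepository group
    remaining=$(audit_shared_repo "$repo" | wc -l)
    echo "Directories still not group-writable: $remaining"
fi
```

The chmod pass fixes what is already on disk; the config setting is what keeps later pushes from recreating owner-only directories.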