Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.1k views
in Technique[技术] by (71.8m points)

linux - Prevent other git authors

I have setup my own private git server, and have a team of 5 members. I have their user accounts all setup, but how do I prevent commits to the remote being done by random weird accounts. Because some of my team also use github and wouldn't want their usernames appearing in the log, but rather their username I assign them.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

To prevent people committing using "random weird accounts", you could set up a git pre-receive hook to validate the commiter/author names on incoming commits against a list of valid names. But this doesn't provide the authentication component.

To prevent impersonation, you could simply required that all commmits are gpg-signed (git commit -S ...), and have you pre-receive hook validate the signatures against a gpg keyring on the server.

Depending on how people are connecting to your remote server, you could also explicitly match the commiter/author name against the username used for the connection, if you have access to that.

Update 1

If your committers are pushing to your server over ssh, then the third option above is probably the easiest. In your .ssh/authorized_keys file, set an environment variable for each key that identifies the user:

environment="SSH_USER=lars" ssh-rsa ...

And then in your pre-receive hook, you can use that environment variable to look up valid committer names/emails against some table. You can read about pre-receive hooks in the githooks(5) man page, they receive on stdin a lines of the form:

<oldrev> <newrev> <refname>

You can get the commit name from <newrev> like this:

commiter_name=$(git show -s --format='format:%cn' <newrev>)

And the mail using %ce instead of %cn.

Update 2

Or heck, just forget table lookups. In your .ssh/authorized_keys file:

environment="ALLOWED_NAME=Bob Jones",environment="ALLOWED_EMAIL=bob@example.com" ssh-rsa ...

And then in your pre-receive hook:

#!/bin/sh

while read oldrev newrev refname; do
  cn=$(git show -s --format='format:%cn' $newrev)
  ce=$(git show -s --format='format:%ce' $newrev)

  [ "$cn" = "$ALLOWED_NAME" ] || {
    echo "*** Inalid committer name"
    exit 1
  }

  [ "$ce" = "$ALLOWED_EMAIL" ] || {
    echo "*** Inalid committer email"
    exit 1
  }

done

And I think you have what you want.

Update 3

You could probably accomplish something similar using http authentication, because within your pre-receive script you would have access to the REMOTE_USER environment variable, which contains the name of the authenticated remote user. You would probably need to go with some sort of table lookup to get value of approved names and email addresses.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...