From: Pete Harlan <pgit@pcharlan.com>
To: Nazri Ramliy <ayiehere@gmail.com>
Cc: Aneurin Price <aneurin.price@gmail.com>,
Git Mailing List <git@vger.kernel.org>
Subject: Re: How to prevent changes to repository by root
Date: Fri, 18 Jun 2010 13:45:33 -0700
Message-ID: <4C1BDAED.3030809@pcharlan.com>
In-Reply-To: <AANLkTimjIraq-qDaifACixJ4cCOYuvkf1v-hVpeaVt3u@mail.gmail.com>

On 06/16/2010 07:28 PM, Nazri Ramliy wrote:
> On Thu, Jun 17, 2010 at 12:09 AM, Aneurin Price <aneurin.price@gmail.com> wrote:
>> How are they becoming root? If they are using sudo you could forbid
>> running git as root. If they are using su or logging in directly maybe
>> you can get away with some trivial thing like putting 'alias
>> git=/bin/false' in /root/.bashrc - or some wrapper which does
>> something helpful rather than silently fail :-).
>
> Thanks for dropping the hint on wrapper.
>
> I've implemented one that gives the user a friendly reminder
> that they are running git as root and asks whether to continue.

When I needed this I wrote a hook that refused a commit by root unless the commit message said something to the effect of:

    Root commit performed by <person or script name>.

It's not that I minded so much that root was doing commits, it's the anonymity that was the problem. So automated scripts that ran as root could perform commits too, they just had to include this note in the commit message so we knew which script was doing it. It was all the honor-system, but it did what we wanted and prevented committing as root by accident.

--Pete
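
A hook of the kind described in the message above, written here as an added example (it is not Pete Harlan's original hook, which the message does not show). It assumes a client-side `commit-msg` hook and that the attribution is a line of its own; the function name `check_root_commit` and the pattern `NOTE_RE` are illustrative choices.

```shell
#!/bin/sh
# Added example: install as .git/hooks/commit-msg and make it executable.
# Assumption: the required note is a whole line matching NOTE_RE.

NOTE_RE='^Root commit performed by [^[:space:]].*$'

# check_root_commit UID MSGFILE
# Returns 0 if the commit may proceed, 1 if it must be refused.
check_root_commit() {
    uid=$1
    msgfile=$2

    # Commits by non-root users are not this hook's concern.
    [ "$uid" -eq 0 ] || return 0

    # Drop the '#' comment lines git places in the message template,
    # then look for the attribution line.
    if grep -v '^#' "$msgfile" | grep -Eq "$NOTE_RE"; then
        return 0
    fi

    echo "Refusing commit as root: add a line such as" >&2
    echo "  Root commit performed by <person or script name>." >&2
    return 1
}

# Act as a hook only when installed under the hook's name; git passes
# the path of the commit message file as the first argument.
case "${0##*/}" in
    commit-msg) check_root_commit "$(id -u)" "$1" || exit 1 ;;
esac
```

As the message says, this is honor-system only: `git commit --no-verify` skips the `commit-msg` hook, and root can edit or remove the hook file.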