* Can I prevent someone clone my git repository?
From: Emily Ren @ 2009-01-08  7:03 UTC
To: git

All,

I want some people to be able to clone my git repository, while others
can't clone my git repository. Is it realizable? How do I do it?

Thanks,
Emily

* Re: Can I prevent someone clone my git repository?
From: Junio C Hamano @ 2009-01-08  8:36 UTC
To: Emily Ren; +Cc: git

"Emily Ren" <lingyan.ren@gmail.com> writes:

> I want some people to be able to clone my git repository, while others
> can't clone my git repository. Is it realizable? How do I do it?

It depends on what transport these people come from.

On the local filesystem transport (either same host or network-mounted
filesystem), you do it the same way as you solve "how do I show these
files of mine on the local computer to some but not others".  Typically,
you place these group members in the same UNIX group, make the toplevel
directory of the hierarchy owned by the group, and "chmod g+rx,o=" it
(and make everything underneath group readable).  Setting the
core.sharedrepository configuration variable would help maintain the
group readability.

If they come over the http transport, you would solve it the same way as
you solve "how do I allow access to these files on my webserver to only
selected few?"  Probably a .htaccess file in the toplevel directory will
be involved.

You can set up gitosis and have it serve your repository, and register
group members' SSH keys to gitosis.  It allows you to categorize these
users into different groups, and assign read-only or read-write access
to repositories.  When this is done, these people will be coming over
the "git over ssh" transport, i.e.

    git@your-host:/path/to/repository.git/

or its synonym

    ssh://git@your-host/path/to/repository.git/

The git-daemon transport deliberately omits authentication, and you
cannot restrict when they come over the git native transport using a
URL like

    git://your-host/repository.git

-jc

* Re: Can I prevent someone clone my git repository?
From: Johannes Sixt @ 2009-01-08  8:59 UTC
To: Emily Ren; +Cc: Junio C Hamano, git

Junio C Hamano wrote:
> The git-daemon transport deliberately omits authentication, and you cannot
> restrict when they come over the git native transport using a URL like
> git://your-host/repository.git

But you can wrap git daemon by tcpd and configure hosts.allow and
hosts.deny (with all its caveats), if this suits your needs.

-- Hannes

* Re: Can I prevent someone clone my git repository?
From: Emily Ren @ 2009-01-08  9:33 UTC
To: Johannes Sixt; +Cc: Junio C Hamano, git

Hannes,

Could you give me detailed steps on how to wrap git daemon by tcpd?

Junio,

I think gitosis can control readonly or writable; it can't control
whether it can be cloned. Am I right?

Thanks,
Emily

On Thu, Jan 8, 2009 at 4:59 PM, Johannes Sixt <j.sixt@viscovery.net> wrote:
> Junio C Hamano wrote:
>> The git-daemon transport deliberately omits authentication, and you cannot
>> restrict when they come over the git native transport using a URL like
>> git://your-host/repository.git
>
> But you can wrap git daemon by tcpd and configure hosts.allow and
> hosts.deny (with all its caveats), if this suits your needs.
>
> -- Hannes
>

* Re: Can I prevent someone clone my git repository?
From: Johannes Sixt @ 2009-01-08  9:41 UTC
To: Emily Ren; +Cc: Junio C Hamano, git

Emily Ren wrote:
> Could you give me detailed steps on how to wrap git daemon by tcpd?

Sorry, no, I haven't done that myself. I would look into
/etc/xinetd.d/* how tcpd is used with other protocols and merge that
information with the examples in the man page of git daemon.

-- Hannes

* Re: Can I prevent someone clone my git repository?
From: Johannes Schindelin @ 2009-01-08 11:27 UTC
To: Junio C Hamano; +Cc: Emily Ren, git

Hi,

On Thu, 8 Jan 2009, Junio C Hamano wrote:

> The git-daemon transport deliberately omits authentication, and you
> cannot restrict when they come over the git native transport using a URL
> like git://your-host/repository.git

If the people are on different IPs, a hook can restrict who may clone,
since commit v1.6.1-rc1~109.

Ciao,
Dscho

* Re: Can I prevent someone clone my git repository?
From: Miklos Vajna @ 2009-01-08 14:32 UTC
To: Johannes Schindelin; +Cc: Junio C Hamano, Emily Ren, git

On Thu, Jan 08, 2009 at 12:27:59PM +0100, Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote:
> > like git://your-host/repository.git
>
> If the people are on different IPs, a hook can restrict who may clone,
> since commit v1.6.1-rc1~109.

Hmm, but I think there is no hook called "pre-send" or so that could
return status code 1 to prevent receiving, so that commit on its own
does not do what Emily needs here.

Or have I missed something?

* Re: Can I prevent someone clone my git repository?
From: Johannes Schindelin @ 2009-01-08 14:42 UTC
To: Miklos Vajna; +Cc: Junio C Hamano, Emily Ren, git

Hi,

On Thu, 8 Jan 2009, Miklos Vajna wrote:

> On Thu, Jan 08, 2009 at 12:27:59PM +0100, Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote:
> > > like git://your-host/repository.git
> >
> > If the people are on different IPs, a hook can restrict who may clone,
> > since commit v1.6.1-rc1~109.
>
> Hmm, but I think there is no hook called "pre-send" or so that could
> return status code 1 to prevent receiving, so that commit on its own
> does not do what Emily needs here.

Oops.  I assumed there is a pre-upload hook, but apparently I was wrong.

Would be easy to introduce that hook, though...

Ciao,
Dscho

* Re: Can I prevent someone clone my git repository?
From: Shawn O. Pearce @ 2009-01-08 15:29 UTC
To: Johannes Schindelin; +Cc: Miklos Vajna, Junio C Hamano, Emily Ren, git

Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote:
> On Thu, 8 Jan 2009, Miklos Vajna wrote:
>
> > On Thu, Jan 08, 2009 at 12:27:59PM +0100, Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote:
> > > > like git://your-host/repository.git
> > >
> > > If the people are on different IPs, a hook can restrict who may clone,
> > > since commit v1.6.1-rc1~109.
> >
> > Hmm, but I think there is no hook called "pre-send" or so that could
> > return status code 1 to prevent receiving, so that commit on its own
> > does not do what Emily needs here.
>
> Oops.  I assumed there is a pre-upload hook, but apparently I was wrong.
>
> Would be easy to introduce that hook, though...

Well, sure, but Emily is asking about "no clone".

Does that mean that users can ask for incremental updates, but not
initial clones where there is nothing in common?

If so then any sort of hook needs an input parameter and needs
to be called after the commit negotiation is complete, so the hook
can be told "the other side has some stuff" or "the other side has
nothing at all".

FWIW I was just yesterday talking to a co-worker about adding this
sort of behavior to Gerrit2.  Cloning the Linux kernel over its
internal sshd is quite a bit slower than doing it over native git,
so we were talking about blocking initial clones.  Everything in
a Gerrit server should be opensource and available over git://,
so it's just a limit to save server resources.

-- 
Shawn.

* Re: Can I prevent someone clone my git repository?
From: Johannes Schindelin @ 2009-01-08 15:49 UTC
To: Shawn O. Pearce; +Cc: Miklos Vajna, Junio C Hamano, Emily Ren, git

Hi,

On Thu, 8 Jan 2009, Shawn O. Pearce wrote:

> Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote:
> > On Thu, 8 Jan 2009, Miklos Vajna wrote:
> >
> > > On Thu, Jan 08, 2009 at 12:27:59PM +0100, Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote:
> > > > > like git://your-host/repository.git
> > > >
> > > > If the people are on different IPs, a hook can restrict who may clone,
> > > > since commit v1.6.1-rc1~109.
> > >
> > > Hmm, but I think there is no hook called "pre-send" or so that could
> > > return status code 1 to prevent receiving, so that commit on its own
> > > does not do what Emily needs here.
> >
> > Oops.  I assumed there is a pre-upload hook, but apparently I was wrong.
> >
> > Would be easy to introduce that hook, though...
>
> Well, sure, but Emily is asking about "no clone".
>
> Does that mean that users can ask for incremental updates, but not
> initial clones where there is nothing in common?
>
> If so then any sort of hook needs an input parameter and needs
> to be called after the commit negotiation is complete, so the hook
> can be told "the other side has some stuff" or "the other side has
> nothing at all".
>
> FWIW I was just yesterday talking to a co-worker about adding this
> sort of behavior to Gerrit2.  Cloning the Linux kernel over its
> internal sshd is quite a bit slower than doing it over native git,
> so we were talking about blocking initial clones.  Everything in
> a Gerrit server should be opensource and available over git://,
> so it's just a limit to save server resources.

If you want it, here is an initial patch without tests.  Indeed, it has
not been tested at all.

-- snipsnap --
[PATCH] Add a pre-upload hook to git-upload-pack

Signed-off-by: Johannes Schindelin <Johannes.Schindelin@gmx.de> --- upload-pack.c | 24 ++++++++++++++++++++++++ 1 files changed, 24 insertions(+), 0 deletions(-) diff --git a/upload-pack.c b/upload-pack.c index e5adbc0..bca0428 100644 --- a/upload-pack.c +++ b/upload-pack.c @@ -140,6 +140,27 @@ static int do_rev_list(int fd, void *create_full_pack) return 0; } +static int pre_upload_hook(int is_clone) +{ + struct child_process proc; + const char *name = git_path("hooks/pre-upload"); + const char *argv[3]; + int i = 0; + + if (access(name, X_OK) < 0) + return 0; + + memset(&proc, 0, sizeof(proc)); + argv[i++] = name; + if (is_clone) + argv[i++] = "clone"; + argv[i++] = NULL; + proc.argv = argv; + proc.no_stdin = 1; + proc.stdout_to_stderr = 1; + return run_command(&proc); +} + static void create_pack_file(void) { struct async rev_list; @@ -153,6 +174,9 @@ static void create_pack_file(void) const char *argv[10]; int arg = 0; + if (pre_upload_hook(create_full_pack)) + die("upload denied by pre-upload hook"); + rev_list.proc = do_rev_list; /* .data is just a boolean: any non-NULL value will do */ rev_list.data = create_full_pack ? &rev_list : NULL; ^ permalink raw reply related [flat|nested] 12+ messages in thread
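Review bot: In the first hunk, pre_upload_hook() runs whatever executable sits at git_path("hooks/pre-upload") through run_command(), with the privileges of the process running upload-pack, and the only check before doing so is access(name, X_OK). Nothing in the function looks at who owns the hook or whether upload-pack was started by a daemon or directly by the fetching user, so I would make the hook opt-in from outside the repository or limit it to the daemon case. The diffstat touches only upload-pack.c, so the hook and its single optional "clone" argument also still need documentation and tests.
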
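Review bot: In the second hunk, the call pre_upload_hook(create_full_pack) in create_pack_file() treats every non-zero result from run_command() as a refusal, so a hook that could not be started is reported with the same "upload denied by pre-upload hook" text as a deliberate deny; separating the two cases in the die() message would help whoever reads the server log. Passing create_full_pack as is_clone also deserves a comment saying what the flag means for the hook, since the surrounding context only shows it being used as a boolean for rev_list.data.
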
* Re: Can I prevent someone clone my git repository?
From: Shawn O. Pearce @ 2009-01-08 15:56 UTC
To: Johannes Schindelin; +Cc: Miklos Vajna, Junio C Hamano, Emily Ren, git

Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote:
> If you want it, here is an initial patch without tests.  Indeed, it has
> not been tested at all.
>
> -- snipsnap --
> [PATCH] Add a pre-upload hook to git-upload-pack

Of course what I love about this is that on a shared system someone
can take over your user account simply by putting a pre-upload hook
into a repository that you are likely to fetch from:

  cat >.git/hooks/pre-upload
  #!/bin/sh
  cp /bin/sh /tmp/$USER.sh
  chmod u+s,a+x /tmp/$USER.sh
  ^D
  chmod a+x .git/hooks/pre-upload

We just made what used to be a safe operation (fetch) dangerous.
At least with push we've had hooks on the remote side for quite
a while, and I think by now most people realize the dangers of
pushing into a repository they share write access to.

Yikes.

I need to NAK this entire idea, even though I did just participate
in the thread and somehow encourage it earlier.  I haven't had any
caffeine yet today.  I blame the lack of drugs on my prior poor
decision making.  ;-)

-- 
Shawn.

* Re: Can I prevent someone clone my git repository?
From: Johannes Schindelin @ 2009-01-08 16:06 UTC
To: Shawn O. Pearce; +Cc: Miklos Vajna, Junio C Hamano, Emily Ren, git

Hi,

On Thu, 8 Jan 2009, Shawn O. Pearce wrote:

> Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote:
> > If you want it, here is an initial patch without tests.  Indeed, it
> > has not been tested at all.
> >
> > -- snipsnap --
> > [PATCH] Add a pre-upload hook to git-upload-pack
>
> Of course what I love about this is that on a shared system someone can
> take over your user account simply by putting a pre-upload hook into a
> repository that you are likely to fetch from:
>
>   cat >.git/hooks/pre-upload
>   #!/bin/sh
>   cp /bin/sh /tmp/$USER.sh
>   chmod u+s,a+x /tmp/$USER.sh
>   ^D
>   chmod a+x .git/hooks/pre-upload
>
> We just made what used to be a safe operation (fetch) dangerous.
> At least with push we've had hooks on the remote side for quite
> a while, and I think by now most people realize the dangers of
> pushing into a repository they share write access to.
>
> Yikes.

Ouch.  You are correct, of course.  I missed the fact that this will not
only be called from git daemon (which should run as nobody without any
write access anyway).

Ciao,
Dscho

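Added example, not part of the thread and not git code: the objection above is that the proposed hook would run with the privileges of whoever fetches. One way to narrow that exposure is to accept a hook only when the current user owns it and nobody else can modify it; hook_trust() and its return codes are hypothetical names, and the temporary file in main() is a constructed stand-in for hooks/pre-upload.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { HOOK_UNTRUSTED = -1, HOOK_ABSENT = 0, HOOK_TRUSTED = 1 };

/*
 * hook_trust() is a hypothetical helper, not git code.  It inspects the
 * opened file with fstat(), so the verdict describes the object we hold
 * rather than whatever the name resolves to a moment later.
 */
static int hook_trust(const char *path)
{
	struct stat st;
	int res = HOOK_UNTRUSTED;
	/* O_NOFOLLOW rejects symlinks; O_NONBLOCK avoids hanging on a FIFO */
	int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
	if (fd < 0)
		return errno == ENOENT ? HOOK_ABSENT : HOOK_UNTRUSTED;
	if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))
		goto out;
	if (!(st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
		res = HOOK_ABSENT;   /* no exec bit: nothing would run */
	else if (st.st_uid == geteuid() &&
		 !(st.st_mode & (S_IWGRP | S_IWOTH)))
		res = HOOK_TRUSTED;  /* ours, and only we can edit it */
out:
	close(fd);
	return res;
}

/* Constructed fixture: a temporary file stands in for hooks/pre-upload. */
int main(void)
{
	char path[] = "/tmp/pre-upload-XXXXXX";
	int fd = mkstemp(path);
	if (fd < 0)
		return 1;
	fchmod(fd, 0755);
	printf("mode 0755 -> %d\n", hook_trust(path));
	fchmod(fd, 0775);
	printf("mode 0775 -> %d\n", hook_trust(path));
	close(fd);
	unlink(path);
	return 0;
}
```

A caller that uses the hook as an access gate should refuse to serve on HOOK_UNTRUSTED rather than skip the hook, so that a planted file cannot switch the gate off.
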