* [RFC] Single system account for multiple git users
From: Dmitry Potapov @ 2008-06-30 15:11 UTC (permalink / raw)
To: Git Mailing List
Hi,
Using SSH access with restricted git-shell as the login shell and using
the script from update-hook-example.txt works fine, but it requires
that every Git user has a separate system account on the server, which
is often frowned upon by system administrators, who would prefer to have
a single system account for access to the Git repo.
I have looked at gitosis, but it requires a normal shell account for
the git user, which was vetoed by the sysadmin. Also, I found its
configuration more complex than necessary and not flexible enough
to differentiate which branches can have non-fast-forward pushes
and which cannot.
In fact, the simple solution for me would be to have authorized_key
for the git user look like this:
environment="GIT_USER=user1" ssh-rsa USER1-SSH-PUBLIC-KEY
environment="GIT_USER=user2" ssh-rsa USER2-SSH-PUBLIC-KEY
...
In this case, with a one-line change to update-hook-example from
username=$(id -u -n)
to
username="$GIT_USER"
I would get exactly what I want.
However, the environment option in authorized_key works only if
PermitUserEnvironment is set in the sshd configuration, and this option
will allow _all_ users to overwrite their environment, which may not be
desirable in some settings for security reasons.
So, instead, I had to write a simple program, which is placed as
the login shell and interprets the given command as a user name, sets
GIT_USER to it, and invokes git-shell with SSH_ORIGINAL_COMMAND.
Thus authorized_key looks like this:
command="git-su user1" ssh-rsa USER1-SSH-PUBLIC-KEY
command="git-su user2" ssh-rsa USER2-SSH-PUBLIC-KEY
...
But then I realized that it is simpler and more efficient to add
a built-in command to git-shell to do that.
You can see my patch below. I hope it will be useful for people
who want to use git on a server with a single system account for
all git users.
Dmitry
-- 8< --
From: Dmitry Potapov <dpotapov@gmail.com>
Date: Wed, 25 Jun 2008 08:14:22 +0400
Subject: [PATCH] git-shell: add git-su command
git-su interprets the given command as a user name that is set in the
GIT_USER environment variable, and then executes SSH_ORIGINAL_COMMAND as
if it were the command given to git-shell. This makes it possible to have
different values of the GIT_USER variable for different ssh public keys, which is
necessary to have a single system account for many Git users. With this command
the typical authorized_key entry for the git user will look like this:
command="git-su user1" ssh-rsa USER1-SSH-PUBLIC-KEY
command="git-su user2" ssh-rsa USER2-SSH-PUBLIC-KEY
...
The alternative of using the "environment" option in authorized_key may be
problematic, as it requires that the PermitUserEnvironment option be set
in sshd_config; by default this option is not enabled, because it may
allow some users to bypass access restrictions.
Signed-off-by: Dmitry Potapov <dpotapov@gmail.com>
---
I moved the command parsing logic from main() to a separate function
(which makes the patch a bit bigger than it actually is) and then
added do_su_cmd(), which reuses this functionality.
shell.c | 51 ++++++++++++++++++++++++++++++++++-----------------
1 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/shell.c b/shell.c
index 91ca7de..05bd3cc 100644
--- a/shell.c
+++ b/shell.c
@@ -41,6 +41,19 @@ static int do_cvs_cmd(const char *me, char *arg)
return execv_git_cmd(cvsserver_argv);
}
+static int exec_cmd(char *prog);
+
+static int do_su_cmd(const char *me, char *arg)
+{
+ char *cmd = getenv("SSH_ORIGINAL_COMMAND");
+ if (!cmd)
+ die("SSH_ORIGINAL_COMMAND is not set");
+ if (setenv("GIT_USER", arg, 1))
+ die ("setenv failed: %s", strerror(errno));
+ if (unsetenv("SSH_ORIGINAL_COMMAND"))
+ die ("unsetenv failed: %s", strerror(errno));
+ return exec_cmd(cmd);
+}
static struct commands {
const char *name;
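Review bot: do_su_cmd() passes `arg` straight to setenv() with no check; if the dispatcher ever hands it a NULL or empty `arg` (a forced command of just "git-su" with no user name), `setenv("GIT_USER", NULL, 1)` is undefined, so add `if (!arg || !*arg) die("git-su: user name required");` before the setenv. Also, `cmd` points into the process environment and exec_cmd() later writes `prog[3] = '-'` into it, which POSIX does not permit on a getenv() result; pass `xstrdup(cmd)` instead. The unsetenv() of SSH_ORIGINAL_COMMAND is what stops a client from sending "git-su other-user" as its own command and re-mapping its identity on a second pass through the table, so that line deserves a one-line comment saying exactly that.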
@@ -49,28 +62,14 @@ static struct commands {
{ "git-receive-pack", do_generic_cmd },
{ "git-upload-pack", do_generic_cmd },
{ "cvs", do_cvs_cmd },
+ { "git-su", do_su_cmd },
{ NULL },
};
-int main(int argc, char **argv)
+static int exec_cmd(char *prog)
{
- char *prog;
struct commands *cmd;
- /*
- * Special hack to pretend to be a CVS server
- */
- if (argc == 2 && !strcmp(argv[1], "cvs server"))
- argv--;
-
- /*
- * We do not accept anything but "-c" followed by "cmd arg",
- * where "cmd" is a very limited subset of git commands.
- */
- else if (argc != 3 || strcmp(argv[1], "-c"))
- die("What do you think I am? A shell?");
-
- prog = argv[2];
if (!strncmp(prog, "git", 3) && isspace(prog[3]))
/* Accept "git foo" as if the caller said "git-foo". */
prog[3] = '-';
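Review bot: the safety argument for this feature is that exec_cmd() applies the same command table and the same `git foo` to `git-foo` rewrite to a string taken from SSH_ORIGINAL_COMMAND as it did to argv[2], so a client behind a "git-su" forced command is still limited to git-receive-pack, git-upload-pack and cvs; that should be stated in the commit message, since nothing in the hunk says it. The new `{ "git-su", do_su_cmd },` entry is reachable by any caller, not only via the forced command, and it is safe only because do_su_cmd() dies when SSH_ORIGINAL_COMMAND is absent; a short comment beside the entry would make that dependency explicit so a later change does not relax the check. Minor: defining exec_cmd() ahead of the table would remove the need for the forward declaration.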
@@ -91,7 +90,25 @@ int main(int argc, char **argv)
default:
continue;
}
- exit(cmd->exec(cmd->name, arg));
+ return cmd->exec(cmd->name, arg);
}
die("unrecognized command '%s'", prog);
}
+
+int main(int argc, char **argv)
+{
+ /*
+ * Special hack to pretend to be a CVS server
+ */
+ if (argc == 2 && !strcmp(argv[1], "cvs server"))
+ argv--;
+
+ /*
+ * We do not accept anything but "-c" followed by "cmd arg",
+ * where "cmd" is a very limited subset of git commands.
+ */
+ else if (argc != 3 || strcmp(argv[1], "-c"))
+ die("What do you think I am? A shell?");
+
+ return exec_cmd(argv[2]);
+}
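Review bot: `return exec_cmd(argv[2])` only ever returns when the dispatched exec fails, since exec_cmd() otherwise execs or die()s, so the process exit status matches the old `exit(cmd->exec(...))`; a one-line comment on exec_cmd() saying it does not return on success would help the next reader. The relocated block keeps the `argv--` CVS hack and the `if ...; /* comment */ else if` layout verbatim; since the code is moving anyway, placing the comment above the `if` and checking `argc` and `argv` in one place would read better.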
--
1.5.6.1
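The login-shell wrapper described in the message before the author settled on the git-shell patch, written out as an added POSIX sh example (this is not code from the thread or from git itself): it takes the user name from the authorized_keys command= option, exports GIT_USER, drops SSH_ORIGINAL_COMMAND so it cannot be replayed, and hands the client's original request to git-shell, which still applies its own command list. The install path and the GIT_SHELL override are assumptions of this example.

```shell
#!/bin/sh
# git-su as a stand-alone login-shell wrapper (added example, not the C patch
# from the thread). Installed as the forced command for each key:
#   command="/usr/local/bin/git-su alice" ssh-rsa AAAA...
# Assumes git-shell is on PATH or named by GIT_SHELL; both the install path
# and that variable are conventions chosen for this example.

# Accept only a conservative user-name alphabet, so the value hooks read from
# GIT_USER can carry neither shell metacharacters nor a leading option dash.
valid_git_user() {
    case "$1" in
        '') return 1 ;;
        -*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Decide what git-shell will be asked to run. Prints the command on success and
# fails when the user name is bad, when sshd supplied no original command
# (no forced command was in effect), or when the client nests git-su to
# re-map its identity.
git_su_resolve() {
    user=$1
    orig=${SSH_ORIGINAL_COMMAND:-}
    valid_git_user "$user" || { echo "git-su: invalid user name" >&2; return 1; }
    [ -n "$orig" ] || { echo "git-su: SSH_ORIGINAL_COMMAND is not set" >&2; return 1; }
    case "$orig" in
        git-su|git-su\ *|git\ su|git\ su\ *)
            echo "git-su: nested git-su refused" >&2; return 1 ;;
    esac
    printf '%s\n' "$orig"
}

# Export GIT_USER, drop SSH_ORIGINAL_COMMAND so it cannot be replayed, and hand
# the client's request to git-shell, which still enforces its own command list.
git_su_exec() {
    cmd=$(git_su_resolve "$1") || exit 1
    GIT_USER=$1
    export GIT_USER
    unset SSH_ORIGINAL_COMMAND
    exec "${GIT_SHELL:-git-shell}" -c "$cmd"
}

# Act as the wrapper only when invoked under the git-su name, so the file can
# also be sourced (e.g. for testing) without exec'ing anything.
case "$0" in
    */git-su|git-su) git_su_exec "$1" ;;
esac
```

The update hook then reads the identity from GIT_USER exactly as in the one-line change quoted in the message (username="$GIT_USER").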
* Re: [RFC] Single system account for multiple git users
From: Asheesh Laroia @ 2008-06-30 15:59 UTC (permalink / raw)
To: Dmitry Potapov; +Cc: Git Mailing List
On Mon, 30 Jun 2008, Dmitry Potapov wrote:
> Hi,
>
> Using SSH access with restricted git-shell as the login shell and using the
> script from update-hook-example.txt works fine, but it requires that
> every Git user has a separate system account on the server, which is
> often frowned upon by system administrators, who would prefer to have a
> single system account for access to the Git repo.
>
> I have looked at gitosis, but it requires a normal shell account for the
> git user, which was vetoed by the sysadmin. Also, I found its configuration
> more complex than necessary and not flexible enough to differentiate
> which branches can have non-fast-forward pushes and which cannot.
I seem to recall that gitosis works with git-shell. Maybe I'm
mis-remembering, though.
-- Asheesh.
--
QOTD:
Some people have one of those days. I've had one of those lives.
* Re: [RFC] Single system account for multiple git users
From: Jakub Narebski @ 2008-06-30 16:04 UTC (permalink / raw)
To: Dmitry Potapov; +Cc: Git Mailing List
Dmitry Potapov <dpotapov@gmail.com> writes:
> Using SSH access with restricted git-shell as the login shell and using
> the script from update-hook-example.txt works fine, but it requires
> that every Git user has a separate system account on the server, which
> is often frowned upon by system administrators, who would prefer to have
> a single system account for access to the Git repo.
>
> I have looked at gitosis, but it requires a normal shell account for
> the git user, which was vetoed by the sysadmin. [...]
Have you taken a look at ssh_acl from InterfacesFrontendsAndTools
on the Git Wiki?
--
Jakub Narebski
Poland
ShadeHawk on #git
* Re: [RFC] Single system account for multiple git users
From: Dmitry Potapov @ 2008-06-30 16:51 UTC (permalink / raw)
To: Asheesh Laroia; +Cc: Git Mailing List
On Mon, Jun 30, 2008 at 7:59 PM, Asheesh Laroia <asheesh@asheesh.org> wrote:
>
> I seem to recall that gitosis works with git-shell. Maybe I'm
> mis-remembering, though.
I don't see how it is possible for gitosis to work with git-shell.
Besides, the article (which is also mentioned in the Gitosis FAQ in the
section "Creating new repositories and adding users") clearly states:
"The next thing to do is to create a user that will own the repositories
you want to manage. This user is usually called git, but any name will
work, and you can have more than one per system if you really want to.
The user does not need a password, but does need a valid shell
(otherwise, SSH will refuse to work)."
Source: http://scie.nti.st/2007/11/14/hosting-git-repositories-the-easy-and-secure-way
So, I think you misread something.
Dmitry
* Re: [RFC] Single system account for multiple git users
From: Jon Loeliger @ 2008-06-30 16:56 UTC (permalink / raw)
To: Dmitry Potapov; +Cc: Asheesh Laroia, Git Mailing List
Dmitry Potapov wrote:
> "The next thing to do is to create a user that will own the repositories
> you want to manage. This user is usually called git, but any name will
> work, and you can have more than one per system if you really want to.
> The user does not need a password, but does need a valid shell
> (otherwise, SSH will refuse to work)."
Does that just mean that the git-shell program
has to be listed in /etc/shells?
jdl
* Re: [RFC] Single system account for multiple git users
From: Dmitry Potapov @ 2008-06-30 17:05 UTC (permalink / raw)
To: Jakub Narebski; +Cc: Git Mailing List
On Mon, Jun 30, 2008 at 8:04 PM, Jakub Narebski <jnareb@gmail.com> wrote:
>
> Have you took a look at ssh_acl from InterfacesFrontendsAndTools
> from Git Wiki?
I have looked at it, and if I am not mistaken it requires the normal
shell as the login shell.
BTW, the link on the GitWiki is outdated; the new link is
http://www.inf.ufpr.br/ribas/ssh_acl.html
but it practically lacks all documentation, and at the top
of that page you can see:
===================
WARNING
These explanation are outdated!
I already wrote a new version and I'm using
Soon I will update here
===================
My goal was to have something small and simple. I really like git-shell
plus the update hook from the documentation, but that does not allow
having multiple Git users with a single system account.
Dmitry
* Re: [RFC] Single system account for multiple git users
From: Dmitry Potapov @ 2008-06-30 17:07 UTC (permalink / raw)
To: Jon Loeliger; +Cc: Asheesh Laroia, Git Mailing List
On Mon, Jun 30, 2008 at 8:56 PM, Jon Loeliger <jdl@freescale.com> wrote:
>
> Does that just mean that the git-shell program
> has to be listed in /etc/shells?
Whether git-shell should be listed in /etc/shells depends on your
distribution, but it is irrelevant in this case: git-shell will not interpret
the given command, so it won't work.
Dmitry
* Re: [RFC] Single system account for multiple git users
From: Melchior FRANZ @ 2008-07-01 8:55 UTC (permalink / raw)
To: git
* Dmitry Potapov -- Monday 30 June 2008:
> [...] but it requires that every Git user has a separate system
> account on the server, which is often frowned upon by system
> administrators, who would prefer to have a single system account
> for access to the Git repo.
Indeed. This is, AFAIK, the main reason why git might not be used
by a project where I'm a contributor. gitosis could help here, but
I guess that a built-in solution would be preferred. An external
addon looks a bit like a band-aid. ;-)
m.
* Re: [RFC] Single system account for multiple git users
From: Dmitry Potapov @ 2008-07-02 14:45 UTC (permalink / raw)
To: Melchior FRANZ; +Cc: git
On Tue, Jul 01, 2008 at 10:55:50AM +0200, Melchior FRANZ wrote:
>
> Indeed. This is, AFAIK, the main reason why git might not be used
> by a project where I'm a contributor. gitosis could help here, but
> I guess that a built-in solution would be preferred. An external
> addon looks a bit like a band-aid. ;-)
Yes, and they impose their own access control model, which is
different from what you normally have using git-shell. So, the purpose
of my patch was to provide the absolutely minimal change to git-shell
which allows having a central Git server with multiple Git users under
one system account. I guess that most Git developers do not use Git in
this configuration, so they are not very interested in this patch. But
there are projects where having a central repo is a strict requirement
(usually justified by having a centralized place to back up all sources,
the difficulty of exchanging patches by email, especially in great volume, and
the impossibility of direct connections due to firewalls, etc.).
So, I believe that my patch (or something simple like that) could help
Git gain wider adoption.
Thanks,
Dmitry