* how to restrict git to specific non-root superuser
From: Neal Kreitzinger @ 2012-05-05 1:48 UTC (permalink / raw)
To: git
I work on systems where 'everyone' has the root password (that problem
is somewhat out of my hands). Is there a technique to set up git so that
only a certain non-root superuser (i.e., gittech) is allowed to run git
commands? I don't want people logged in as root to mess up the git repos.
I'm considering using git for deployment and some anonymous root user
messing it up would be a very, very bad thing. Maybe this proposition
is theoretically impossible. Maybe someone has implemented this concept
in practice.
v/r,
neal
* Re: how to restrict git to specific non-root superuser
From: Neal Kreitzinger @ 2012-05-05 3:29 UTC (permalink / raw)
Cc: git
On 5/4/2012 8:48 PM, Neal Kreitzinger wrote:
> I work on systems where 'everyone' has the root password (that problem
> is somewhat out of my hands). Is there a technique to set up git so that
> only a certain non-root superuser (i.e., gittech) is allowed to run git
> commands? I don't want people logged in as root to mess up the git repos.
>
> I'm considering using git for deployment and some anonymous root user
> messing it up would be a very, very bad thing. Maybe this proposition
> is theoretically impossible. Maybe someone has implemented this concept
> in practice.
>
I'm thinking a way to achieve this effect is:

install git under the home dir of the 'gittech' user and add that path
only to the PATH of 'gittech'.

have the git repos under the 'gittech' home dir with worktree(s)
assigned to deployment locations. If people mess with the worktrees I
will be able to tell with git status via 'gittech'.

v/r,
neal
* Re: how to restrict git to specific non-root superuser
From: Sitaram Chamarty @ 2012-05-05 5:07 UTC (permalink / raw)
To: Neal Kreitzinger; +Cc: git
On Sat, May 5, 2012 at 8:59 AM, Neal Kreitzinger <nkreitzinger@gmail.com> wrote:
> On 5/4/2012 8:48 PM, Neal Kreitzinger wrote:
>>
>> I work on systems where 'everyone' has the root password (that problem
>> is somewhat out of my hands). Is there a technique to set up git so that
>> only a certain non-root superuser (i.e., gittech) is allowed to run git
>> commands? I don't want people logged in as root to mess up the git repos.

Move /usr/bin/git to some other name and replace it with this shell script:

    #!/bin/bash
    # scary message
    echo 'running: rm -rf /'
    # lots of disk activity
    find / >/dev/null 2>&1

Jokes apart, even though you said it is out of your hands, you
actually have a very serious problem. There are no shortcuts to that
one until you get burnt.
Meanwhile, you could add 'update' as well as 'pre-commit' hooks (and
possibly several others; check 'man githooks') using code that checks
the effective userid and aborts if it is root.
("aborts" in a hook generally means the equivalent of "exit 1" but again,
please check "man githooks" for details).
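The hook check suggested in the last message, written out as an added example that is not part of the original thread: one script meant to be installed as both `hooks/pre-commit` and `hooks/update`. The `ALLOWED_USER` variable and the `check_git_user` function are assumed names, and restricting to the single 'gittech' account goes one step beyond the root-only check the message describes.

```shell
#!/bin/sh
# Added example: one script installed as both hooks/pre-commit and hooks/update.
# ALLOWED_USER is an assumption taken from the 'gittech' account in the thread.
ALLOWED_USER="gittech"

# check_git_user EUID NAME
# Returns 0 when the caller may proceed, 1 when the hook should abort.
check_git_user() {
    euid=$1
    name=$2
    # The check suggested in the thread: abort when the effective uid is root.
    if [ "$euid" -eq 0 ]; then
        echo "git hook: refusing to run as root; use the $ALLOWED_USER account" >&2
        return 1
    fi
    # Extension beyond the thread: allow only the designated account.
    if [ "$name" != "$ALLOWED_USER" ]; then
        echo "git hook: user '$name' is not $ALLOWED_USER; aborting" >&2
        return 1
    fi
    return 0
}

# Enforce only when git invokes this file under a hook name, so the
# function can also be sourced or tested without side effects.
case "${0##*/}" in
    pre-commit|update)
        # id -u / id -un report the effective uid and its user name.
        check_git_user "$(id -u)" "$(id -un)" || exit 1
        ;;
esac
```

Hooks run with the privileges of whoever invokes git, and root can still edit or skip them, so this catches accidental use as root rather than enforcing a boundary.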