undef/git-commit-vandalism
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
88e2f9ed8e
git-commit-vandalism/Documentation/git-shell.txt
Jeff King 9a42c03cb7 shell: drop git-cvsserver support by default 
The git-cvsserver script is old and largely unmaintained
these days. But git-shell allows untrusted users to run it
out of the box, significantly increasing its attack surface.

Let's drop it from git-shell's list of internal handlers so
that it cannot be run by default.  This is not backwards
compatible. But given the age and development activity on
CVS-related parts of Git, this is likely to impact very few
users, while helping many more (i.e., anybody who runs
git-shell and had no intention of supporting CVS).

There's no configuration mechanism in git-shell for us to
add a boolean and flip it to "off". But there is a mechanism
for adding custom commands, and adding CVS support here is
fairly trivial. Let's document it to give guidance to
anybody who really is still running cvsserver.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-09-12 11:05:58 +09:00

107 lines
2.9 KiB
Plaintext
Raw Blame History

git-shell(1)
============
NAME
----
git-shell - Restricted login shell for Git-only SSH access
SYNOPSIS
--------
[verse]
'chsh' -s $(command -v git-shell) <user>
'git clone' <user>`@localhost:/path/to/repo.git`
'ssh' <user>`@localhost`
DESCRIPTION
-----------
This is a login shell for SSH accounts to provide restricted Git access.
It permits execution only of server-side Git commands implementing the
pull/push functionality, plus custom commands present in a subdirectory
named `git-shell-commands` in the user's home directory.
COMMANDS
--------
'git shell' accepts the following commands after the `-c` option:
'git receive-pack <argument>'::
'git upload-pack <argument>'::
'git upload-archive <argument>'::
Call the corresponding server-side command to support
the client's 'git push', 'git fetch', or 'git archive --remote'
request.
'cvs server'::
Imitate a CVS server. See linkgit:git-cvsserver[1].
If a `~/git-shell-commands` directory is present, 'git shell' will
also handle other, custom commands by running
"`git-shell-commands/<command> <arguments>`" from the user's home
directory.
INTERACTIVE USE
---------------
By default, the commands above can be executed only with the `-c`
option; the shell is not interactive.
If a `~/git-shell-commands` directory is present, 'git shell'
can also be run interactively (with no arguments). If a `help`
command is present in the `git-shell-commands` directory, it is
run to provide the user with an overview of allowed actions. Then a
"git> " prompt is presented at which one can enter any of the
commands from the `git-shell-commands` directory, or `exit` to close
the connection.
Generally this mode is used as an administrative interface to allow
users to list repositories they have access to, create, delete, or
rename repositories, or change repository descriptions and
permissions.
If a `no-interactive-login` command exists, then it is run and the
interactive shell is aborted.
EXAMPLE
-------
To disable interactive logins, displaying a greeting instead:
----------------
$ chsh -s /usr/bin/git-shell
$ mkdir $HOME/git-shell-commands
$ cat >$HOME/git-shell-commands/no-interactive-login <<\EOF
#!/bin/sh
printf '%s\n' "Hi $USER! You've successfully authenticated, but I do not"
printf '%s\n' "provide interactive shell access."
exit 128
EOF
$ chmod +x $HOME/git-shell-commands/no-interactive-login
----------------
To enable git-cvsserver access (which should generally have the
`no-interactive-login` example above as a prerequisite, as creating
the git-shell-commands directory allows interactive logins):
----------------
$ cat >$HOME/git-shell-commands/cvs <<\EOF
if ! test $# = 1 && test "$1" = "server"
then
echo >&2 "git-cvsserver only handles \"server\""
exit 1
fi
exec git cvsserver server
EOF
$ chmod +x $HOME/git-shell-commands/cvs
----------------
SEE ALSO
--------
ssh(1),
linkgit:git-daemon[1],
contrib/git-shell-commands/README
GIT
---
Part of the linkgit:git[1] suite
Reference in New Issue View Git Blame Copy Permalink