GNU Rush
Restricted User Shell
Sergey Poznyakoff
Remote access to Git repositories over ssh causes execution of git-receive-pack and git-upload-pack on the server.
The simplest rule for Git is:

rule git
  command ^git-(receive|upload)-pack
  transform[0] s|^|/usr/bin/|

The transform action is necessary to ensure that the Git binaries are run from the proper location. This example supposes they are placed in /usr/bin; you will have to tailor it if they are located elsewhere on your system.
To limit Git access to repositories under the /gitroot directory, use the match[1] construct, as shown in the example below:

rule git
  command ^git-(receive|upload)-pack
  match[1] ^/gitroot[^ ]+\.git$
  transform[0] s|^|/usr/bin/|

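The match[1] pattern above is a string match, not a path check: it accepts any argument that starts with /gitroot and ends in .git, including sibling directories and paths with .. components. The Python sketch below is an added example, not part of the GNU Rush manual; it approximates Rush's word splitting with shlex, STRICT_PATH_RE is an assumed tighter pattern, and the sample requests are constructed.

```python
import re
import shlex

COMMAND_RE = r"^git-(receive|upload)-pack"   # 'command' pattern from the page
PAGE_PATH_RE = r"^/gitroot[^ ]+\.git$"       # match[1] pattern from the page
# Assumption: a stricter, ERE-compatible pattern (not from the Rush manual).
# It requires a "/" right after /gitroot, and every path component must start
# with a letter, digit or underscore, so ".." components cannot match.
STRICT_PATH_RE = r"^/gitroot(/[A-Za-z0-9_][A-Za-z0-9._-]*)+\.git$"


def rule_matches(command_line, path_re):
    """Approximate the rule: 'command' sees the whole line, match[1] sees word 1."""
    try:
        argv = shlex.split(command_line)  # stand-in for Rush's own word splitting
    except ValueError:                    # unbalanced quotes: treat as no match
        return False
    if len(argv) < 2:
        return False
    return bool(re.search(COMMAND_RE, command_line)) and bool(
        re.search(path_re, argv[1])
    )


# Constructed sample requests, in the form the Git client sends them over ssh.
SAMPLES = [
    "git-upload-pack '/gitroot/project.git'",
    "git-receive-pack '/gitroot/team/project.git'",
    "git-upload-pack '/gitroot-private/project.git'",
    "git-upload-pack '/gitroot/../srv/other/project.git'",
    "git-upload-pack '/home/alice/project.git'",
]


def compare(samples=SAMPLES):
    """Return (request, accepted by page pattern, accepted by strict pattern)."""
    return [
        (s, rule_matches(s, PAGE_PATH_RE), rule_matches(s, STRICT_PATH_RE))
        for s in samples
    ]


if __name__ == "__main__":
    for line, page, strict in compare():
        print(f"page={page!s:5} strict={strict!s:5} {line}")
```

Requests where the two columns differ are ones the page's pattern would hand to Git even though they resolve outside /gitroot.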
To provide more helpful error messages, you may follow this rule with a trap rule (see trap rules):

# Trap the rest of Git requests:
rule git-trap
  command ^git-.+
  exit fatal: access to this repository is denied.

This document was generated on October 1, 2016 using makeinfo.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.