GNU Rush – a restricted user shell (split by node):   Section:   Chapter:FastBack: Usage Tips   Up: Usage Tips   FastForward: Test Mode   Contents: Table of ContentsIndex: Concept Index

6.6 git

Remote access to Git repositories over ssh causes execution of git-receive-pack and git-upload-pack on the server. The simplest rule for Git is: 

rule git
  set $command ~ "^git-(receive|upload)-pack"
  set [0] =~ "s|^|/usr/bin/|"

The set action is necessary to ensure the proper location of Git binaries to use. This example supposes they are placed in /usr/bin, you will have to tailor it if they are located elsewhere on your system.

To limit Git accesses to repositories under /gitroot directory, modify the ‘$1’, as shown in the example below: 

rule git
  match $command ~ "^git-(receive|upload)-pack"
  set [1] =~ "^/gitroot[^ ]+\.git$"
  set [0] =~ "s|^|/usr/bin/|"

To provide more helpful error messages, you may follow this rule by a trap rule (see trap rules): 

# Trap the rest of Git requests:
rule git-trap
  match $command ~ "^git-.+"
  exit "fatal: access to this repository is denied."

This document was generated on January 2, 2022 using makeinfo.

Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.