Restricted User Shell
Remote access to Git repositories over ssh causes execution of
git-upload-pack on the server.
The simplest rule for Git is:
    rule git
      command ^git-(receive|upload)-pack
      transform s|^|/usr/bin/|
The transform action is necessary to ensure that the Git binaries
are run from the proper location. This example assumes they are
installed in /usr/bin; you will have to tailor it if they are located
elsewhere on your system.
To limit Git access to repositories under the /gitroot directory, use
the match construct, as shown in the example below:
    rule git
      command ^git-(receive|upload)-pack
      match ^/gitroot[^ ]+\.git$
      transform s|^|/usr/bin/|
To provide more helpful error messages, you may follow this rule by a trap rule (see trap rules):
    # Trap the rest of Git requests:
    rule git-trap
      command ^git-.+
      exit fatal: access to this repository is denied.
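Before deploying these rules, it helps to check which requests the patterns actually admit. The following is an added example, not part of the original manual or of Rush itself: a small Python model of the git rule followed by git-trap, run over constructed request lines. It assumes the match pattern is tested against the first argument after shell-style word splitting; the names evaluate and needs_review are hypothetical.

```python
import re
import shlex

# Patterns copied from the rules on this page (same meaning in Python's re).
COMMAND_RE = re.compile(r"^git-(receive|upload)-pack")
MATCH_RE = re.compile(r"^/gitroot[^ ]+\.git$")
TRAP_RE = re.compile(r"^git-.+")
BIN_PREFIX = "/usr/bin/"  # effect of: transform s|^|/usr/bin/|
TRAP_MSG = "fatal: access to this repository is denied."


def evaluate(command_line):
    """Model the 'git' rule, then the 'git-trap' rule.

    Assumption: the match pattern is applied to the first argument
    after word splitting, with the quotes Git adds removed.
    Returns ("exec", command), ("trap", message) or ("nomatch", None).
    """
    words = shlex.split(command_line)
    arg = words[1] if len(words) > 1 else ""
    if COMMAND_RE.search(command_line) and MATCH_RE.search(arg):
        return ("exec", BIN_PREFIX + command_line)
    if TRAP_RE.search(command_line):
        return ("trap", TRAP_MSG)
    return ("nomatch", None)


def needs_review(path):
    """Flag paths the pattern may admit although they are not plainly
    inside /gitroot/: a '..' component or a sibling such as /gitroot-old."""
    return ".." in path.split("/") or not path.startswith("/gitroot/")


# Constructed sample requests, in the form an ssh Git client sends them.
SAMPLES = [
    "git-upload-pack '/gitroot/project.git'",
    "git-receive-pack '/gitroot/team/project.git'",
    "git-upload-pack '/home/user/private.git'",
    "git-upload-archive '/gitroot/project.git'",
    "git-upload-pack '/gitroot/../srv/other.git'",
    "git-upload-pack '/gitroot-old/project.git'",
    "ls -l",
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict, _ = evaluate(line)
        path = shlex.split(line)[1]
        note = " (review pattern)" if verdict == "exec" and needs_review(path) else ""
        print(f"{verdict:8} {line}{note}")
```

The last two Git samples are accepted by the pattern as written, because it tests a string prefix rather than path containment. Requiring a slash after gitroot and handling ".." components is a site-specific tightening to consider.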
This document was generated on October 1, 2016 using makeinfo.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.