6.6 git

Remote access to Git repositories over ssh causes execution of git-receive-pack and git-upload-pack on the server. The simplest rule for Git is:

 
rule git
  command ^git-(receive|upload)-pack
  transform[0] s|^|/usr/bin/|

The transform action prefixes the command with the directory that holds the Git binaries, so that the intended binaries are the ones executed. This example assumes they are installed in ‘/usr/bin’; adjust it if they are located elsewhere on your system.

To limit Git access to repositories under the ‘/gitroot’ directory, use the match[1] construct, as shown in the example below:

 
rule git
  command ^git-(receive|upload)-pack
  match[1] ^/gitroot/[^ ]+\.git$
  transform[0] s|^|/usr/bin/|
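
A match[1] pattern is an allow-list, so it should be checked against paths it must reject as well as paths it must accept. The following Python check is an added example, not part of the Rush documentation; the sample paths are constructed, and the "strict" pattern assumes that repository path components start with a letter, digit or underscore.

```python
import re

# Candidate match[1] patterns. They use only regex syntax that behaves
# the same in POSIX extended regexps and in Python's re module.
PATTERNS = {
    "no-separator": r"^/gitroot[^ ]+\.git$",
    "separator": r"^/gitroot/[^ ]+\.git$",
    # Assumption: every path component starts with a letter, digit or
    # underscore, so "." and ".." can never appear as a component.
    "strict": r"^/gitroot/([A-Za-z0-9_][A-Za-z0-9_.-]*/)*"
              r"[A-Za-z0-9_][A-Za-z0-9_.-]*\.git$",
}

# Constructed argument values, paired with whether the policy
# "only repositories under /gitroot" should allow them.
CASES = [
    ("/gitroot/proj.git", True),
    ("/gitroot/team/proj.git", True),
    ("/gitroot-private/proj.git", False),        # sibling directory
    ("/gitroot/../home/alice/proj.git", False),  # leaves /gitroot via ".."
    ("/gitroot/proj", False),                    # no .git suffix
]


def violations(pattern):
    """Return the paths where the pattern's verdict differs from policy."""
    rx = re.compile(pattern)
    return [path for path, allowed in CASES
            if bool(rx.search(path)) != allowed]


def audit():
    """Map each candidate pattern name to its list of policy mismatches."""
    return {name: violations(p) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, bad in audit().items():
        verdict = "OK" if not bad else "mismatch: " + ", ".join(bad)
        print(f"{name:13} {verdict}")
```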

To provide more helpful error messages, you may follow this rule with a trap rule (see section trap rules):

 
# Trap the rest of Git requests:
rule git-trap
  command ^git-.+
  exit fatal: access to this repository is denied.