How to make a git repository read-only?
I have some git repositories accessed remotely through SSH and I want to make some of them read-only to prevent more pushes. Some people have remotes pointing to these repositories.
These bare repositories were initialised --shared=group, so is setting file permissions to 660 for all files good enough to still allow SSH access, but disallow writes? Or is there an easier way?
Cheers.
Answer
There is more than one possible way to do this.
If your users each have a shell account (perhaps limited), and each of them accessing git repositories via their own account, you can use filesystem permissions to control SSH access to git repositories. On Unix those would be write permissions on directories, perhaps with the help of creating a group and specific permissions for a group (with "sticky group ID" set).
Pushing requires
git-receive-packto be in $PATH of user, and be executable for them... although I am not sure how feasible this approach would be.You can use
updateorpre-receivehook to do access control to repository, for example using update-paranoid example hook fromcontrib/hooksin git sources.With larger number of users you could be better with using a tool to manage access to git repositories, like Gitosis (in Python, requires setuptools) or Gitolite (in Perl).
For read only access you can setup git daemon to provide read-only anonymous (and unauthenticated) access via
git://protocol, instead of access via SSH protocol.See documentation for
url.<base>.insteadOfconfig variable for a way to ease the transition from SSH to GIT protocol.
See also Chapter 4. "Git on the Server" of Pro Git book by Scott Chacon (CC-BY-NC-SA licensed).