10

Suppose that there is a remote Git repository R on a Linux server. R is owned by a user U for which a remote login via SSH is not allowed at all (e.g. root). Neither password-based nor key-based authentication is available for that user. What is allowed, however, is logging on as a different user and then using su or sudo to issue commands as U.

Is it possible to combine these two methods so that Git will use su or sudo on the remote server in order to access the repository?

Alternatively, is there another method to access R without changing its access permissions or enabling SSH logins for U?

P.S.: I don't mind having to type passwords manually e.g. at an su prompt, as long as Git handles the rest.

EDIT:

It seems from the comments that I need to clarify my reason for wanting to do something like this. The files tracked by R are system files that are in use by the server in question - R is not a bare repository. That means that the repository cannot really be moved, not without a lot of trickery.

Getting Git to use sudo would allow R to be accessed using the same security model that protects these files, rather than through a separate avenue that would have to be configured and synchronized separately.

thkala
  • 84,049
  • 23
  • 157
  • 201
  • 1
    I guess pulling changes in - from the perspective of the server - is not what you want? Because this is what i would strongly recommend. Server processes should never run as root and only humans should be able to login and gain super-user-rights. – Florian Neumann May 09 '14 at 10:36
  • 1
    @florianb: To be honest, I'd rather not have to login manually on that server and then `su` just to use the VCS... I suppose I could use an `expect` script or something, but if Git can be configured to do it on its own, I'd prefer that... – thkala May 09 '14 at 20:59
  • i see. Thanks. Sou you would only like to use your server as ordinary repo-host? – Florian Neumann May 09 '14 at 21:25

4 Answers4

9

Oh, you can do

git config remote.origin.uploadpack "sudo -u U git-upload-pack"

to get git fetch to use sudo for the remote called origin.

You'd need to ensure sudo is set up to allow this user to execute this command with no password, as I see no way to prompt for password.

Source:

I found myself wanting to do a somewhat similar thing, and found this nugget thoroughly buried in man git-config

I should point out that this does only half the job as I needed only git fetch to work. I imagine you could do a similar thing with remote.origin.receivepack in order to get git push to work but I have not tried that.

eli
  • 91
  • 1
6

What is easier is to establish another listener than the sshd dameon: setup an Apache, which:

That way, you don't have to worry about sudo and su.

And you can couple that with an authentication step if you want.

<Location /git>
  AuthType Basic
  AuthName "Private Git Access"
  AuthUserFile "/etc/git-auth-file"
  Require valid-user
</Location>

You even can add authorization with gitolite.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • To be honest I was hoping for an answer along the lines of "oh, you can run `git config remote.shell "sudo -u U git-shell"` to get `git` to use `sudo`"... – thkala May 16 '14 at 15:38
  • In any case, this would be the proper solution in most cases and it might even work for me if used along with an SSH tunnel or two. I'll award the bounty to this answer, but I'll hold-off accepting in case I find a solution closer to what I would like to see happen. – thkala May 16 '14 at 15:40
  • Run apache as root? Please do not advise people to do that. – Paul Hedderly Jun 09 '21 at 15:18
  • @PaulHedderly I must have forgotten to take my pills that day. I will edit the answer. – VonC Jun 09 '21 at 15:20
2

Git comes already with some server-features to make repositories accessible for client users. One serving solution which seems to fit your needs best is using the git-shell.

The git-shell allows you tie ssh-users up with git-repositories. After successful authentification these users end up in the git-shell which prohibits shell-operations but - if accessed through a git client - gives full access to the hosted repositories.

The only thing you must do is:

  1. Go to the /etc/passwd on your server

  2. Find the line of the user you want give git-access (probably its name is git)

    Warning: Do not change the entry of your current user! You won't be able to log in via shell anymore!

  3. Change the shell-reference of that user from (f.e.) /bin/bash to /usr/bin/git-shell (the specific paths depend on the configuration of your system).

The set-up-procedure for such a scenario is in detail described in the pro git book.

To enhance gits simple serving features (in the future) with rights management, you may use gitolite - which uses the gitolite-shell (and replaces the git-shell) to provide it's magic superpowers.

Florian Neumann
  • 5,587
  • 1
  • 39
  • 48
  • That sounds like an overly complicated solution to a simple problem. I only need to access one repository - I do not believe the complexity of `gitolite` is warranted, not to mention that I would have to reconfigure a lot of additional systems to get it working. – thkala May 16 '14 at 15:32
  • @thkala as i mentioned in my answer use just `git-shell`. If you realize that you need more serving-features, you may extend it using gitolite. – Florian Neumann May 16 '14 at 15:37
  • `git-shell` is only usable if the user account in question may only be used for Git. `U` in my case is a proper shell account with several privileges beyond that of a normal user. – thkala May 16 '14 at 15:47
  • I apprehended from your question, that you're able to login with a different user and i apparently mistakenly thought that you might be able to create a user which you may use to access your git-repo via ssh. I also thought you have root-access since you're talking about su-rights. – Florian Neumann May 16 '14 at 15:56
  • Creating more system users just to access a single Git repository would soon become a mess - I would need an additional user for each normal user that is allowed to access that repository via `sudo` to preserve the same degree of access control granularity and logging. – thkala May 16 '14 at 16:05
  • Using a single ssh-user for multiple human users is [common sense](http://security.stackexchange.com/questions/34216/how-to-secure-ssh-such-that-multiple-users-can-log-in-to-one-account) - especially in the git-environment. However you're just moving administration effort around. – Florian Neumann May 16 '14 at 16:22
  • You are right, it *is* moving effort around - although either SSH keys or SSH users make little difference if there is a suitably automated management system. The main issue in my case is that `sudo` is *already* configured - I'd rather avoid duplicate configuration if I can... – thkala May 16 '14 at 17:56
0

A very simple solution would be to git clone the repo into the "different user" (which I'll call U2)'s directory, and then use ssh access against that repo. git is a decentralized VCS, so there's no such thing as an "owning" repo. All repositories are on equal footing.

You could either occasionally manually push changes from the U2 repo back into the U repo using sudo from the remote machine or you could even setup a post-commit hook which automatically pushes changes to the U2 repo back to the original U repo. The post-commit hook would work fine as long as no one else is directly modifying the U repo.

If you do have someone directly modifying the U repo, then someone will need to pull in the changes either in the U2 repo or the U repo and merge them on a regular basis. Depending on the scope of these changes, the merges could be trivial or complex. However, I'd recommend just disallowing anyone to directly modify the U repo unless you have a good reason for it. In this particular scenario, the U2 repo becomes the de facto authoritative repo, anyway. So in some sense you could drop the original U repo all together.

This is in fact the other simple approach to take which is to simply make the U repo directly accessible to the U2 user by moving it. I know you said in your question that you didn't want to modify the original permissions, but this sounds like a silly and very non-standard arrangement for the repo. The whole point of a git repo is to make it available for changes, and if you can't do that simply, then I would say your initial configuration is flawed.

b4hand
  • 9,550
  • 4
  • 44
  • 49
  • If I have to `sudo` manually to user U, I might as well reverse the flow and issue a `git pull` from my client system without an intermediate repository. In any case, the whole point of hiding the repository behind `sudo` is due to it containing sensitive information that should not be accessible to other users... – thkala May 16 '14 at 15:28
  • How can you secure access to the git repo on your client machines? You run into the exact same problem. Your security model seems flawed. Hiding it behind sudo is futile if you allow any client access. And if you don't allow client access to it, the repo itself is useless. – b4hand May 16 '14 at 15:37
  • The Git clients are not really a concern in this case (or within the scope of this question, if you wish) because they are far more isolated network-wise. But yes, the whole point of the question is to (hopefully) find a way to *not* allow client access without `sudo`. – thkala May 16 '14 at 16:08
  • Your question is not very clear on your intent. It sounds like what you really want is a non-root https service running in a chroot jail that contains the `git` repo. Run this machine in the same network isolation as your clients, and you'll be fine. It still sounds like your repo is in the wrong place for your security model. Personally, I wouldn't store material that I truly consider sensitive in a git repo unless it was encrypted. – b4hand May 16 '14 at 16:22
  • I edited the question to clarify my intent. In retrospect, I should have been more clear - without the clarification it probably seems quite a bit like a [XY problem](http://mywiki.wooledge.org/XyProblem). – thkala May 16 '14 at 18:10
  • Yes, very much so, thank you for the clarification; although, this doesn't really sound like a programming question anymore. Probably better suited for serverfault, etc. – b4hand May 17 '14 at 00:09