I have a server with six Git repositories, to which I have read+write access through a single SSH account, all in /opt/git/, all owned by the SSH account.

I'd like to give somebody else read+write access to a few of the repositories, but not to all.

  • How do I create a new SSH user that has access to only a few select repositories?
  • Can I use file permissions (currently 0755) to control this type of access?
  • Are there any best practices?

It's unlikely we'll have a third developer for quite a while, at least not before we get a proper sysadmin, so it's okay if it's "good enough for now".

Martijn

1 Answer

That would be best managed by gitolite (an authorization layer), which would allow you to configure a list of:

  • ssh user keys
  • repositories

And associate the users you want to the right repos.

All users would still access those repos through ssh with the account git, but using their own public/private ssh keys (registered in gitolite config file), generated with a command similar to:

ssh-keygen -t rsa -f "${H}/.ssh/myLogin" -C "My Gitolite access (not interactive)" -q -P ""

Each user would set up a %HOME%/.ssh/config file in order to reference myLogin/myLogin.pub keys.

VonC
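
As an added illustration of the answer above (not part of the original post, and not VonC's own configuration): a `conf/gitolite.conf` that gives a second developer read+write access to two of six repositories. The user names `owner` and `newdev` and all repository names are assumed placeholders.

```conf
# conf/gitolite.conf in the gitolite-admin repository (constructed example).
# Gitolite takes user names from the public key file names:
#   keydir/owner.pub   -> user "owner"
#   keydir/newdev.pub  -> user "newdev"
# Both users connect as the same SSH account (git); gitolite tells them
# apart by the key they present.

# Placeholder names standing in for the six repositories.
@shared  = website api-client
@private = billing infra deploy docs

# Only the owner may change access rules or add keys.
repo gitolite-admin
    RW+ = owner

# The second developer can clone and push here, but cannot
# force-push or delete branches (that needs the "+").
repo @shared
    RW+ = owner
    RW  = newdev

# newdev is not listed, so gitolite refuses both clone and push.
repo @private
    RW+ = owner
```

Access is changed by committing this file and the key files to the `gitolite-admin` repository and pushing.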
  • Problem with gitolite is that it takes quite a while to set up and configure. I'd prefer something a little bit simpler. – Martijn Apr 23 '13 at 19:43
  • @Martijn no, it takes a few seconds only. I have one installation automated (https://github.com/VonC/compileEverything/blob/master/gitolite/install_or_update_gitolite.sh), but even manually it is only two commands, after having cloned the gitolite repo (as in http://stackoverflow.com/a/13646524/6309). – VonC Apr 23 '13 at 19:46
  • I guess I'll try it. Noticed you also had scripts for GitLab, which has a UI. What would you advise for somebody with limited sysadmin skills? – Martijn Apr 24 '13 at 06:55
  • @Martijn Gitolite first, GitLab 5.1 second (it doesn't use Gitolite, but its own authorization layer) – VonC Apr 24 '13 at 06:57
  • OK, so `Gitolite` after all. Thanks @VonC for the links, I'll check it out and experiment – RocketNuts Apr 17 '20 at 08:08