15

Is there any way to block code push directly to master? I tried adding a script in .git/hooks/update:

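#!/bin/sh
# update hook: $1 is the name of the ref being pushed
if [ "$USER" != "git-repo-admin" ];
then
  # "=" is the portable string comparison in sh ("==" is a bashism)
  if [ "$1" = refs/heads/master ];
  then
    echo "Manual pushing to this repo is restricted"
    exit 1
  fi
fi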

But this doesn't work - Everybody can still push. I want to allow only specific users to push to master and block others.

zb226
Mitul
  • 1
    If your purpose is to review the code changes before they reach the master repository you might find gerrit interesting https://code.google.com/p/gerrit/ – Simon Sep 26 '13 at 07:44
  • 2
    That hook looks OK. Two questions though: (1) why `.git/`, a "push"-receiving repo should usually be `--bare`; (2) did you make sure the hook is executable (chmod +x)? (What happens if you run it manually, as `./.git/hooks/update refs/heads/master` for instance?) – torek Sep 26 '13 at 07:45

3 Answers

13

The original script was perfect, I just needed to rename it from .git/hooks/update.sample to .git/hooks/update on the remote server and make sure it's executable.

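#!/bin/sh
# update hook: $1 is the name of the ref being pushed
if [ "$USER" != "git-repo-admin" ];
then
  # "=" is the portable string comparison in sh ("==" is a bashism)
  if [ "$1" = refs/heads/master ];
  then
    echo "Manual pushing to this repo is restricted"
    exit 1
  fi
fi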
zb226
Mitul
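The hook discussed above, generalized to an allowlist of users and a list of protected refs, as an added example that is not code from the original posts. The variable names `ALLOWED_USERS` and `PROTECTED_REFS` and the helper functions are assumptions for illustration, and it assumes each pusher logs in over SSH with an individual account so that `$USER` identifies them.

```shell
#!/bin/sh
# Added example (not from the original post): update hook with an allowlist.
# Git runs hooks/update once per pushed ref as: update <refname> <oldrev> <newrev>
# Assumption: $USER is the account of the person pushing (individual SSH logins).

ALLOWED_USERS="git-repo-admin"      # space-separated; name taken from the question
PROTECTED_REFS="refs/heads/master"  # space-separated full ref names

# in_list WORD LIST: succeeds if WORD is one of the space-separated items in LIST
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# push_allowed USER REFNAME: succeeds if USER may update REFNAME
push_allowed() {
    in_list "$2" "$PROTECTED_REFS" || return 0   # unprotected ref: anyone may push
    [ -n "$1" ] || return 1                      # empty/unset user: fail closed
    in_list "$1" "$ALLOWED_USERS"
}

# Hook entry point: runs only when Git invokes the script with its three arguments
if [ "$#" -eq 3 ]; then
    if ! push_allowed "${USER:-}" "$1"; then
        # Hook output is relayed to the pushing client, prefixed with "remote:"
        echo "Manual pushing to $1 is restricted" >&2
        exit 1
    fi
fi
```

Install it as `hooks/update` in the receiving repository and make it executable; a non-zero exit rejects only the ref being checked, so other refs in the same push are still evaluated individually.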
6

Using git hooks to control access might be useful as a once-off hack but can be a slippery slope leading to a hard-to-maintain git server configuration.

Thus, I would recommend setting up gitolite, which is precisely done for this kind of access control.
It manages bare repos (which are good for pushing).

You can find an example of preventing a push in a branch in "Gitolite permissions on branches":

repo @project
    RW+        = @git-repo-admin
    R   master = @developers
    -   master = @developers
    RW+        = @developers

Gitolite can rely on ssh for the authentication part, and automate the public key registration process.

But without Gitolite, you still can protect read/write access to a Git repo using ssh only, as described in "Git on the Server - Setting Up the Server" of the Pro Git Book (as mentioned by Anthony Geoghegan in the comments)

As an extra precaution, you can easily restrict the 'git' user to only doing Git activities with a limited shell tool called git-shell that comes with Git.
If you set this as your 'git' user’s login shell, then the 'git' user can’t have normal shell access to your server. To use this, specify git-shell instead of bash or csh for your user’s login shell. To do so, you’ll likely have to edit your /etc/passwd file.

Community
VonC
  • @AnthonyGeoghegan Good point (about Git on Server, before your edit). I have included it in the answer for more visibility. – VonC May 13 '14 at 11:49
  • @AnthonyGeoghegan Gitolite uses git hooks, but facilitates their maintenance by managing them in a dedicated repo (`gitolite-admin`). The setup is really easy. – VonC May 13 '14 at 11:55
  • 1
    Having only needed simple features from shared git repositories, I used a modified version of Scott Chacon's http://git-scm.com/book/en/Git-on-the-Server-Setting-Up-the-Server Using git hooks to control access might be useful as a once-off hack but can be a slippery slope leading to a hard-to-maintain git server configuration. This answer deserves an upvote as it’s better to use software written for the purpose of providing access control and which allows easily changing permissions. Note: This comment is an amalgamation of previous ones that were submitted accidentally when I hit Enter. – Anthony Geoghegan May 13 '14 at 11:57
4

You can go to repo settings -> Branches

Git asks which branch you want to protect

[Image: Git protect branch]

pravs