阻止用户承诺的git为错误的用户 [英] Stop users committing to git as wrong user
问题描述
我使用Git和 codeBase的的一个项目。
我只是做了一个测试,我能够提交到Git仓库用,导致其标记提交由不同的用户是不同的电子邮件地址和名称设置。我把这个存储库,它显示了作为用户犯下即使它是我。
有没有办法来prevent用户提交或别人的用户详细信息推(有效的,使他们不能伪造承诺为来自不同的用户是)?
编辑:
我认为这验证都需要在因为在本地的工作推到提交服务器的阶段发生复制它只是用户具有完全访问到存储库,做任何他们想做的。这是什么,因此我应该问 codeBase的了解可能?
编辑2:
的要求混帐配置:
(回购/ git的/配置)
[核心]
repositoryformatversion = 0
FILEMODE =真
裸= FALSE
logallrefupdates =真
IGNORECASE =真
[遥控器原产地]
取= +裁判/头/ *:裁判/遥控器/产地/ *
URL = git@$c$cbasehq.com:其中,节录公司名称> /<绝密项目名称> /test.git
[分支大师]
远程=由来
合并=裁判/头/主
哎呀:虽然这是一个有效的方法,它假设您对服务器有效的完全控制。如果您使用的是托管解决方案全盘皆输。
您可以验证版本库的更新
挂钩的作者姓名和电子邮件。你可以得到这两个值是这样的:
#!/ bin / sh的
设置 - refname sha1_old sha1_new
AUTHOR_NAME = $(git的日志 - pretty =格式:%的$ sha1_new)
AUTHOR_EMAIL = $(git的日志 - pretty =格式:%AE $ sha1_new)
这一招,当然是找出这些是否是有效的。这里有一个窍门:
您可以使用命令=
选项,在你的ssh配置,使周围的git - 接收包$ C $的包装C>映射SSH密钥作者信息。例如,这样的事情:
#!/ bin / sh的GV_AUTHOR_NAME =$ 1
GV_AUTHOR_EMAIL =$ 2出口GV_AUTHOR_EMAIL GV_AUTHOR_NAME
EVAL EXEC $ SSH_ORIGINAL_COMMAND
和你会使用的authorized_keys
行是这样的:
命令=〜/斌/ gitvalidator拉尔斯·凯洛格 - 斯特德曼'lars@seas.harvard.edu'SSH-RSA ...
这一切的结果是,你的更新
脚本会对环境变量 GV_AUTHOR_NAME
和 GV_AUTHOR_EMAIL
可用,并且可以检查这些反对提交并退出与一个错误,如果他们不匹配。
I'm using git and Codebase for a project.
I just did a test and I'm able to commit to the git repository with a different email address and name set which causes it to tag the commit as being by a different user. I pushed this to the repository and it showed up as that user having committed even though it was me.
Is there a way to prevent users from committing or pushing with someone else's user details (effectively so they can't "forge" commits as being from a different user)?
Edit:
I assume this authentication would need to happen at the stage of pushing commits to the server since in the local working copy it's simply a repository which the user has full access to, to do whatever they want with. Is this therefore something I should ask Codebase about maybe?
Edit 2:
Git config as requested:
(repo/.git/config)
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
ignorecase = true
[remote "origin"]
fetch = +refs/heads/*:refs/remotes/origin/*
url = git@codebasehq.com:<redacted company name>/<redacted project name>/test.git
[branch "master"]
remote = origin
merge = refs/heads/master
Ooops: While this is a valid technique, it assumes you have effectively full control over the server. If you're using a hosted solution all bets are off.
You can validate the author name and email in the repository's update
hook. You can get both values like this:
#!/bin/sh
set -- refname sha1_old sha1_new
author_name=$(git log --pretty=format:%an $sha1_new)
author_email=$(git log --pretty=format:%ae $sha1_new)
The trick, of course, is figuring out whether or not these are valid. Here's one trick:
You can use the command=""
option in your ssh configuration to make a wrapper around git-receive-pack
that maps ssh keys to author information. For example, something like this:
#!/bin/sh
GV_AUTHOR_NAME="$1"
GV_AUTHOR_EMAIL="$2"
export GV_AUTHOR_EMAIL GV_AUTHOR_NAME
eval exec $SSH_ORIGINAL_COMMAND
And you would use an authorized_keys
line something like this:
command="~/bin/gitvalidator 'Lars Kellogg-Stedman' 'lars@seas.harvard.edu'" ssh-rsa ...
The result of all this is that your update
script would have the environment variables GV_AUTHOR_NAME
and GV_AUTHOR_EMAIL
available, and could check these against the commit and exit with an error if they didn't match.
这篇关于阻止用户承诺的git为错误的用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!