Prevent other git authors
Question
I have set up my own private git server and have a team of 5 members. I have their user accounts all set up, but how do I prevent commits to the remote being done by random weird accounts? Some of my team also use GitHub and wouldn't want their usernames appearing in the log, but rather the username I assign them.
To prevent people committing using "random weird accounts", you could set up a git `pre-receive` hook to validate the committer/author names on incoming commits against a list of valid names. But this doesn't provide the authentication component.

To prevent impersonation, you could simply require that all commits are gpg-signed (`git commit -S ...`), and have your `pre-receive` hook validate the signatures against a gpg keyring on the server.

Depending on how people are connecting to your remote server, you could also explicitly match the committer/author name against the username used for the connection, if you have access to that.
Update 1

If your committers are pushing to your server over ssh, then the third option above is probably the easiest. In your `.ssh/authorized_keys` file, set an environment variable for each key that identifies the user:

```
environment="SSH_USER=lars" ssh-rsa ...
```

And then in your `pre-receive` hook, you can use that environment variable to look up valid committer names/emails against some table. You can read about `pre-receive` hooks in the `githooks(5)` man page; they receive on stdin lines of the form:

```
<oldrev> <newrev> <refname>
```

You can get the committer name from `<newrev>` like this:

```sh
committer_name=$(git show -s --format='format:%cn' <newrev>)
```

And the email using `%ce` instead of `%cn`.
Update 2

Or heck, just forget table lookups. In your `.ssh/authorized_keys` file:

```
environment="ALLOWED_NAME=Bob Jones",environment="ALLOWED_EMAIL=bob@example.com" ssh-rsa ...
```

And then in your pre-receive hook:

```sh
#!/bin/sh
# Each stdin line is "<oldrev> <newrev> <refname>"; reject the push unless the
# committer of the new tip matches the identity fixed in authorized_keys.
while read oldrev newrev refname; do
    # a ref deletion has an all-zero newrev and no commit to inspect
    [ "$newrev" = "0000000000000000000000000000000000000000" ] && continue
    cn=$(git show -s --format='format:%cn' "$newrev")
    ce=$(git show -s --format='format:%ce' "$newrev")
    [ "$cn" = "$ALLOWED_NAME" ] || {
        echo "*** Invalid committer name"
        exit 1
    }
    [ "$ce" = "$ALLOWED_EMAIL" ] || {
        echo "*** Invalid committer email"
        exit 1
    }
done
```

And I think you have what you want.
Update 3

You could probably accomplish something similar using http authentication, because within your `pre-receive` script you would have access to the `REMOTE_USER` environment variable, which contains the name of the authenticated remote user. You would probably need to go with some sort of table lookup to get the approved names and email addresses.
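The hook in Update 2 inspects only the new tip of each ref, so a push that carries several commits passes as long as the last one is well-formed. Below is an added example hook (written for this page, not the answer's own code) that combines the three updates: it derives the pushing user from `SSH_USER` (Update 1) or `REMOTE_USER` (Update 3), looks that user up in a server-side table, and checks the author and committer of every commit the push introduces, using `git rev-list` over `<oldrev>..<newrev>` and excluding commits already reachable from existing refs when a new branch is created. It can also require a trusted GPG signature via `git verify-commit` when `REQUIRE_SIGNATURE=1` is exported, which is the "authentication component" the answer mentions. The user table, the names and the addresses are constructed for the example. Note that sshd only honours `environment=` options in `authorized_keys` when `PermitUserEnvironment yes` is set in `sshd_config`.

```shell
#!/bin/sh
# Added example pre-receive hook; not the code from the answer above.
# Assumes SSH_USER (per-key in authorized_keys) or REMOTE_USER (http auth)
# identifies the pusher. Table entries below are constructed placeholders.

ZERO_ID=0000000000000000000000000000000000000000

# allowed_identity USER -> prints "Name <email>" for a known user, else fails.
# Constructed lookup table standing in for whatever you keep server-side.
allowed_identity() {
    case "$1" in
        lars) echo "Lars Example <lars@example.com>" ;;
        bob)  echo "Bob Jones <bob@example.com>" ;;
        *)    return 1 ;;
    esac
}

is_zero_id() {
    [ "$1" = "$ZERO_ID" ]
}

# verify_identities AUTHOR COMMITTER EXPECTED -> succeeds when both equal
# EXPECTED; otherwise prints which one is wrong and fails. No git needed,
# so it can be exercised outside a repository.
verify_identities() {
    if [ "$1" != "$3" ]; then
        echo "author '$1' is not '$3'"
        return 1
    fi
    if [ "$2" != "$3" ]; then
        echo "committer '$2' is not '$3'"
        return 1
    fi
}

# list_new_commits OLDREV NEWREV -> every commit this push adds to the ref.
# For a newly created ref, exclude whatever existing refs already reach.
list_new_commits() {
    if is_zero_id "$1"; then
        git rev-list "$2" --not --all
    else
        git rev-list "$1..$2"
    fi
}

# check_commit REV EXPECTED -> fails with a message for the pusher unless
# author and committer match, and (optionally) the commit is signed by a key
# trusted in the server's keyring.
check_commit() {
    rev=$1
    expected=$2
    author=$(git show -s --format='%an <%ae>' "$rev")
    committer=$(git show -s --format='%cn <%ce>' "$rev")
    msg=$(verify_identities "$author" "$committer" "$expected") || {
        echo "*** $rev: $msg" >&2
        return 1
    }
    if [ "${REQUIRE_SIGNATURE:-0}" = 1 ] && ! git verify-commit "$rev" >/dev/null 2>&1; then
        echo "*** $rev: missing or untrusted GPG signature" >&2
        return 1
    fi
}

main() {
    user=${SSH_USER:-${REMOTE_USER:-}}
    expected=$(allowed_identity "$user") || {
        echo "*** unknown pushing user '$user'; refusing push" >&2
        exit 1
    }
    status=0
    while read -r oldrev newrev refname; do
        # a ref deletion carries no commits to inspect
        is_zero_id "$newrev" && continue
        for rev in $(list_new_commits "$oldrev" "$newrev"); do
            check_commit "$rev" "$expected" || status=1
        done
    done
    exit "$status"
}

# Run the hook loop only when installed as hooks/pre-receive, so the
# functions above can be sourced and exercised without a repository.
case "$0" in
    pre-receive|*/pre-receive) main ;;
esac
```

Install it as `hooks/pre-receive` in the bare repository and make it executable; every message written to stderr is relayed to the pusher prefixed with `remote:`, and a single bad commit anywhere in the push rejects the whole push.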