How to make a git repository read-only?
There is more than one possible way to do this.
If your users each have a shell account (perhaps limited), and each of them accessing git repositories via their own account, you can use filesystem permissions to control SSH access to git repositories. On Unix those would be write permissions on directories, perhaps with the help of creating a group and specific permissions for a group (with "sticky group ID" set).
Pushing requires
git-receive-pack
to be in $PATH of user, and be executable for them... although I am not sure how feasible this approach would be.You can use
update
orpre-receive
hook to do access control to repository, for example using update-paranoid example hook fromcontrib/hooks
in git sources.With larger number of users you could be better with using a tool to manage access to git repositories, like Gitosis (in Python, requires setuptools) or Gitolite (in Perl).
For read only access you can setup git daemon to provide read-only anonymous (and unauthenticated) access via
git://
protocol, instead of access via SSH protocol.See documentation for
url.<base>.insteadOf
config variable for a way to ease the transition from SSH to GIT protocol.
See also Chapter 4. "Git on the Server" of Pro Git book by Scott Chacon (CC-BY-NC-SA licensed).
A pre-receive
hook that simply prints an informative message and exits with a non zero status does the job.
Assuming you put some meaningful information in your message, it also cuts down on the queries from frustrated users asking why they can't push:
#!/bin/bash
echo "=================================================="
echo "This repository is no longer available for pushes."
echo "Please visit blah blah yadda yadda ...."
echo "=================================================="
exit 1
Remember to set the executable permission for the script and to make sure is owned by the right user and/or group, or else it will not execute and will not give any warning.
Since git relies primarily on the filesystem for access control, that will work. Note that in your permissions, the world has no access to the file, but the user and group have read/write access. If you want world-readable, your permissions should be 0444
.
You could do further fine-grained control by setting the repo permissions as 0664
where the user is nobody
and the group is something like gitdevs
. Then, only people in the gitdevs
group will have the ability to write to the repo, but the world can read from it.
Follow-up Here is a link that covers various ways to share your repo and covers come pro's & cons and access control features.
chmod -R a-w /path/to/repo.git