Ssh – Git: push via ssh to a root owned repository with ssh root logins disabled

gitpuppetpuppetmasterrootssh

is that even possible?

Summary, i'm running puppet master on a server and ideally we want root logins via ssh disabled, we want to force all access via sudo if root access required

however we have puppet installed using a git repo to manage the manifests, this repo is currently owned by root and currently i only know of 2 solutions

(less ideal) allow root access via key auth only – if so, what can i lock it down to to only allow the git push commands?
own the repo in /etc/puppet as a different owner – will puppet work reliably with this?
Could relevant Sudo config and command work around this?

Best Answer

Git repos can be configured to maintain group write permissions (option --shared when creating the repository). Using that, then you can add any accounts that need access to the repository to a particular group, so that they can access it.

I do that for our git server. I also put a symlink in each user's home directory to each repository they have access too, so everyone can access with a relative URL.

The Standard Solution

If you put all the developers in a specially-created group, you can, in principle, just do:

chgrp -R <whatever group> gitrepo
chmod -R g+swX gitrepo

Then change the umask for the users to 002, so that new files get created with group-writable permissions.

The problems with this are legion; if you’re on a distro that assumes a umask of 022 (such as having a common users group that includes everyone by default), this can open up security problems elsewhere. And sooner or later, something is going to screw up your carefully crafted permissions scheme, putting the repo out of action until you get root access and fix it up (i.e., re-running the above commands).

The New-Wave Solution

A superior solution—though less well understood, and which requires a bit more OS/tool support—is to use POSIX extended attributes. I’ve only come to this area fairly recently, so my knowledge here isn’t as hot as it could be. But basically, an extended ACL is the ability to set permissions on more than just the 3 default slots (user/group/other).

So once again, create your group, then run:

setfacl -R -m g:<whatever group>:rwX gitrepo
find gitrepo -type d | xargs setfacl -R -m d:g:<whatever group>:rwX

This sets up the extended ACL for the group so that the group members can read/write/access whatever files are already there (the first line); then, also tell all existing directories that new files should have this same ACL applied (the second line).

Hope that gets you on your way.

Svn – transparent git-svn gateway

For transparent Git/Svn gateway you may use SubGit, it matches your requirements very well, except that right now it only supports either simple single-project (/trunk, /branches, /tags) or multi-project (/project/trunk, ...) layouts.

Best Answer

Related Solutions

Git – How to Share a Git Repository with Multiple Users on a Machine

The Standard Solution

The New-Wave Solution

Svn – transparent git-svn gateway

Related Topic