My gitolite set-up
I'm paranoid, but also poor. I use gitolite to control access to my git repositories, because github wanted $200/month to meet half of my requirements, and weren't interested in negotiating (I tried).
Like github, I have two types of git repositories: public repositories, which show up on gitweb, git-daemon and so on, and which everyone can access; and private repositories, which contain my bank details.
My conf file consists of:
A set of user groups. While gitolite supports multiple keys for one user, I prefer to treat my various machines as separate users, for reasons that will become apparent later.

    @faux  = admin fauxanoia fauxhoki fauxtak
    @trust = @faux alice
    @semi  = fauxcodd fauxwilf bob
A set of repositories, both public and private:
    @pubrepo  = canslations
    @pubrepo  = coke
    @pubrepo  = cpptracer
    ...
    @privrepo = bank-details
    @privrepo = alices-bank-details
Descriptions for all the public repositories, so they show up in gitweb:
    repo coke
        coke = "Coke prices website"
    repo cpptracer
        cpptracer = "aj's cppraytracer, now with g++ support"
And permissions:
    repo @pubrepo
        RW+ = @trust
        RW  = @semi
        R   = @all daemon gitweb
        config core.sharedRepository = 0664
    repo @privrepo
        RW+ = @trust

This allows trusted keys to do anything, and semi-trusted keys (i.e. ones on machines where other people have root) only to append data: they can't destroy anything, and can't make any un-auditable changes.
Next, to protect against non-root users on the host itself, I have

    $REPO_UMASK = 0027;

in my .gitolite.rc. This makes the repositories themselves inaccessible to other users. However, gitweb needs to be able to read public repositories; the above config core.sharedRepository = 0664 does this.
This leaves only /var/lib/gitolite/projects.list (which is necessary as non-git users can't ls /var/lib/gitolite/repositories/, so gitweb can't discover the project list itself), and repositories/**/description, again for gitweb.
For this, I have a gitolite-admin.git/hooks/post-update.secondary of:
    #!/bin/sh
    # Let gitweb (a non-git user) read the list of public projects.
    chmod a+r /var/lib/gitolite/projects.list
    # Let gitweb read every repository's description file. The description
    # of a private repository is still unreachable, because the repository
    # directory itself is not traversable by other users ($REPO_UMASK = 0027).
    find /var/lib/gitolite -name description -exec chmod a+r {} +
Now, gitweb can display public projects fine, and local users can't discover or steal private repositories.
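As an added check that is not part of the original post: the script below audits a gitolite directory against the rule the settings above are meant to enforce (private repositories closed to "other" users, public ones enterable for gitweb). It assumes the post's layout under one base directory, with projects.list naming public repositories as name.git (or bare name); the two-repository layout it builds for the demo is constructed.

```shell
#!/bin/sh
# Added audit script, not part of the original post. Checks on-disk modes
# against the intent of $REPO_UMASK = 0027 plus core.sharedRepository:
# BASE/projects.list names the public repos, BASE/repositories/<name>.git
# holds every repo. Only POSIX sh, ls, grep and cut are used.

# audit_gitolite_perms BASE
# Prints one line per repository; returns 1 if any private repository is
# enterable by "other" users, or any public one is not.
audit_gitolite_perms() {
    base=$1 rc=0
    for repo in "$base"/repositories/*.git; do
        [ -d "$repo" ] || continue
        name=$(basename "$repo" .git)
        # "other" rwx triplet from ls, e.g. drwxr-x--- -> "---"
        other=$(ls -ld "$repo" | cut -c8-10)
        if grep -qx -e "$name.git" -e "$name" "$base/projects.list"; then
            # public: gitweb runs as a non-git user and must enter + read
            case $other in
                r?x) echo "ok  public  $name ($other)" ;;
                *)   echo "BAD public  $name ($other)"; rc=1 ;;
            esac
        else
            # private: nothing for "other", as the 0027 umask produces
            case $other in
                ---) echo "ok  private $name ($other)" ;;
                *)   echo "BAD private $name ($other)"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# build_demo_layout: constructed sample layout in a temp dir (two repos,
# one public, one private, with the modes the post's settings produce).
build_demo_layout() {
    d=$(mktemp -d)
    mkdir -p "$d/repositories/coke.git" "$d/repositories/bank-details.git"
    chmod 0775 "$d/repositories/coke.git"          # core.sharedRepository
    chmod 0750 "$d/repositories/bank-details.git"  # $REPO_UMASK = 0027
    printf 'coke.git\n' > "$d/projects.list"
    echo "$d"
}

# Audit the directory given as $1, or the constructed demo layout.
audit_gitolite_perms "${1:-$(build_demo_layout)}"
```

Run it as a local cron job or from the same post-update hook to catch a repository whose modes drifted after a manual chmod or a restore from backup.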