
I want a git repository, accessible over ssh, to be read-only when used with certain keys. With other keys access to the full system is okay.

Here is my solution.

git-readonlyshell:

if echo "$2" | egrep -q ^git-upload-pack; then
 sh -c "$2"
else
 echo Error: read only access 1>&2
fi

.ssh/authorized_keys:

command="./git-readonlyshell -c \"$SSH_ORIGINAL_COMMAND\"" ...

Thoughts?

Any scenario in which this would break?

asked Nov 25, 2013 at 4:24
  • Why not just have a user that is read-only for the repository and use one user for full-access, and the other for read-only? Commented Nov 25, 2013 at 4:29
  • @rolfl I could. But then I have to specify a longer path after the :, meaning user@server:/full/path/to/repo Commented Nov 25, 2013 at 4:35
  • @nafg: Can you please roll back your last edit if it was in response to GoodPerson's answer? The answer becomes somewhat pointless when you edit your question like this. Commented Nov 25, 2013 at 7:34
  • @ChrisWue: I rolled back the edit, so that the answer makes sense again. nafg: If you want to ask a follow-up question, you should append it to the original question instead of changing your question. Commented Nov 25, 2013 at 10:21
  • @ChrisWue: trying to recall, are you talking about the fact that I added "Any scenario in which this would break?" If so, no, it was not in response to GoodPerson's answer; it was my original intention and I realized I had been unclear. Commented Nov 29, 2013 at 7:01

1 Answer

Should be

printf "%s\n" "$2" | grep -E "^git-upload-pack" && sh -c "$2"

Notes:

  • sh not bash for portability
  • The printf instead of echo is for safety. What happens if someone puts "-n foo" as "$2"?
ChrisWue
answered Nov 25, 2013 at 4:30
  • It is insecure. The $SSH_ORIGINAL_COMMAND can contain multiple command-lines, e.g., git-upload-pack dummy; cat /etc/passwd. Commented Feb 28, 2018 at 7:26
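
The last comment's point is that handing $SSH_ORIGINAL_COMMAND to sh -c lets anything after the prefix run too. A wrapper that avoids this, as an added example that is not part of the original question or answer: it never passes the client's string to a shell and only runs git upload-pack on a path that passes an allow-list. The script name git-readonly, its install path and the permitted path characters are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for read-only git access.
# Assumed authorized_keys entry (script name and path are hypothetical):
#   command="/usr/local/bin/git-readonly",restrict ssh-ed25519 AAAA...
# sshd exports the client's request in SSH_ORIGINAL_COMMAND, so the wrapper
# needs no arguments and nothing is interpolated inside authorized_keys.

# Print the repository path if $1 is exactly: git-upload-pack '<path>'
# (the form the git client sends). Return non-zero for anything else.
parse_upload_pack() {
    cmd=$1
    case $cmd in
        "git-upload-pack '"*"'") ;;      # one command, one quoted argument
        *) return 1 ;;
    esac
    repo=${cmd#*\'}                      # drop everything through the first quote
    repo=${repo%\'}                      # drop the closing quote
    case $repo in
        # Reject: empty path, leading dash (option injection), any character
        # outside the allow-list (quotes, ; | & $ spaces, newlines), and "..".
        ''|-*|*[!A-Za-z0-9._/-]*|*..*) return 1 ;;
    esac
    printf '%s\n' "$repo"
}

# Only act when sshd supplied a command; an interactive login gets nothing.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    repo=$(parse_upload_pack "$SSH_ORIGINAL_COMMAND") || {
        echo 'Error: read only access' >&2
        exit 1
    }
    # The path is passed as a single argv element; no shell re-parses it.
    exec git upload-pack "$repo"
fi
```
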
