58 lines
2.2 KiB
Markdown
58 lines
2.2 KiB
Markdown
## when gitolite is overkill
|
|
|
|
Note: I wrote this to help people for whom gitolite is genuinely overkill. I
|
|
believe it will all work, but YMMV.
|
|
|
|
----
|
|
|
|
You don't always need something like gitolite. If you have a fixed (or very
|
|
rarely changing) number of users, and all of them have full access to all your
|
|
repos, you can use plain Unix permissions to get a lot of this done:
|
|
|
|
* dedicate a userid (say "git") to host all your repos. This user will also
|
|
have a group (normally called "git" on most distros I think)
|
|
|
|
* create a directory that is accessible (at least "r" and "x" permissions)
|
|
to the group "git", all the way upto the root. (That is, if the directory
|
|
you chose is /home/git/repos, then /, /home, /home/git, and
|
|
/home/git/repos must all be "g+rx").
|
|
|
|
* create all repos in this directory, as the "git" user, using the following
|
|
command:
|
|
|
|
git init --bare --shared reponame.git
|
|
|
|
* For each user who needs access to the repos, add them as members to the
|
|
"git" group also. On Fedora this is:
|
|
|
|
usermod -a -G git username
|
|
|
|
And that's basically it. The "init --shared" will create the repos with
|
|
"chmod -R g+s". If you have existing repos where you forgot (or didn't know)
|
|
the "--shared" argument, do this on each of them:
|
|
|
|
cd reponame.git
|
|
git init --shared --bare
|
|
chmod -R g+w .
|
|
chmod g+s `find . -type d`
|
|
|
|
I think that should do it.
|
|
|
|
Once you've setup the Unix level permissions, you may consider setting the
|
|
shell of some of the less experienced users to "git-shell" (using its full
|
|
path) if they don't really need a shell on the server. This will let them
|
|
access git remotely but not do anything else.
|
|
|
|
Combining this with settings like `receive.denyDeletes` and
|
|
`receive.denyNonFastForwards`, or at least `core.logAllRefUpdates`, can go a
|
|
long way toward preventing accidents or at least making it feasible to recover
|
|
from them.
|
|
|
|
----
|
|
|
|
You can do more complex things using Unix acls. If you do, and feel like
|
|
writing it up, send it to me and I will add it here (with credit given of
|
|
course). Personally, I can't be bothered -- once you have differing needs for
|
|
different people, you really need gitolite anyway, because you probably need
|
|
different rights for branches as well and Unix ACLs can't do that.
|