gitolite/doc/overkill.mkd
2011-04-24 15:16:43 +05:30

2.2 KiB

when gitolite is overkill

Note: I wrote this to help people for whom gitolite is genuinely overkill. I believe it will all work, but YMMV.


You don't always need something like gitolite. If you have a fixed (or very rarely changing) number of users, and all of them have full access to all your repos, you can use plain Unix permissions to get a lot of this done:

  • dedicate a userid (say "git") to host all your repos. This user will also have a group (normally called "git" on most distros I think)

  • create a directory that is accessible (at least "r" and "x" permissions) to the group "git", all the way upto the root. (That is, if the directory you chose is /home/git/repos, then /, /home, /home/git, and /home/git/repos must all be "g+rx").

  • create all repos in this directory, as the "git" user, using the following command:

    git init --bare --shared reponame.git
    
  • For each user who needs access to the repos, add them as members to the "git" group also. On Fedora this is:

    usermod -a -G git username
    

And that's basically it. The "init --shared" will create the repos with "chmod -R g+s". If you have existing repos where you forgot (or didn't know) the "--shared" argument, do this on each of them:

    cd reponame.git
    git init --shared --bare
    chmod -R g+w .
    chmod g+s `find . -type d`

I think that should do it.

Once you've setup the Unix level permissions, you may consider setting the shell of some of the less experienced users to "git-shell" (using its full path) if they don't really need a shell on the server. This will let them access git remotely but not do anything else.

Combining this with settings like receive.denyDeletes and receive.denyNonFastForwards, or at least core.logAllRefUpdates, can go a long way toward preventing accidents or at least making it feasible to recover from them.


You can do more complex things using Unix acls. If you do, and feel like writing it up, send it to me and I will add it here (with credit given of course). Personally, I can't be bothered -- once you have differing needs for different people, you really need gitolite anyway, because you probably need different rights for branches as well and Unix ACLs can't do that.