[英]Using su/sudo when accessing remote Git repositories over SSH
Suppose that there is a remote Git repository R on a Linux server.假设在 Linux 服务器上有一个远程 Git 存储库R。 R is owned by a user U for which a remote login via SSH is not allowed at all (eg
root
). R归用户U所有,该用户根本不允许通过 SSH 进行远程登录(例如
root
)。 Neither password-based nor key-based authentication is available for that user.该用户既不能使用基于密码的认证,也不能使用基于密钥的认证。 What is allowed, however, is logging on as a different user and then using
su
or sudo
to issue commands as U .什么是允许的,但是,被登录为不同的用户,然后使用
su
或sudo
发出命令当U。
Is it possible to combine these two methods so that Git will use su
or sudo
on the remote server in order to access the repository?是否可以将这两种方法结合起来,以便 Git 在远程服务器上使用
su
或sudo
来访问存储库?
Alternatively, is there another method to access R without changing its access permissions or enabling SSH logins for U ?或者,是否有另一种方法可以访问R而不更改其访问权限或为U启用 SSH 登录?
PS: I don't mind having to type passwords manually eg at an su
prompt, as long as Git handles the rest. PS:我不介意手动输入密码,例如在
su
提示符下,只要 Git 处理其余的。
EDIT:编辑:
It seems from the comments that I need to clarify my reason for wanting to do something like this.从评论看来,我需要澄清我想做这样的事情的原因。 The files tracked by R are system files that are in use by the server in question - R is not a bare repository.
R跟踪的文件是相关服务器正在使用的系统文件 - R不是裸存储库。 That means that the repository cannot really be moved, not without a lot of trickery.
这意味着存储库无法真正移动,并非没有很多技巧。
Getting Git to use sudo
would allow R to be accessed using the same security model that protects these files, rather than through a separate avenue that would have to be configured and synchronized separately.让 Git 使用
sudo
将允许使用保护这些文件的相同安全模型访问R ,而不是通过必须单独配置和同步的单独途径。
Oh, you can do哦,你可以
git config remote.origin.uploadpack "sudo -u U git-upload-pack"
to get git fetch
to use sudo
for the remote called origin
.让
git fetch
将sudo
用于名为origin
的远程。
You'd need to ensure sudo is set up to allow this user to execute this command with no password, as I see no way to prompt for password.您需要确保将 sudo 设置为允许此用户在没有密码的情况下执行此命令,因为我认为无法提示输入密码。
Source:来源:
I found myself wanting to do a somewhat similar thing, and found this nugget thoroughly buried in man git-config
我发现自己想做一些类似的事情,并发现这个金块完全埋在
man git-config
I should point out that this does only half the job as I needed only git fetch
to work.我应该指出,这仅完成了一半的工作,因为我只需要
git fetch
即可工作。 I imagine you could do a similar thing with remote.origin.receivepack
in order to get git push
to work but I have not tried that.我想你可以用
remote.origin.receivepack
做类似的事情以使git push
工作,但我还没有尝试过。
What is easier is to establish another listener than the sshd dameon: setup an Apache, which:比 sshd dameon 更容易的是建立另一个侦听器:设置一个 Apache,它:
root
(as explained in " How do I run Apache as root? ", that is not a good idea/practice, because any new vulnerabilities found in Apache, which can then be exploited as... root
)root
身份运行(如“我如何以root
身份运行 Apache? ”中所述,这不是一个好主意/做法,因为在 Apache 中发现的任何新漏洞都可以被利用为... root
)git-http-backend
script, which allows for git commands over http (called smart http , documented here )git-http-backend
脚本,该脚本允许通过 http 执行 git 命令(称为smart http , 记录在此处) That way, you don't have to worry about sudo
and su
.这样,您就不必担心
sudo
和su
。
And you can couple that with an authentication step if you want.如果需要,您可以将其与身份验证步骤结合使用。
<Location /git>
AuthType Basic
AuthName "Private Git Access"
AuthUserFile "/etc/git-auth-file"
Require valid-user
</Location>
You even can add authorization with gitolite .您甚至可以使用 gitolite添加授权。
Git comes already with some server-features to make repositories accessible for client users. Git 已经带有一些服务器功能,使客户端用户可以访问存储库。 One serving solution which seems to fit your needs best is using the
git-shell
.一种似乎最适合您需求的服务解决方案是使用
git-shell
。
The git-shell
allows you tie ssh-users up with git-repositories. git-shell
允许您将 ssh-users 与 git-repositories 联系起来。 After successful authentification these users end up in the git-shell which prohibits shell-operations but - if accessed through a git client - gives full access to the hosted repositories.成功验证后,这些用户最终会进入 git-shell,它禁止 shell 操作,但是 - 如果通过 git 客户端访问 - 可以完全访问托管存储库。
The only thing you must do is:您唯一必须做的是:
/etc/passwd
on your server/etc/passwd
Find the line of the user you want give git-access (probably its name is git
)找到您想要授予 git-access 的用户行(可能它的名字是
git
)
Warning: Do not change the entry of your current user!
警告:不要更改当前用户的入口! You won't be able to log in via shell anymore!
您将无法再通过 shell 登录!
Change the shell-reference of that user from (fe) /bin/bash
to /usr/bin/git-shell
(the specific paths depend on the configuration of your system).将该用户的 shell-reference 从 (fe)
/bin/bash
更改为/usr/bin/git-shell
(具体路径取决于您的系统配置)。
The set-up-procedure for such a scenario is in detail described in the pro git book .在pro git book中详细描述了这种场景的设置过程。
To enhance gits simple serving features (in the future) with rights management, you may use gitolite - which uses the gitolite-shell
(and replaces the git-shell) to provide it's magic superpowers.为了通过权限管理增强 gits 简单服务功能(在未来),您可以使用gitolite - 它使用
gitolite-shell
(并取代 git-shell)来提供它的神奇超能力。
A very simple solution would be to git clone
the repo into the "different user" (which I'll call U2)'s directory, and then use ssh
access against that repo.一个非常简单的解决方案是将 repo
git clone
到“不同用户”(我将其称为 U2)的目录中,然后对该 repo 使用ssh
访问。 git is a decentralized VCS, so there's no such thing as an "owning" repo. git 是一个去中心化的 VCS,所以没有所谓的“拥有”回购。 All repositories are on equal footing.
所有存储库都处于平等地位。
You could either occasionally manually push changes from the U2 repo back into the U repo using sudo
from the remote machine or you could even setup a post-commit hook which automatically pushes changes to the U2 repo back to the original U repo.您可以偶尔使用远程机器上的
sudo
手动将 U2 存储库中的更改推送回 U 存储库,或者您甚至可以设置一个提交后挂钩,自动将 U2 存储库的更改推送回原始 U 存储库。 The post-commit hook would work fine as long as no one else is directly modifying the U repo.只要没有其他人直接修改 U 存储库,提交后挂钩就可以正常工作。
If you do have someone directly modifying the U repo, then someone will need to pull in the changes either in the U2 repo or the U repo and merge them on a regular basis.如果您确实有人直接修改了 U 存储库,则需要有人在 U2 存储库或 U 存储库中引入更改并定期合并它们。 Depending on the scope of these changes, the merges could be trivial or complex.
根据这些更改的范围,合并可能是微不足道的,也可能是复杂的。 However, I'd recommend just disallowing anyone to directly modify the U repo unless you have a good reason for it.
但是,除非您有充分的理由,否则我建议禁止任何人直接修改 U 存储库。 In this particular scenario, the U2 repo becomes the de facto authoritative repo, anyway.
在这种特殊情况下,无论如何,U2 存储库都将成为事实上的权威存储库。 So in some sense you could drop the original U repo all together.
因此,从某种意义上说,您可以将原始 U 存储库全部删除。
This is in fact the other simple approach to take which is to simply make the U repo directly accessible to the U2 user by moving it.这实际上是另一种简单的方法,即通过移动 U 存储库,使 U2 用户可以直接访问它。 I know you said in your question that you didn't want to modify the original permissions, but this sounds like a silly and very non-standard arrangement for the repo.
我知道您在问题中说您不想修改原始权限,但这听起来像是对 repo 的一种愚蠢且非常不标准的安排。 The whole point of a git repo is to make it available for changes, and if you can't do that simply, then I would say your initial configuration is flawed.
git repo 的全部意义在于使其可用于更改,如果您不能简单地做到这一点,那么我会说您的初始配置存在缺陷。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.