简体繁体 English

在 windows 上保护 Git 服务器？

[英]Securing Git server on windows?

原文 2011-04-28 20:47:43 6 5 windows/ security/ git

Using msysgit and copssh, is it possible to secure the ssh part such that it can only access the relevant git executables and also be constrained to access only one folder?使用 msysgit 和 copssh，是否可以保护 ssh 部分，使其只能访问相关的 git 可执行文件并且还被限制只能访问一个文件夹？

I have a feeling that a git server on windows will be very much more open than a svn server like visual svn.我有一种感觉，windows 上的 git 服务器将比 svn 服务器（如视觉 ZAF04A1AA0E00F4AAAEEZ760）开放得多。 I'm hoping to be proved wrong.我希望被证明是错误的。

5 个解决方案

I would use a Linux server for your central Git repository.我将为您的中央 Git 存储库使用 Linux 服务器。 Install gitolite.安装 gitolite。 This will enable you to administer branch rights etc.这将使您能够管理分支权限等。

UPDATE:更新：

As per your recent comments, just go with unfuddle and be done with it in 1 minute.根据您最近的评论，只需 go 并在 1 分钟内完成。 If you're concerned about using up the 500MB of space they give, large non-private artifacts can be stored as a submodule that can be hosted on github.如果您担心用完他们提供的 500MB 空间，可以将大型非私有工件存储为可以托管在 github 上的子模块。

hope this helps!希望这可以帮助！

On Windows, I have found Apache and Smart Http ( git-http backend ) to be the best way to host a Git server.在 Windows 上，我发现 Apache 和 Smart Http（git-http 后端）是托管 Z7B065333Z1 服务器的最佳方式。

https://web.archive.org/web/20100308035130/http://progit.org/2010/03/04/smart-http.html https://web.archive.org/web/20100308035130/http://progit.org/2010/03/04/smart-http.html

And coming to access control, I would advice you to keep it simple and have an access conf file svn or even gitolite / gitosis and write simple hooks in the Git repo ( in Python, Ruby, etc. ) And coming to access control, I would advice you to keep it simple and have an access conf file svn or even gitolite / gitosis and write simple hooks in the Git repo ( in Python, Ruby, etc. )

The hooks will provide you pretty good control to the Git repo.这些钩子将为您提供对 Git 存储库的很好的控制。 You can control checkins per branch, checkins to particular folders etc.您可以控制每个分支的签入，签入特定文件夹等。

Have a look at the git hooks man page.查看 git 挂钩手册页。 pre-receive or update are the hooks that you can make use of for this purpose. pre-receive或update是您可以为此目的使用的钩子。

Look at this awesome chapter from Pro Git on how to use Git hooks on the server side to enforce policy - https://git-scm.com/book/en/v2/Customizing-Git-An-Example-Git-Enforced-Policy Look at this awesome chapter from Pro Git on how to use Git hooks on the server side to enforce policy - https://git-scm.com/book/en/v2/Customizing-Git-An-Example-Git-Enforced-政策

You can easily adjust them and add functionality to suit your purpose.您可以轻松调整它们并添加功能以满足您的目的。

I would very much recommend using one of the Git-HTTP projects.我非常推荐使用其中一个 Git-HTTP 项目。 See my answer at: https://serverfault.com/questions/58425/setting-up-git-repository-on-remote-windows-server/163065#163065请参阅我的答案： https://serverfault.com/questions/58425/setting-up-git-repository-on-remote-windows-server/163065#163065

You're trying to make Windows behave like UNIX.您正在尝试使 Windows 的行为类似于 UNIX。 Better go with the flow, and use a .NET based solution as Git server backend.更好的 go 与流程，并使用基于 .NET 的解决方案作为 Git 服务器后端。

When you have the deal with a small 2-person project (as you mentioned in the comments), you can also host the git repository on a Windows network share.当您处理一个小型 2 人项目时（正如您在评论中提到的），您还可以在 Windows 网络共享上托管 git 存储库。 It just works, and you clone the UNC path (or mapped drive letter) in your git client.它可以正常工作，您可以在 git 客户端中克隆 UNC 路径（或映射的驱动器号）。

For UNC paths, when you use slashes instead of backslashes (ie //server01/git/myrepos.git ).对于 UNC 路径，当您使用斜杠而不是反斜杠时（即//server01/git/myrepos.git ）。

An alternative might be to use https://github.com/jakubgarfield/Bonobo-Git-Server/wiki另一种方法可能是使用https://github.com/jakubgarfield/Bonobo-Git-Server/wiki

When I started looking at setting up a corporate git service, we have the following requirements: 1. Manage git repositories as projects, where we can provide self-service access control at project level.当我开始考虑设置企业 git 服务时，我们有以下要求： 1. 将 git 存储库作为项目管理，我们可以在项目级别提供自助访问控制。 2. LDAP login integration 3. Low administrative effort 2. LDAP 登录集成 3. 管理工作量低

I evaluated vanilla git, git + git-http, gitolite.我评估了香草 git、git + git-http、gitolite。 These solution would require an admin person to manage the access control.这些解决方案需要管理员来管理访问控制。 If the team is big, this will be a significant effort.如果团队很大，这将是一项重大的努力。 If the team is small (5-10 developers), vanilla git is ok.如果团队很小（5-10 个开发人员），vanilla git 是可以的。

I looked at github enterprise, use github, and later bitbucket.我看了github企业，用github，后来用bitbucket。 We eventually bought bitbucket and have a on-prem version up and running.我们最终购买了 bitbucket 并启动并运行了本地版本。 bitbucket meets all our requirements. bitbucket 符合我们的所有要求。 In addition, we can selectively sync some of the AD group to bitbucket and manage access at group level.此外，我们可以选择性地将部分 AD 组同步到 bitbucket 并在组级别管理访问。