
Can I use .gitignore or .git/info/exclude to impede specific users from pulling/pushing files that are deemed "restricted" to them?

I'm hosting a bare repository on Windows Server 2008 with Windows Git and OpenSSH. For legal reasons, I want some files to be inaccessible for a specific user but remain accessible to all other users. In other words, I want certain "restricted" files to be ignored (non-pullable) for a specific user.

Assume we have two users (Administrator and Guest) and a Git repository with two files: a.txt and b.txt.

Assume "b.txt" is a restricted file that Guest should not have access to.

git clone guest@ipaddress:C:/path/to/repository.git or git pull guest@ipaddress:C:/path/to/repository.git

should clone or pull "a.txt"

git clone administrator@ipaddress:C:/path/to/repository.git or git pull administrator@ipaddress:C:/path/to/repository.git

should clone or pull both files.

Is there a way to achieve this result with .gitignore or .git/info/exclude?

Is there a way to achieve this result with .gitignore or .git/info/exclude?

No.

Git is all about commits, and pull (really, git fetch) and push operations transfer commits. Commits contain files—a commit consists partly of data (a snapshot) and partly of metadata (information about the snapshot)—and you either have a commit, in which case you have all the files, or you don't have a commit, in which case you don't have all the files.

Files that need restrictions for whatever reasons—legal, corporate, or otherwise—must either not be in Git at all, or stored in some sort of pre-secured fashion (e.g., encrypted). In general the "not in Git at all" approach tends to work best. Consider storing, in Git, the URL of a restricted Web site that stores the actual file.

It's not possible to restrict user access to only parts of a repository. gitignore files are designed to prevent people from accidentally checking in code they didn't intend, not to restrict access to code already in the repository.

Even solutions that limit access to refs can be bypassed by a clever attacker in a way that lets them exfiltrate data from the repository. You should assume anyone with read access to a repository can read all of the objects in that repository; if you need to restrict some users' access to certain data, it needs to either be encrypted or live in a different repository.
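Both answers can be checked locally. The script below is an added example, not code from either answer; it uses throwaway bare repositories on the local filesystem instead of the SSH URLs in the question, seeds them with constructed a.txt and b.txt contents, and shows that an exclude rule on the Guest side leaves b.txt fully readable from the clone's object store, while moving b.txt into its own repository (the "different repository" approach) does keep it out of Guest's clone.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds throwaway repositories
# under mktemp with constructed sample files a.txt and b.txt, then shows that an
# exclude rule on the Guest side never keeps b.txt out of the clone, while
# keeping b.txt in a separate repository does.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GIT_AUTHOR_NAME=seed GIT_AUTHOR_EMAIL=seed@example.invalid
export GIT_COMMITTER_NAME=seed GIT_COMMITTER_EMAIL=seed@example.invalid

# make_repo NAME FILES...: a bare repository (like the one hosted in the
# question) seeded with a single commit that holds FILES on branch master.
make_repo() {
    name=$1; shift
    git init -q --bare "$WORK/$name.git"
    git -C "$WORK/$name.git" symbolic-ref HEAD refs/heads/master
    git init -q "$WORK/$name.seed"
    for f in "$@"; do echo "content of $f" > "$WORK/$name.seed/$f"; done
    git -C "$WORK/$name.seed" add .
    git -C "$WORK/$name.seed" commit -q -m "seed"
    git -C "$WORK/$name.seed" push -q "$WORK/$name.git" HEAD:refs/heads/master
}

# guest_can_read REPO FILE: returns 0 if a fresh Guest clone of REPO, with FILE
# listed in .git/info/exclude as the question proposes, can still read FILE's
# blob from its own object store; 1 otherwise. Exclude rules only affect
# untracked files, so they never remove anything the fetched commit carries.
guest_can_read() {
    rm -rf "$WORK/guest"
    git clone -q --no-checkout "$WORK/$1.git" "$WORK/guest"
    echo "$2" >> "$WORK/guest/.git/info/exclude"
    git -C "$WORK/guest" checkout -q master
    # cat-file reads the object directly, bypassing the working tree entirely
    git -C "$WORK/guest" cat-file -e "HEAD:$2" 2>/dev/null
}

make_repo shared a.txt b.txt   # the question's setup: one repo, both files
make_repo public a.txt         # the answers' alternative: a.txt only here...
make_repo restricted b.txt     # ...and b.txt in a repo Guest is never given

if guest_can_read shared b.txt; then
    echo "shared repo: Guest can still read b.txt despite the exclude rule"
fi
if ! guest_can_read public b.txt; then
    echo "split repos: Guest's clone of public carries no b.txt at all"
fi
```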
