git-shell.1 (4492B)
- '\" t
- .\" Title: git-shell
- .\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
- .\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
- .\" Date: 2025-03-14
- .\" Manual: Git Manual
- .\" Source: Git 2.49.0
- .\" Language: English
- .\"
- .TH "GIT\-SHELL" "1" "2025-03-14" "Git 2\&.49\&.0" "Git Manual"
- .\" -----------------------------------------------------------------
- .\" * Define some portability stuff
- .\" -----------------------------------------------------------------
- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- .\" http://bugs.debian.org/507673
- .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- .ie \n(.g .ds Aq \(aq
- .el .ds Aq '
- .\" -----------------------------------------------------------------
- .\" * set default formatting
- .\" -----------------------------------------------------------------
- .\" disable hyphenation
- .nh
- .\" disable justification (adjust text to left margin only)
- .ad l
- .\" -----------------------------------------------------------------
- .\" * MAIN CONTENT STARTS HERE *
- .\" -----------------------------------------------------------------
- .SH "NAME"
- git-shell \- Restricted login shell for Git\-only SSH access
- .SH "SYNOPSIS"
- .sp
- .nf
- \fIchsh\fR \-s $(command \-v git\-shell) <user>
- \fIgit clone\fR <user>\fB@localhost:/path/to/repo\&.git\fR
- \fIssh\fR <user>\fB@localhost\fR
- .fi
- .SH "DESCRIPTION"
- .sp
- This is a login shell for SSH accounts to provide restricted Git access\&. It permits execution only of server\-side Git commands implementing the pull/push functionality, plus custom commands present in a subdirectory named \fBgit\-shell\-commands\fR in the user\(cqs home directory\&.
- .SH "COMMANDS"
- .sp
- \fIgit shell\fR accepts the following commands after the \fB\-c\fR option:
- .PP
- \fIgit receive\-pack <argument>\fR, \fIgit upload\-pack <argument>\fR, \fIgit upload\-archive <argument>\fR
- .RS 4
- Call the corresponding server\-side command to support the client\(cqs
- \fIgit push\fR,
- \fIgit fetch\fR, or
- \fIgit archive \-\-remote\fR
- request\&.
- .RE
- .PP
- \fIcvs server\fR
- .RS 4
- Imitate a CVS server\&. See
- \fBgit-cvsserver\fR(1)\&.
- .RE
- .sp
- If a \fB~/git\-shell\-commands\fR directory is present, \fIgit shell\fR will also handle other, custom commands by running "\fBgit\-shell\-commands/\fR\fI<command>\fR \fI<arguments>\fR" from the user\(cqs home directory\&.
- .SH "INTERACTIVE USE"
- .sp
- By default, the commands above can be executed only with the \fB\-c\fR option; the shell is not interactive\&.
- .sp
- If a \fB~/git\-shell\-commands\fR directory is present, \fIgit shell\fR can also be run interactively (with no arguments)\&. If a \fBhelp\fR command is present in the \fBgit\-shell\-commands\fR directory, it is run to provide the user with an overview of allowed actions\&. Then a "git> " prompt is presented at which one can enter any of the commands from the \fBgit\-shell\-commands\fR directory, or \fBexit\fR to close the connection\&.
- .sp
- Generally this mode is used as an administrative interface to allow users to list repositories they have access to, create, delete, or rename repositories, or change repository descriptions and permissions\&.
- .sp
- If a \fBno\-interactive\-login\fR command exists, then it is run and the interactive shell is aborted\&.
- .SH "EXAMPLES"
- .sp
- To disable interactive logins, displaying a greeting instead:
- .sp
- .if n \{\
- .RS 4
- .\}
- .nf
- $ chsh \-s /usr/bin/git\-shell
- $ mkdir $HOME/git\-shell\-commands
- $ cat >$HOME/git\-shell\-commands/no\-interactive\-login <<\eEOF
- #!/bin/sh
- printf \*(Aq%s\en\*(Aq "Hi $USER! You\*(Aqve successfully authenticated, but I do not"
- printf \*(Aq%s\en\*(Aq "provide interactive shell access\&."
- exit 128
- EOF
- $ chmod +x $HOME/git\-shell\-commands/no\-interactive\-login
- .fi
- .if n \{\
- .RE
- .\}
- .sp
- To enable git\-cvsserver access (which should generally have the \fBno\-interactive\-login\fR example above as a prerequisite, as creating the git\-shell\-commands directory allows interactive logins):
- .sp
- .if n \{\
- .RS 4
- .\}
- .nf
- $ cat >$HOME/git\-shell\-commands/cvs <<\eEOF
- if ! test $# = 1 && test "$1" = "server"
- then
- echo >&2 "git\-cvsserver only handles \e"server\e""
- exit 1
- fi
- exec git cvsserver server
- EOF
- $ chmod +x $HOME/git\-shell\-commands/cvs
- .fi
- .if n \{\
- .RE
- .\}
- .SH "SEE ALSO"
- .sp
- ssh(1), \fBgit-daemon\fR(1), contrib/git\-shell\-commands/README
- .SH "GIT"
- .sp
- Part of the \fBgit\fR(1) suite