Thread (3 messages), 3 authors, 2025-03-25

Re: [PATCH v3] shell: allow overriding built-in commands

From: Ayman Bagabas <hidden>
Date: 2025-03-25 22:44:40

On Mar 24, 2025, at 11:28 PM, Jeff King [off-list ref] wrote:

> On Sun, Mar 23, 2025 at 10:27:32PM -0700, Junio C Hamano wrote:
>
>> Jeff King [off-list ref] writes:
>>
>>> So it seems like a reasonable goal. A more restricted approach might be
>>> to provide a more formal hook/plugin interface. E.g., to run a hook
>>> script with the command name and arguments, and have it return
>>> success/failure to allow the to proceed.
>>>
>>> That's not quite as flexible (in your approach I could replace what
>>> upload-pack is doing entirely, cache its output, and so on). But it
>>> might be harder for admins to screw up. I dunno.
>>
>> Yeah, we usually try not to be overly flexible for that reason, but
>> given that "git shell" is so limited that rewriting its services
>> wholesale is not all that much of a deal, I think it is OK.
>>
>> I however wonder if it is worth admins' time and effort to add
>> features to "git-shell" using this new facility, or if they are
>> better off using something more established like gitolite once they
>> want to go fancier beyond what the basic "git-shell" offers.
>
> Yeah, I left my general opinions on git-shell unspoken. ;)
>
> For features, I think you are probably better off with something like
> gitolite (which I think does have some access control).

Gitolite is great software, but it also has its limitations. It couples
authentication and authorization in the same system. However, I'm looking
for something more flexible, where I can plug whatever authentication
or authorization system into the mix, similar to git-http-backend paired with
apache/nginx/h2o/etc.

> For security, I'd be a little scared of git-shell, just because it's not
> run all that frequently and we've had issues with it before (e.g.,
> integer overflows). If you're taking requests from untrusted clients,
> you're probably better off configuring http service.

That's a fair point. Perhaps writing my own restricted shell might be
the best solution for what I'm looking for :/

> I also imagine there may be restricted shell implementations that are
> more general and more battle-hardened, that you could configure to only
> run a few commands. But I haven't looked at that space (because again,
> I'd suggest just git-over-http).

If you know any general restricted shell implementations, please do tell. I'm
looking for an SSH solution, something pluggable like git-http-backend that
I can build on top of.

Honestly, git-shell's simplicity is what got my interest at first. The fact that
it's not secure and not run frequently can change and be improved.

- Ayman
