git-daemon
Provide unauthenticated Git repository access
TLDR
Launch a Git daemon with a whitelisted set of directories
Launch a Git daemon with a specific base directory and allow pulling from all sub-directories that look like Git repositories
Launch a Git daemon for the specified directory, verbosely printing log messages and allowing Git clients to write to it
SYNOPSIS
git-daemon [--help | --version | --usage]
git-daemon [--base-path=<path>] [--port=<port>] [--listen=<host-or-ip>] [--syslog | --log-output] [--max-connections=<n>] [--timeout=<n>] [--initd | --inetd] [--user=<user>] [--group=<group>] [--enable=<service>] [--disable=<service>] [--verbose] [--export-all] [--upload-pack | --no-upload-pack] [--upload-archive | --no-upload-archive] [--receive-pack | --no-receive-pack] [--strict-paths] [--interpolated-path=<path>] [--informative-errors] [--allow-override=<service>] [--forbid-override=<service>] [<directory>]
PARAMETERS
--base-path=<path>
Sets a base path for repositories. Clients must specify a path relative to this base path. This is useful for restricting access to a specific directory.
--port=<port>
Listens on the specified port instead of the default Git protocol port (9418).
--listen=<host-or-ip>
Listens on the specified host or IP address. By default, it listens on all available interfaces.
--export-all
Allows serving all repositories that do not have the daemon.uploadpack config variable explicitly set to false. Without this option, only repositories with daemon.uploadpack=true or a git-daemon-export-ok file are served.
--enable=<service>
Enables the specified service (e.g., upload-pack, upload-archive). By default, only upload-pack is enabled for exportable repositories.
--disable=<service>
Disables the specified service. This overrides any --enable or configuration settings.
--syslog
Logs messages to syslog instead of standard error.
--log-output
Logs messages to standard error. This is the default unless --inetd or --syslog is used.
--max-connections=<n>
Sets the maximum number of concurrent connections the daemon will handle. New connections are rejected once this limit is reached.
--timeout=<n>
Sets the maximum number of seconds to wait for a new connection or for an idle client to become active. After this time, the connection is dropped.
--initd
Runs the daemon in a way suitable for an init script, detaching from the controlling terminal and listening on the configured port. This is for standalone daemon operation.
--inetd
Runs the daemon in a way suitable for inetd or xinetd. It expects to read from standard input and write to standard output. This mode handles a single connection and then exits.
--user=<user>
Changes the user ID to <user> after binding the listening socket. Requires root privileges to set up.
--group=<group>
Changes the group ID to <group> after binding the listening socket. Requires root privileges to set up.
--verbose
Prints more detailed diagnostic information to the log output.
DESCRIPTION
The git-daemon command provides a simple, lightweight way to serve Git repositories over the unauthenticated Git protocol (port 9418 by default). It is primarily used for providing public, read-only access to repositories, such as those found in many open-source projects. Unlike HTTP or SSH, the Git protocol is designed specifically for Git, offering high performance and low overhead for anonymous clones and fetches.
When running, git-daemon listens for incoming connections and, upon request, serves content from specified repositories. For a repository to be served, it must be explicitly marked as exportable. This is typically done by setting the daemon.uploadpack configuration variable to true within the repository's configuration, or by placing a git-daemon-export-ok file at the root of the repository. Clients connect using git clone git://hostname/path/to/repo.git.
git-daemon can run as a standalone process (often started from an init script), or it can be managed by a 'super-server' like inetd or xinetd, which spawns an instance of the daemon for each incoming connection. It provides no authentication or encryption, so it is suitable only for publicly accessible data whose protection in transit is not a primary concern.
CAVEATS
git-daemon offers only unauthenticated, unencrypted, read-only access to Git repositories. This implies several caveats:
- No Authentication: Any client can connect and clone/fetch data from exposed repositories. It is unsuitable for private repositories or sensitive data.
- No Encryption: Data transfer occurs in plaintext over the network. Malicious actors could intercept and read the data.
- Read-Only: Pushing changes back to the server is not supported via git-daemon. For write access, an SSH-based or HTTP/S-based Git server is required.
- Repository Export Configuration: Repositories are not served by default. They must be explicitly marked for export either by having a git-daemon-export-ok file or by setting daemon.uploadpack=true in their configuration. Care must be taken not to accidentally expose unintended repositories, though the --export-all option can override this default behavior.
REPOSITORY EXPORT CONFIGURATION
For a repository to be served by git-daemon, it must be explicitly configured for export. There are two primary ways to do this:
- git-daemon-export-ok file: Placing an empty file named git-daemon-export-ok in the root directory of the Git repository will mark it as exportable. This is a simple, direct method.
- daemon.uploadpack config: Setting the Git configuration variable daemon.uploadpack to true within the repository's .git/config file enables the upload-pack service for that repository. This is the more modern and flexible approach. Similarly, daemon.uploadarchive=true enables the upload-archive service.
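An added example, not part of the original page or of Git: a POSIX shell audit that walks a base path and reports which repositories carry the git-daemon-export-ok marker and would therefore be served. It assumes the marker sits in the Git directory itself (the bare repository root, or .git inside a working tree), and the function names are illustrative. It goes slightly beyond the text by also showing what --export-all would expose.

```shell
#!/bin/sh
# Audit which repositories under a base path git-daemon would export.
# Assumption: a directory is a Git directory when it holds HEAD, objects/
# and refs/, and the export marker is looked up inside that directory.

is_git_dir() {
    [ -f "$1/HEAD" ] && [ -d "$1/objects" ] && [ -d "$1/refs" ]
}

# audit_exports BASE [yes]
# Prints "EXPORTED <dir>" or "hidden   <dir>" for every Git directory found.
# Pass "yes" as the second argument to model a daemon started with --export-all.
audit_exports() {
    base=$1
    export_all=${2:-no}
    find "$base" -type f -name HEAD 2>/dev/null | sort |
    while IFS= read -r head; do
        dir=${head%/HEAD}
        # Skip look-alikes such as logs/HEAD or refs/remotes/origin/HEAD.
        is_git_dir "$dir" || continue
        if [ "$export_all" = yes ] || [ -e "$dir/git-daemon-export-ok" ]; then
            printf 'EXPORTED %s\n' "$dir"
        else
            printf 'hidden   %s\n' "$dir"
        fi
    done
}

# count_exported BASE [yes]
# Prints the number of repositories that would be served.
count_exported() {
    audit_exports "$@" | grep -c '^EXPORTED' || true
}

# Stand-alone use: sh audit.sh /srv/git [yes]
if [ "$#" -gt 0 ]; then
    audit_exports "$@"
fi
```

Run it against the directory you intend to pass as --base-path before starting the daemon. Any EXPORTED line you did not expect is a repository that anonymous clients could clone.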
RUNNING AS A SERVICE
git-daemon can be run in two main modes:
- Standalone Daemon: Using the --initd option, git-daemon can run as a persistent background process. This is suitable for scenarios where the daemon needs to be constantly running, such as when configured via a system's init or systemd scripts.
- Super-server (inetd/xinetd): Using the --inetd option, git-daemon can be spawned on demand by a super-server like inetd or xinetd. In this mode, it handles a single connection and then exits. This is useful for managing resource usage and connection limits, especially when connections are infrequent.
HISTORY
git-daemon is one of the original methods for serving Git repositories over the network, introduced very early in Git's development alongside SSH-based access. Its design prioritizes simplicity and performance for anonymous, read-only distribution of code. It leverages a custom, lightweight protocol that is highly optimized for Git's data transfer needs. While more feature-rich Git hosting solutions (like GitWeb, Git-HTTP, or full-fledged Git platforms) have emerged, git-daemon remains a fundamental tool for providing raw, low-overhead public access to Git repositories, especially in scenarios where high-volume anonymous cloning is desired without the overhead of HTTP or SSH server stacks.
SEE ALSO
git(1), git-clone(1), git-upload-pack(1), git-upload-archive(1), inetd(8), xinetd(8)