LinuxCommandLibrary

git-daemon

Provide unauthenticated Git repository access

TLDR

Launch a Git daemon with a whitelisted set of directories

$ git daemon --export-all [path/to/directory1] [path/to/directory2]
copy

Launch a Git daemon with a specific base directory and allow pulling from all sub-directories that look like Git repositories
$ git daemon --base-path=[path/to/directory] --export-all --reuseaddr
copy

Launch a Git daemon for the specified directory, verbosely printing log messages and allowing Git clients to write to it
$ git daemon [path/to/directory] --enable=receive-pack --informative-errors --verbose
copy

SYNOPSIS

git daemon [--verbose] [--detach] [--listen=] [--port=] [--inetd] [--export-all] [--base-path=] [--access-ok=] [--receive-pack=] [--upload-pack=] [--pid-file=] [--syslog] [--user=] [--group=] [--umask=] [--max-connections=] [--max-threads=] [--timeout=] [--reuseaddr] [--strict-paths] [--enable=] [--disable=] [--init-timeout=] [--max-cache-size=] [--stat-ctime] [--informative-errors] [--tcp-window-size=] [--help] []

PARAMETERS

--verbose
    Be more verbose.

--detach
    Detach from the terminal and run in the background as a daemon.

--listen=
    Listen on the specified host or IP address. Defaults to all interfaces.

--port=
    Listen on the specified port. Defaults to 9418.

--inetd
    Run as an inetd service.

--export-all
    Pretend as if all directories under the current directory are Git repositories.

--base-path=
    Restrict access to repositories under the specified path.

--access-ok=
    Specifies the 'git-daemon-export-ok' file location.

--receive-pack=
    Path to git-receive-pack executable. Defaults to git-receive-pack.

--upload-pack=
    Path to git-upload-pack executable. Defaults to git-upload-pack.

--pid-file=
    Write the process ID to the specified file.

--syslog
    Log to syslog.

--user=
    Run as the specified user.

--group=
    Run as the specified group.

--umask=
    Set the umask for new files.

--max-connections=
    Limit the number of concurrent connections.

--max-threads=
    Limit the number of threads.

--timeout=
    Set the timeout for idle connections in seconds.

--reuseaddr
    Enable SO_REUSEADDR socket option.

--strict-paths
    Only allow access to explicitly exported repositories.

--enable=
    Enable a specific service (e.g., upload-pack, receive-pack).

--disable=
    Disable a specific service.

--init-timeout=
    Set the initial connection timeout in seconds.

--max-cache-size=
    Set the maximum cache size.

--stat-ctime
    Use ctime for stat information

--informative-errors
    Return more verbose error message strings to clients.

--tcp-window-size=
    Use specified TCP window size.

[]
    Serve repositories from the specified directory. If omitted, the current directory is used.

DESCRIPTION

git-daemon is a simple Git server that provides unauthenticated read-only access to Git repositories.
It is typically used for serving public Git repositories without requiring users to have accounts on the server.
git-daemon listens on a specified port (default is 9418) and handles requests from Git clients like git clone, git fetch, and git pull.
It can serve multiple repositories concurrently and supports various options to control access, logging, and security. It is designed to be lightweight and efficient, suitable for serving a large number of repositories to many clients.
It's crucial to configure git-daemon securely, especially when serving private repositories (even with limited read only access).
Consider access restrictions and proper firewalls if you are not sure about exposing data to outside world.

CAVEATS

It's strongly recommended to run git-daemon with appropriate access controls and behind a firewall, especially when serving private repositories. Ensure that repositories are explicitly marked for export using 'git update-server-info' or by creating a 'git-daemon-export-ok' file in the repository's root.

SECURITY CONSIDERATIONS

Never expose git-daemon directly to the internet without proper security measures.
Use firewalls, restrict access based on IP addresses, and carefully configure the available services. Always verify repositories are meant to be public via the 'git-daemon-export-ok' file.

INETD CONFIGURATION

When running under inetd, use the '--inetd' option. Configure inetd to invoke git-daemon with the appropriate user and arguments. Example snippet:
git stream tcp nowait nobody /usr/bin/git daemon --inetd --export-all --base-path=/path/to/repos

EXPORTING REPOSITORIES

To allow a repository to be served by git-daemon, create a file named 'git-daemon-export-ok' in the repository's root directory. This file acts as an explicit confirmation that the repository is intended to be publicly accessible.
Alternatively, use 'git update-server-info'.

HISTORY

The git-daemon command has been part of Git since its early days, designed as a simple way to serve repositories over the Git protocol.
It has evolved with added features for security and performance, but its core purpose remains the same: to provide an easy and efficient read-only Git server.

SEE ALSO

Copied to clipboard