git-shell
Restrict SSH access to Git operations only
SYNOPSIS
git-shell [-c command]
PARAMETERS
-c command
Executes a specific Git command supplied directly on the command line, typically used when invoked by SSH to perform a Git operation (e.g., git-upload-pack, git-receive-pack), rather than waiting for interactive input from the user.
DESCRIPTION
git-shell is a restricted login shell program designed to provide a secure and controlled environment for users accessing Git repositories via SSH. Its primary function is to prevent arbitrary shell access while allowing legitimate Git operations. When a user's login shell is set to git-shell (typically in /etc/passwd or via the command= option in ~/.ssh/authorized_keys), they are limited to executing only Git-specific commands. These cover common operations like git push and git pull, which rely on the underlying server-side transfer commands such as git-upload-pack, git-receive-pack, and git-upload-archive.
Any attempt to execute other shell commands or arbitrary programs is rejected by git-shell, ensuring that the server remains secure and only permitted Git activities take place. This makes git-shell an essential component for hosting Git repositories where security and restricted access are paramount. It also offers a mechanism for controlled extensibility by allowing specific custom commands.
CAVEATS
git-shell is intended to be a highly restrictive shell. Users whose login shell is set to git-shell will not have access to a general interactive shell prompt and cannot execute arbitrary system commands.
While it's possible to whitelist custom commands by placing executables in ~/git-shell-commands/, this should be done with extreme caution to maintain the security integrity of the server. Misconfigured custom commands can expose vulnerabilities.
CUSTOM COMMANDS
Administrators can enable specific non-Git commands to be executed by users configured with git-shell. This is achieved by placing executable files within the ~/git-shell-commands/ directory. These commands will then be callable by users, either as git command-name or directly by their name if invoked via the SSH command= option.
INTERACTIVE LOGIN PREVENTION
To prevent users from establishing an interactive shell session with git-shell, an empty file named no-interactive-login can be created within the ~/git-shell-commands/ directory. The presence of this file forces users to only execute commands via the SSH command= mechanism, ensuring that only Git push/pull operations or explicitly allowed custom commands are possible, and no general interactive user login is permitted.
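An added example, not part of Git or of the original page: a POSIX shell check an administrator could run over a ~/git-shell-commands/ directory, covering the caveat about custom commands and the no-interactive-login file described above. The function name audit_git_shell_commands and the choice of checks are assumptions of this example, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with Git).
# Prints one line per observation and returns the number of WARN findings.
audit_git_shell_commands() {
    dir=$1
    warn=0
    if [ ! -d "$dir" ]; then
        echo "OK    $dir absent: no custom commands are exposed"
        return 0
    fi
    # Anyone who can write here can add a command the restricted user may run.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WARN  $dir is group- or world-writable"; warn=$((warn + 1))
    fi
    if [ ! -e "$dir/no-interactive-login" ]; then
        echo "WARN  no-interactive-login missing: interactive login not prevented"
        warn=$((warn + 1))
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # glob matched nothing
        name=${f##*/}
        [ "$name" = no-interactive-login ] && continue
        if [ -L "$f" ]; then
            echo "WARN  $name is a symlink; check the target's owner and permissions"
            warn=$((warn + 1))
        elif [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WARN  $name is group- or world-writable"; warn=$((warn + 1))
        elif [ -x "$f" ]; then
            echo "INFO  $name is callable by git-shell users; review what it does"
        fi
    done
    return "$warn"
}

# Constructed demo: a throwaway directory standing in for ~/git-shell-commands.
demo=$(mktemp -d)
mkdir "$demo/git-shell-commands"
chmod 755 "$demo/git-shell-commands"
: > "$demo/git-shell-commands/no-interactive-login"
printf '#!/bin/sh\necho "repos: (list here)"\n' > "$demo/git-shell-commands/list"
chmod 755 "$demo/git-shell-commands/list"
audit_git_shell_commands "$demo/git-shell-commands"
echo "findings: $?"
rm -rf "$demo"
```

The glob skips dotfiles, so hidden entries in the directory need a separate look.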
HISTORY
git-shell has been an integral part of the Git ecosystem since its early development. It was conceived to address the crucial need for secure, SSH-based access to Git repositories, a common and preferred method for remote Git operations. Its design has consistently focused on providing a robust mechanism to limit user access to only Git-related commands, thereby mitigating potential security risks associated with granting full shell access on repository hosting servers.