Restricted User Shell
Remote access to Git repositories over ssh causes execution of
git-upload-pack on the server.
The simplest rule for Git is:
rule git set $command ~ "^git-(receive|upload)-pack" set  =~ "s|^|/usr/bin/|"
set action is necessary to ensure the proper location
of Git binaries to use. This example supposes they are placed in
/usr/bin, you will have to tailor it if they are located
elsewhere on your system.
To limit Git accesses to repositories under /gitroot directory, modify the ‘$1’, as shown in the example below:
rule git match $command ~ "^git-(receive|upload)-pack" set  =~ "^/gitroot[^ ]+\.git$" set  =~ "s|^|/usr/bin/|"
To provide more helpful error messages, you may follow this rule by a trap rule (see trap rules):
# Trap the rest of Git requests: rule git-trap match $command ~ "^git-.+" exit "fatal: access to this repository is denied."
This document was generated on June 29, 2019 using makeinfo.Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.