Push-only git server

Author

Kristof Kovacs

Software Architect & DevOps Consultant

Hello, I’m Kristof, a human being like you, and an easy to work with, friendly guy.

I've been a programmer, a consultant, CIO in startups, head of software development in government, and built two software companies.

Some days I’m coding Golang in the guts of a system and other days I'm wearing a suit to help clients with their DevOps practices.

Sometimes, working in some restricted environment, you need to push a few commits back to a git repo (for example, a hotfix). The git binary has a relatively obscure http-backend command that can help.

WARNING! This is hack-ish, and should be used only if you have a good reason to. You really should NOT use this over the Internet, since it's unencrypted. But it is safe in that your repo can't be cloned from the temporary, receiving server. It's push-only.

RECEIVING side, make a "bare" copy of the original repo:

git clone --bare url-of-the-the-original-repo bare
cd bare

RECEIVING side, run git http-backend like this:

sudo sysctl net.ipv4.ip_unprivileged_port_start=0 # If you need a <1024 port
git config --local http.receivepack true # Needed for push
git config --local http.uploadpack false # Disabling clone/pull
git config --local http.getanyfile false # Disabling ancient functionality
mkdir cgi-bin; printf '#!/bin/bash\nGIT_HTTP_EXPORT_ALL=1 git http-backend' >cgi-bin/repo; chmod 755 cgi-bin/repo
python3 -m http.server --cgi 80

SENDING side (where you push from):

git push http://SERVERNAME/cgi-bin/repo

RECEIVING side, forward the reveived commits to the original repo:

git push --all origin

Then stop the server. This is unsafe to keep running for more than a few moments (anyone could push you code without authentication).