0

I'm trying to meet a requirement where devs can log in to a server, launch, and test code without having the ability to pull code from the repository (or access any SSH keys).

I don't want to grant them access to push or pull from Git.

Currently, I have the root user set up with an SSH key for Git that allows cloning and pulling to /home/luser/myproject.

However, I realize that running these operations as root isn't ideal since I have to change the ownership of the files afterward. But I can't give developers access to these SSH keys. They only need to be able to log in, launch the code, and run their tests.

I am thinking of maybe a cronjob to pull code and then chown the files afterwards, but perhaps there is a recommended practice for this, where users can have access to pulled code, but nothing more.

Is there a recommended practice for this? Surely there is.

4
  • 5
    This sounds a bit like an XY problem. I suspect that the recommended practice is a proper CI/CD system, rather than trying to hack something together with cronjobs.
    – Gh0stFish
    Commented Aug 25, 2024 at 20:41
  • 2
    Can you elaborate on the distinction between granting developers access to the latest code, while denying them pull access? Pulling code and having access to the latest code seem equivalent to me, but you seem to want one without the other. Why is that?
    – Sjoerd
    Commented Aug 26, 2024 at 11:49
  • 1
    The recommended practice is to have dedicated dev/test sandbox environments separate from your critical production servers, where developers can do whatever they want without serious security implications. Automate your deployment process so developer involvement is not required, and use protected branch and gated checkin features of your CI/CD solution (Azure DevOps, GitHub, GitLab, TeamCity, etc.) to prevent developers from pushing straight into production.
    – DL444
    Commented Aug 26, 2024 at 13:30
  • This is dev, I just wanted restrictions there too. Anyway, I get the point. A proper CI/CD process should exist.
    – LUser
    Commented Aug 27, 2024 at 11:21

1 Answer

1

You could use a restricted shell. For example, Bash has an option for that purpose. Then you just have to change the default shell for the users you want to restrict. There are others like rssh, which is designed for SCP/SFTP operations. A bit of chrooting can help maybe.

Be aware that evasion techniques do exist. A write-up on the subject.

Also, SSH login should take place with public key authentication and each user should therefore have their own keys.
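
The cron idea from the question, reworked so that neither root nor the developers ever hold the Git key. This is an added example, not code from the question or the answer. It assumes a dedicated `deploy` account that alone owns the SSH key, a `devs` group, and the paths and script name marked hypothetical in the comments.

```shell
#!/bin/sh
# Added example. Assumed names: a dedicated "deploy" account that alone holds the
# Git SSH key, its private clone in CHECKOUT (mode 0700), and a "devs" group.
CHECKOUT=${CHECKOUT:-/srv/deploy/checkout}   # hypothetical path
DEST=${DEST:-/home/luser/myproject}          # path from the question
DEV_GROUP=${DEV_GROUP:-devs}                 # hypothetical group

# publish_tree SRC DEST [GROUP]: copy a working tree to DEST without .git
# metadata, readable (not writable) by GROUP, closed to everyone else.
publish_tree() {
    src=$1; dest=$2; group=${3:-}
    [ -d "$src" ] || { echo "missing checkout: $src" >&2; return 1; }
    # mktemp -d creates the staging directory with mode 0700, so nothing is
    # visible to other users until permissions are set below.
    tmp=$(mktemp -d "$dest.new.XXXXXX") || return 1
    cp -R "$src/." "$tmp/" || return 1
    # Drop repository metadata: remote URL, history, hooks, stored credentials.
    find "$tmp" -name .git -prune -exec rm -rf {} +
    if [ -n "$group" ]; then chgrp -R "$group" "$tmp" || return 1; fi
    chmod -R u=rwX,g=rX,o= "$tmp"
    # Swap the new tree into place; the deploy account must own DEST's parent.
    rm -rf "$dest.old"
    if [ -e "$dest" ]; then mv "$dest" "$dest.old" || return 1; fi
    mv "$tmp" "$dest" && rm -rf "$dest.old"
}

# audit_tree DIR: succeed only if DIR holds no .git entry and no private key.
audit_tree() {
    [ -z "$(find "$1" -name .git -print)" ] || return 1
    ! grep -rqs -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# sync_and_publish: what cron runs as the deploy account, e.g.
#   */15 * * * * /usr/local/bin/publish-code.sh run   (hypothetical script path)
sync_and_publish() {
    git -C "$CHECKOUT" pull --ff-only --quiet || return 1
    publish_tree "$CHECKOUT" "$DEST" "$DEV_GROUP" && audit_tree "$DEST"
}

if [ "${1:-}" = run ]; then sync_and_publish; fi
```

The published tree is read-only for the group, so tests that write build output need a separate scratch directory.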
