git-daemon(1) chroot(8)
=========================

This script isolates git-daemon(1) inside a chroot. Without this,
git-daemon(1) has access to the entire file system.

Latest Release: 71 on April 29 2022
Install: # sh chroot_gitdaemon.sh


Protocols
----------

There are a few protocols to serve git(1) repositories:

- dumb http
- git
- others

The dumb http protocol is easy to set up if you are already running an HTTP
server, but the performance is not great:

    $ time git clone http://www.0x30.net/git/citrun
    Cloning into 'citrun'...
    Fetching objects: 10233, done.
        2m03.64s real     0m02.89s user     0m03.77s system

The performance of the native git-daemon(1) protocol is better:

    $ time git clone git://www.0x30.net/citrun
    Cloning into 'citrun'...
    remote: Enumerating objects: 10233, done.
    remote: Counting objects: 100% (10233/10233), done.
    remote: Compressing objects: 100% (5236/5236), done.
    remote: Total 10233 (delta 6802), reused 7596 (delta 4866), pack-reused 0
    Receiving objects: 100% (10233/10233), 2.19 MiB | 615.00 KiB/s, done.
    Resolving deltas: 100% (6802/6802), done.
        0m08.89s real     0m01.09s user     0m00.18s system

This benchmark shows that the native git-daemon(1) protocol is about 10x
faster than dumb HTTP.

However, git-daemon(1) has filesystem-wide access by default, which makes
running it risky.

Others have suggested that a workaround is possible:
https://marc.info/?l=openbsd-ports&m=146460119010262&w=2


Implementation
---------------

This script creates a chroot(8) for git-daemon(1) to run inside.

It creates all of the necessary files and directories, copies
git-daemon and its dependencies into the root, and then modifies
the stock rc.d(8) script to start it correctly.
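
The "copies git-daemon and its dependencies into the root" step can be
sketched as follows. This is an added example, not code from
chroot_gitdaemon.sh: it assumes the shared objects are discovered with
ldd(1), and the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example, not code from chroot_gitdaemon.sh. Assumption: shared
# objects are discovered with ldd(1); function names are hypothetical.

# Constructed sample of OpenBSD-style ldd(1) output; paths are made up.
sample_ldd_output() {
	cat <<'EOF'
/usr/local/libexec/demo-daemon:
	Start            End              Type  Open Ref GrpRef Name
	00000a1000000000 00000a1000010000 exe   1    0   0      /usr/local/libexec/demo-daemon
	00000a1200000000 00000a1200100000 rlib  0    1   0      /usr/lib/libc.so.0.0
	00000a1300000000 00000a1300010000 ld.so 0    1   0      /usr/libexec/ld.so
EOF
}

# ldd_paths: read ldd(1) output on stdin, print each absolute path once.
# Keeping every token that starts with "/" handles both OpenBSD's table
# and the "name => /path (addr)" style, and includes the dynamic linker.
ldd_paths() {
	awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { sub(/:$/, "", $i); print $i } }' |
	LC_ALL=C sort -u
}

# stage_file ROOT PATH: copy PATH to ROOT/PATH, creating parent directories.
stage_file() {
	root=$1 src=$2
	case $src in /*) ;; *) echo "not absolute: $src" >&2; return 1 ;; esac
	[ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
	mkdir -p "$root$(dirname "$src")" && cp -p "$src" "$root$src"
}

# populate_chroot ROOT BIN: stage BIN plus everything ldd(1) lists for it.
populate_chroot() {
	root=$1 bin=$2
	stage_file "$root" "$bin" || return 1
	for dep in $(ldd "$bin" | ldd_paths); do
		if [ -f "$dep" ]; then stage_file "$root" "$dep" || return 1; fi
	done
}

# Usage: sh stage.sh /path/to/newroot /path/to/binary
if [ "$#" -eq 2 ]; then populate_chroot "$1" "$2"; fi
```

Run it once for each executable that has to exist inside the new root.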