From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS53758 23.128.96.0/24 X-Spam-Status: No, score=-3.8 required=3.0 tests=AWL,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_PASS, SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by dcvr.yhbt.net (Postfix) with ESMTP id 950C11F9E3 for ; Fri, 1 May 2020 07:33:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728357AbgEAHdM (ORCPT ); Fri, 1 May 2020 03:33:12 -0400 Received: from cloud.peff.net ([104.130.231.41]:33418 "HELO cloud.peff.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1726452AbgEAHdM (ORCPT ); Fri, 1 May 2020 03:33:12 -0400 Received: (qmail 2460 invoked by uid 109); 1 May 2020 07:33:11 -0000 Received: from Unknown (HELO peff.net) (10.0.1.2) by cloud.peff.net (qpsmtpd/0.94) with SMTP; Fri, 01 May 2020 07:33:11 +0000 Authentication-Results: cloud.peff.net; auth=none Received: (qmail 16007 invoked by uid 111); 1 May 2020 07:33:11 -0000 Received: from coredump.intra.peff.net (HELO sigill.intra.peff.net) (10.0.0.2) by peff.net (qpsmtpd/0.94) with (TLS_AES_256_GCM_SHA384 encrypted) ESMTPS; Fri, 01 May 2020 03:33:11 -0400 Authentication-Results: peff.net; auth=none Date: Fri, 1 May 2020 03:33:11 -0400 From: Jeff King To: Junio C Hamano Cc: douglas.fuller@gmail.com, git@vger.kernel.org Subject: [PATCH v2 2/2] gitcredentials(7): make shell-snippet example more realistic Message-ID: <20200501073311.GB27675@coredump.intra.peff.net> References: <20200501073222.GB27392@coredump.intra.peff.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20200501073222.GB27392@coredump.intra.peff.net> Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org There's an example of using your own bit of shell to act as a credential helper, but it's not very realistic: - It's stupid to hand out your secret password to _every_ host. In the real world you'd use the config-matcher to limit it to a particular host. - We never provided a username. We can easily do that in another config option (you can do it in the helper, too, but this is much more readable). - We were sending the secret even for store/erase operations. This is OK because Git would just ignore it, but a real system would probably be unlocking a password store, which you wouldn't want to do more than necessary. Signed-off-by: Jeff King --- Documentation/gitcredentials.txt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Documentation/gitcredentials.txt b/Documentation/gitcredentials.txt index 8127dfcd2f..0d0f7149bd 100644 --- a/Documentation/gitcredentials.txt +++ b/Documentation/gitcredentials.txt @@ -233,8 +233,9 @@ Here are some example specifications: helper = "/path/to/my/helper --with-arguments" # or you can specify your own shell snippet -[credential] - helper = "!f() { echo \"password=$(cat $HOME/.secret)\"; }; f" +[credential "https://example.com"] + username = your_user + helper = "!f() { test \"$1\" = get && echo \"password=$(cat $HOME/.secret)\"; }; f" ---------------------------------------------------- Generally speaking, rule (3) above is the simplest for users to specify. -- 2.26.2.933.gdf62622942