I'm starting to learn how to use git and I'm very doubful with some questions about security.

I need to manage my codes (in the same GitHub account) between my personal computer and my computer from work, so I've installed git on both. When I clone my repository (personal or private), make changes to it, and push it back, it accepts the pushing without any verification of who is pushing it.

So my question is: How does git know who is pushing to my GitHub repository? If anyone uses "git clone https://github.com/username/myrepo.git", will them be able to push to it? How can I avoid that?

I read in other posts that is not possible, but I still don't understand in what step git verifies who is pushing.

CodePudding user response：

No, not anybody is allowed to push to a repository. Authentication on GitHub is either done via PAT (personal access token), browser login via credential manager, or with an SSH key. All 3 are bound to your GitHub account.

By default, only the owner of a repository can push to it, but you can add more users to your repo.

Further reading:

• GitHub authentication

CodePudding user response：

How does git know who is pushing to my GitHub repository?

The short answer is "it doesn't" or "Git has no idea".

Each commit in Git has two name email-address date-and-time-stamp fields, which Git calls the author and the committer. Whoever makes the commit controls these two fields, which contain nearly-arbitrary strings (which Git reads from your user.name and user.email settings, assuming you've set them¹). Once the commit is made, these two cannot be changed—if they're wrong, you have to stop using that commit and make a new and improved commit that has the right stuff in it. (The new-and-improved commit may otherwise look exactly the same, but it will have a different big ugly hash ID, and the old hash ID will still refer to the old commit. By using git commit --amend or similar, you can kick the old commit "off" the branch, so that only the new corrected commit shows up.)

As knittl answered, GitHub has GitHub-side access controls. You must first authenticate to GitHub, by whatever means GitHub provide for you. This authentication process enables GitHub to decide who they think you are, and that in turn controls whether they allow the git push to proceed. But this is not a Git thing, it's a GitHub thing.

Note that all² web hosting providers (e.g., Bitbucket and GitLab as well) use extremely similar authentication tricks, for the same rather obvious reason.

¹If you have not set them, Git has a compiled-in set of procedures it follows:

1. It checks user.useConfigOnly, a boolean configuration setting. If this is true or any other boolean equivlaent, it dies with a fatal error.
2. Otherwise, if Git is compiled to do so, it uses some OS and/or build specific method to guess your name and email address. If that works, it uses the guess.
3. Finally, all else having failed, it dies with the same fatal error you can choose in step 1.

The point of user.useConfigOnly is to enable you to force you to set user.name and user.email within each repository, in case you want to do this on a per-repository rather than global-for-your-user state.

²There could be some that don't, but I wonder who would use them.