|  | '\" t | 
|  | .\"     Title: git-daemon | 
|  | .\"    Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author] | 
|  | .\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> | 
|  | .\"      Date: 2025-09-15 | 
|  | .\"    Manual: Git Manual | 
|  | .\"    Source: Git 2.51.0.268.ga483264b01 | 
|  | .\"  Language: English | 
|  | .\" | 
|  | .TH "GIT\-DAEMON" "1" "2025-09-15" "Git 2\&.51\&.0\&.268\&.ga48326" "Git Manual" | 
|  | .\" ----------------------------------------------------------------- | 
|  | .\" * Define some portability stuff | 
|  | .\" ----------------------------------------------------------------- | 
|  | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|  | .\" http://bugs.debian.org/507673 | 
|  | .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html | 
|  | .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | 
|  | .ie \n(.g .ds Aq \(aq | 
|  | .el       .ds Aq ' | 
|  | .\" ----------------------------------------------------------------- | 
|  | .\" * set default formatting | 
|  | .\" ----------------------------------------------------------------- | 
|  | .\" disable hyphenation | 
|  | .nh | 
|  | .\" disable justification (adjust text to left margin only) | 
|  | .ad l | 
|  | .\" ----------------------------------------------------------------- | 
|  | .\" * MAIN CONTENT STARTS HERE * | 
|  | .\" ----------------------------------------------------------------- | 
|  | .SH "NAME" | 
|  | git-daemon \- A really simple server for Git repositories | 
|  | .SH "SYNOPSIS" | 
|  | .sp | 
|  | .nf | 
|  | \fBgit\fR \fBdaemon\fR [\fB\-\-verbose\fR] [\fB\-\-syslog\fR] [\fB\-\-export\-all\fR] | 
|  | [\fB\-\-timeout=\fR\fI<n>\fR] [\fB\-\-init\-timeout=\fR\fI<n>\fR] [\fB\-\-max\-connections=\fR\fI<n>\fR] | 
|  | [\fB\-\-strict\-paths\fR] [\fB\-\-base\-path=\fR\fI<path>\fR] [\fB\-\-base\-path\-relaxed\fR] | 
|  | [\fB\-\-user\-path\fR | \fB\-\-user\-path=\fR\fI<path>\fR] | 
|  | [\fB\-\-interpolated\-path=\fR\fI<pathtemplate>\fR] | 
|  | [\fB\-\-reuseaddr\fR] [\fB\-\-detach\fR] [\fB\-\-pid\-file=\fR\fI<file>\fR] | 
|  | [\fB\-\-enable=\fR\fI<service>\fR] [\fB\-\-disable=\fR\fI<service>\fR] | 
|  | [\fB\-\-allow\-override=\fR\fI<service>\fR] [\fB\-\-forbid\-override=\fR\fI<service>\fR] | 
|  | [\fB\-\-access\-hook=\fR\fI<path>\fR] [\fB\-\-\fR[\fBno\-\fR]\fBinformative\-errors\fR] | 
|  | [\fB\-\-inetd\fR | | 
|  | [\fB\-\-listen=\fR\fI<host\-or\-ipaddr>\fR] [\fB\-\-port=\fR\fI<n>\fR] | 
|  | [\fB\-\-user=\fR\fI<user>\fR [\fB\-\-group=\fR\fI<group>\fR]]] | 
|  | [\fB\-\-log\-destination=\fR(\fBstderr\fR|\fBsyslog\fR|\fBnone\fR)] | 
|  | [\fI<directory>\fR\&...\:] | 
|  | .fi | 
|  | .SH "DESCRIPTION" | 
|  | .sp | 
|  | A really simple TCP Git daemon that normally listens on port "DEFAULT_GIT_PORT" aka 9418\&. It waits for a connection asking for a service, and will serve that service if it is enabled\&. | 
|  | .sp | 
|  | It verifies that the directory has the magic file "git\-daemon\-export\-ok", and it will refuse to export any Git directory that hasn\(cqt explicitly been marked for export this way (unless the \fB\-\-export\-all\fR parameter is specified)\&. If you pass some directory paths as \fBgit\fR \fBdaemon\fR arguments, the offers are limited to repositories within those directories\&. | 
|  | .sp | 
|  | By default, only \fBupload\-pack\fR service is enabled, which serves \fBgit\fR \fBfetch\-pack\fR and \fBgit\fR \fBls\-remote\fR clients, which are invoked from \fBgit\fR \fBfetch\fR, \fBgit\fR \fBpull\fR, and \fBgit\fR \fBclone\fR\&. | 
|  | .sp | 
|  | This is ideally suited for read\-only updates, i\&.e\&., pulling from Git repositories\&. | 
|  | .sp | 
|  | An \fBupload\-archive\fR also exists to serve \fBgit\fR \fBarchive\fR\&. | 
|  | .SH "OPTIONS" | 
|  | .PP | 
|  | \fB\-\-strict\-paths\fR | 
|  | .RS 4 | 
|  | Match paths exactly (i\&.e\&. don\(cqt allow "/foo/repo" when the real path is "/foo/repo\&.git" or "/foo/repo/\&.git") and don\(cqt do user\-relative paths\&. | 
|  | \fBgit\fR | 
|  | \fBdaemon\fR | 
|  | will refuse to start when this option is enabled and no directory arguments are provided\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-base\-path=\fR\fI<path>\fR | 
|  | .RS 4 | 
|  | Remap all the path requests as relative to the given path\&. This is sort of "Git root" \- if you run | 
|  | \fBgit\fR | 
|  | \fBdaemon\fR | 
|  | with | 
|  | \fB\-\-base\-path=/srv/git\fR | 
|  | on | 
|  | \fBexample\&.com\fR, then if you later try to pull from | 
|  | \fBgit://example\&.com/hello\&.git\fR, | 
|  | \fBgit\fR | 
|  | \fBdaemon\fR | 
|  | will interpret the path as | 
|  | \fB/srv/git/hello\&.git\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-base\-path\-relaxed\fR | 
|  | .RS 4 | 
|  | If | 
|  | \fB\-\-base\-path\fR | 
|  | is enabled and repo lookup fails, with this option | 
|  | \fBgit\fR | 
|  | \fBdaemon\fR | 
|  | will attempt to lookup without prefixing the base path\&. This is useful for switching to | 
|  | \fB\-\-base\-path\fR | 
|  | usage, while still allowing the old paths\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-interpolated\-path=\fR\fI<pathtemplate>\fR | 
|  | .RS 4 | 
|  | To support virtual hosting, an interpolated path template can be used to dynamically construct alternate paths\&. The template supports | 
|  | \fB%H\fR | 
|  | for the target hostname as supplied by the client but converted to all lowercase, | 
|  | \fB%CH\fR | 
|  | for the canonical hostname, | 
|  | \fB%IP\fR | 
|  | for the server\(cqs IP address, | 
|  | \fB%P\fR | 
|  | for the port number, and | 
|  | \fB%D\fR | 
|  | for the absolute path of the named repository\&. After interpolation, the path is validated against the directory list\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-export\-all\fR | 
|  | .RS 4 | 
|  | Allow pulling from all directories that look like Git repositories (have the | 
|  | \fIobjects\fR | 
|  | and | 
|  | \fIrefs\fR | 
|  | subdirectories), even if they do not have the | 
|  | \fBgit\-daemon\-export\-ok\fR | 
|  | file\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-inetd\fR | 
|  | .RS 4 | 
|  | Have the server run as an inetd service\&. Implies | 
|  | \fB\-\-syslog\fR | 
|  | (may be overridden with | 
|  | \fB\-\-log\-destination=\fR)\&. Incompatible with | 
|  | \fB\-\-detach\fR, | 
|  | \fB\-\-port\fR, | 
|  | \fB\-\-listen\fR, | 
|  | \fB\-\-user\fR | 
|  | and | 
|  | \fB\-\-group\fR | 
|  | options\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-listen=\fR\fI<host\-or\-ipaddr>\fR | 
|  | .RS 4 | 
|  | Listen on a specific IP address or hostname\&. IP addresses can be either an IPv4 address or an IPv6 address if supported\&. If IPv6 is not supported, then | 
|  | \fB\-\-listen=\fR\fI<hostname>\fR | 
|  | is also not supported and | 
|  | \fB\-\-listen\fR | 
|  | must be given an IPv4 address\&. Can be given more than once\&. Incompatible with | 
|  | \fB\-\-inetd\fR | 
|  | option\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-port=\fR\fI<n>\fR | 
|  | .RS 4 | 
|  | Listen on an alternative port\&. Incompatible with | 
|  | \fB\-\-inetd\fR | 
|  | option\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-init\-timeout=\fR\fI<n>\fR | 
|  | .RS 4 | 
|  | Timeout (in seconds) between the moment the connection is established and the client request is received (typically a rather low value, since that should be basically immediate)\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-timeout=\fR\fI<n>\fR | 
|  | .RS 4 | 
|  | Timeout (in seconds) for specific client sub\-requests\&. This includes the time it takes for the server to process the sub\-request and the time spent waiting for the next client\(cqs request\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-max\-connections=\fR\fI<n>\fR | 
|  | .RS 4 | 
|  | Maximum number of concurrent clients, defaults to 32\&. Set it to zero for no limit\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-syslog\fR | 
|  | .RS 4 | 
|  | Short for | 
|  | \fB\-\-log\-destination=syslog\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-log\-destination=\fR\fI<destination>\fR | 
|  | .RS 4 | 
|  | Send log messages to the specified destination\&. Note that this option does not imply | 
|  | \fB\-\-verbose\fR, thus by default only error conditions will be logged\&. The | 
|  | \fI<destination>\fR | 
|  | must be one of: | 
|  | .PP | 
|  | \fBstderr\fR | 
|  | .RS 4 | 
|  | Write to standard error\&. Note that if | 
|  | \fB\-\-detach\fR | 
|  | is specified, the process disconnects from the real standard error, making this destination effectively equivalent to | 
|  | \fBnone\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | \fBsyslog\fR | 
|  | .RS 4 | 
|  | Write to syslog, using the | 
|  | \fBgit\-daemon\fR | 
|  | identifier\&. | 
|  | .RE | 
|  | .PP | 
|  | \fBnone\fR | 
|  | .RS 4 | 
|  | Disable all logging\&. | 
|  | .RE | 
|  | .sp | 
|  | The default destination is | 
|  | \fBsyslog\fR | 
|  | if | 
|  | \fB\-\-inetd\fR | 
|  | or | 
|  | \fB\-\-detach\fR | 
|  | is specified, otherwise | 
|  | \fBstderr\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-user\-path\fR, \fB\-\-user\-path=\fR\fI<path>\fR | 
|  | .RS 4 | 
|  | Allow ~user notation to be used in requests\&. When specified with no parameter, a request to git://host/~alice/foo is taken as a request to access | 
|  | \fIfoo\fR | 
|  | repository in the home directory of user | 
|  | \fBalice\fR\&. If | 
|  | \fB\-\-user\-path=\fR\fI<path>\fR | 
|  | is specified, the same request is taken as a request to access | 
|  | \fI<path>\fR\fB/foo\fR | 
|  | repository in the home directory of user | 
|  | \fBalice\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-verbose\fR | 
|  | .RS 4 | 
|  | Log details about the incoming connections and requested files\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-reuseaddr\fR | 
|  | .RS 4 | 
|  | Use | 
|  | \fBSO_REUSEADDR\fR | 
|  | when binding the listening socket\&. This allows the server to restart without waiting for old connections to time out\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-detach\fR | 
|  | .RS 4 | 
|  | Detach from the shell\&. Implies | 
|  | \fB\-\-syslog\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-pid\-file=\fR\fI<file>\fR | 
|  | .RS 4 | 
|  | Save the process id in | 
|  | \fI<file>\fR\&. Ignored when the daemon is run under | 
|  | \fB\-\-inetd\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-user=\fR\fI<user>\fR, \fB\-\-group=\fR\fI<group>\fR | 
|  | .RS 4 | 
|  | Change daemon\(cqs uid and gid before entering the service loop\&. When only | 
|  | \fB\-\-user\fR | 
|  | is given without | 
|  | \fB\-\-group\fR, the primary group ID for the user is used\&. The values of the option are given to | 
|  | \fBgetpwnam\fR(\fB3\fR) and | 
|  | \fBgetgrnam\fR(\fB3\fR) and numeric IDs are not supported\&. | 
|  | .sp | 
|  | Giving these options is an error when used with | 
|  | \fB\-\-inetd\fR; use the facility of inet daemon to achieve the same before spawning | 
|  | \fBgit\fR | 
|  | \fBdaemon\fR | 
|  | if needed\&. | 
|  | .sp | 
|  | Like many programs that switch user id, the daemon does not reset environment variables such as | 
|  | \fBHOME\fR | 
|  | when it runs git programs, e\&.g\&. | 
|  | \fBupload\-pack\fR | 
|  | and | 
|  | \fBreceive\-pack\fR\&. When using this option, you may also want to set and export | 
|  | \fBHOME\fR | 
|  | to point at the home directory of | 
|  | \fI<user>\fR | 
|  | before starting the daemon, and make sure any Git configuration files in that directory are readable by | 
|  | \fI<user>\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-enable=\fR\fI<service>\fR, \fB\-\-disable=\fR\fI<service>\fR | 
|  | .RS 4 | 
|  | Enable/disable the service site\-wide per default\&. Note that a service disabled site\-wide can still be enabled per repository if it is marked overridable and the repository enables the service with a configuration item\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-allow\-override=\fR\fI<service>\fR, \fB\-\-forbid\-override=\fR\fI<service>\fR | 
|  | .RS 4 | 
|  | Allow/forbid overriding the site\-wide default with per repository configuration\&. By default, all the services may be overridden\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-informative\-errors\fR, \fB\-\-no\-informative\-errors\fR | 
|  | .RS 4 | 
|  | When informative errors are turned on, git\-daemon will report more verbose errors to the client, differentiating conditions like "no such repository" from "repository not exported"\&. This is more convenient for clients, but may leak information about the existence of unexported repositories\&. When informative errors are not enabled, all errors report "access denied" to the client\&. The default is | 
|  | \fB\-\-no\-informative\-errors\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | \fB\-\-access\-hook=\fR\fI<path>\fR | 
|  | .RS 4 | 
|  | Every time a client connects, first run an external command specified by the <path> with service name (e\&.g\&. "upload\-pack"), path to the repository, hostname (\fB%H\fR), canonical hostname (\fB%CH\fR), IP address (\fB%IP\fR), and TCP port (\fB%P\fR) as its command\-line arguments\&. The external command can decide to decline the service by exiting with a non\-zero status (or to allow it by exiting with a zero status)\&. It can also look at the $REMOTE_ADDR and | 
|  | \fB$REMOTE_PORT\fR | 
|  | environment variables to learn about the requestor when making this decision\&. | 
|  | .sp | 
|  | The external command can optionally write a single line to its standard output to be sent to the requestor as an error message when it declines the service\&. | 
|  | .RE | 
|  | .PP | 
|  | \fI<directory>\fR | 
|  | .RS 4 | 
|  | The remaining arguments provide a list of directories\&. If any directories are specified, then the | 
|  | \fBgit\-daemon\fR | 
|  | process will serve a requested directory only if it is contained in one of these directories\&. If | 
|  | \fB\-\-strict\-paths\fR | 
|  | is specified, then the requested directory must match one of these directories exactly\&. | 
|  | .RE | 
|  | .SH "SERVICES" | 
|  | .sp | 
|  | These services can be globally enabled/disabled using the command\-line options of this command\&. If finer\-grained control is desired (e\&.g\&. to allow \fBgit\fR \fBarchive\fR to be run against only in a few selected repositories the daemon serves), the per\-repository configuration file can be used to enable or disable them\&. | 
|  | .PP | 
|  | upload\-pack | 
|  | .RS 4 | 
|  | This serves | 
|  | \fBgit\fR | 
|  | \fBfetch\-pack\fR | 
|  | and | 
|  | \fBgit\fR | 
|  | \fBls\-remote\fR | 
|  | clients\&. It is enabled by default, but a repository can disable it by setting | 
|  | \fBdaemon\&.uploadpack\fR | 
|  | configuration item to | 
|  | \fBfalse\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | upload\-archive | 
|  | .RS 4 | 
|  | This serves | 
|  | \fBgit\fR | 
|  | \fBarchive\fR | 
|  | \fB\-\-remote\fR\&. It is disabled by default, but a repository can enable it by setting | 
|  | \fBdaemon\&.uploadarch\fR | 
|  | configuration item to | 
|  | \fBtrue\fR\&. | 
|  | .RE | 
|  | .PP | 
|  | receive\-pack | 
|  | .RS 4 | 
|  | This serves | 
|  | \fBgit\fR | 
|  | \fBsend\-pack\fR | 
|  | clients, allowing anonymous push\&. It is disabled by default, as there is | 
|  | \fIno\fR | 
|  | authentication in the protocol (in other words, anybody can push anything into the repository, including removal of refs)\&. This is solely meant for a closed LAN setting where everybody is friendly\&. This service can be enabled by setting | 
|  | \fBdaemon\&.receivepack\fR | 
|  | configuration item to | 
|  | \fBtrue\fR\&. | 
|  | .RE | 
|  | .SH "EXAMPLES" | 
|  | .PP | 
|  | We assume the following in /etc/services | 
|  | .RS 4 | 
|  | .sp | 
|  | .if n \{\ | 
|  | .RS 4 | 
|  | .\} | 
|  | .nf | 
|  | $ grep 9418 /etc/services | 
|  | git             9418/tcp                # Git Version Control System | 
|  | .fi | 
|  | .if n \{\ | 
|  | .RE | 
|  | .\} | 
|  | .RE | 
|  | .PP | 
|  | \fIgit daemon\fR as inetd server | 
|  | .RS 4 | 
|  | To set up | 
|  | \fIgit daemon\fR | 
|  | as an inetd service that handles any repository within | 
|  | \fB/pub/foo\fR | 
|  | or | 
|  | \fB/pub/bar\fR, place an entry like the following into | 
|  | \fB/etc/inetd\fR | 
|  | all on one line: | 
|  | .sp | 
|  | .if n \{\ | 
|  | .RS 4 | 
|  | .\} | 
|  | .nf | 
|  | git stream tcp nowait nobody  /usr/bin/git | 
|  | git daemon \-\-inetd \-\-verbose \-\-export\-all | 
|  | /pub/foo /pub/bar | 
|  | .fi | 
|  | .if n \{\ | 
|  | .RE | 
|  | .\} | 
|  | .RE | 
|  | .PP | 
|  | \fIgit daemon\fR as inetd server for virtual hosts | 
|  | .RS 4 | 
|  | To set up | 
|  | \fIgit daemon\fR | 
|  | as an inetd service that handles repositories for different virtual hosts, | 
|  | \fBwww\&.example\&.com\fR | 
|  | and | 
|  | \fBwww\&.example\&.org\fR, place an entry like the following into | 
|  | \fB/etc/inetd\fR | 
|  | all on one line: | 
|  | .sp | 
|  | .if n \{\ | 
|  | .RS 4 | 
|  | .\} | 
|  | .nf | 
|  | git stream tcp nowait nobody /usr/bin/git | 
|  | git daemon \-\-inetd \-\-verbose \-\-export\-all | 
|  | \-\-interpolated\-path=/pub/%H%D | 
|  | /pub/www\&.example\&.org/software | 
|  | /pub/www\&.example\&.com/software | 
|  | /software | 
|  | .fi | 
|  | .if n \{\ | 
|  | .RE | 
|  | .\} | 
|  | .sp | 
|  | In this example, the root\-level directory | 
|  | \fB/pub\fR | 
|  | will contain a subdirectory for each virtual host name supported\&. Further, both hosts advertise repositories simply as | 
|  | \fBgit://www\&.example\&.com/software/repo\&.git\fR\&. For pre\-1\&.4\&.0 clients, a symlink from | 
|  | \fB/software\fR | 
|  | into the appropriate default repository could be made as well\&. | 
|  | .RE | 
|  | .PP | 
|  | \fIgit daemon\fR as regular daemon for virtual hosts | 
|  | .RS 4 | 
|  | To set up | 
|  | \fBgit\fR | 
|  | \fBdaemon\fR | 
|  | as a regular, non\-inetd service that handles repositories for multiple virtual hosts based on their IP addresses, start the daemon like this: | 
|  | .sp | 
|  | .if n \{\ | 
|  | .RS 4 | 
|  | .\} | 
|  | .nf | 
|  | git daemon \-\-verbose \-\-export\-all | 
|  | \-\-interpolated\-path=/pub/%IP/%D | 
|  | /pub/192\&.168\&.1\&.200/software | 
|  | /pub/10\&.10\&.220\&.23/software | 
|  | .fi | 
|  | .if n \{\ | 
|  | .RE | 
|  | .\} | 
|  | .sp | 
|  | In this example, the root\-level directory | 
|  | \fB/pub\fR | 
|  | will contain a subdirectory for each virtual host IP address supported\&. Repositories can still be accessed by hostname though, assuming they correspond to these IP addresses\&. | 
|  | .RE | 
|  | .PP | 
|  | selectively enable/disable services per repository | 
|  | .RS 4 | 
|  | To enable | 
|  | \fBgit\fR | 
|  | \fBarchive\fR | 
|  | \fB\-\-remote\fR | 
|  | and disable | 
|  | \fBgit\fR | 
|  | \fBfetch\fR | 
|  | against a repository, have the following in the configuration file in the repository (that is the file | 
|  | \fIconfig\fR | 
|  | next to | 
|  | \fBHEAD\fR, | 
|  | \fIrefs\fR | 
|  | and | 
|  | \fIobjects\fR)\&. | 
|  | .sp | 
|  | .if n \{\ | 
|  | .RS 4 | 
|  | .\} | 
|  | .nf | 
|  | [daemon] | 
|  | uploadpack = false | 
|  | uploadarch = true | 
|  | .fi | 
|  | .if n \{\ | 
|  | .RE | 
|  | .\} | 
|  | .RE | 
|  | .SH "ENVIRONMENT" | 
|  | .sp | 
|  | \fBgit\fR \fBdaemon\fR will set \fBREMOTE_ADDR\fR to the IP address of the client that connected to it, if the IP address is available\&. \fBREMOTE_ADDR\fR will be available in the environment of hooks called when services are performed\&. | 
|  | .SH "GIT" | 
|  | .sp | 
|  | Part of the \fBgit\fR(1) suite |