git daemon

The simplest possible Git server. No auth, no encryption.

🎯 What & why

git daemon is the reference server for the git:// protocol — a tiny TCP listener that speaks the native pack protocol on port 9418. No auth, no encryption.

🧠 Mental model

Think 'anonymous read-only mirror'. The daemon multiplexes upload-pack (and optionally receive-pack) over a raw TCP socket; transport security, if you want any, is somebody else's problem (VPN, SSH tunnel, firewall).

🛠️ Synopsis

git daemon [--verbose] [--syslog] [--export-all] [--timeout=<n>]
           [--init-timeout=<n>] [--max-connections=<n>] [--strict-paths]
           [--base-path=<path>] [--base-path-relaxed] [--user-path[=<path>]]
           [--interpolated-path=<fmt>] [--reuseaddr] [--detach]
           [--pid-file=<file>] [--user=<user> [--group=<group>]]
           [--enable=<service>] [--disable=<service>]
           [--allow-override=<service>] [--forbid-override=<service>]
           [--access-hook=<path>] [--[no-]informative-errors]
           [--inetd | [--listen=<host>] [--port=<n>]]
           [--log-destination=(stderr|syslog|none)] [<directory>...]

🎚️ Switches & options

Flag	What it does
`--export-all`	Serve every repo under base-path, not just those with git-daemon-export-ok
`--base-path=<path>`	Treat <path> as the root for all incoming repo paths
`--listen=<addr>`	Bind to a specific interface (default: all)
`--port=<n>`	Listen on this TCP port (default: 9418)
`--enable=<service>`	Enable a service (e.g. receive-pack — usually a bad idea)
`--disable=<service>`	Disable a service (upload-pack, upload-archive, receive-pack)
`--inetd`	Run as an inetd-managed service (one connection per invocation)
`--detach`	Detach from the controlling terminal — daemonize
`--pid-file=<file>`	Write the daemon PID here for init scripts
`--user=<user>`	Drop privileges to this user after binding
`--group=<group>`	Drop to this group (requires --user)
`--syslog`	Log to syslog instead of stderr
`--log-destination=<dest>`	Pick stderr, syslog, or none explicitly
`--enable=receive-pack`	⚠️ Allow anonymous push — almost never what you want

💡 Use cases

Stand up a quick read-only mirror on a trusted LAN
Run a temporary daemon to clone between two machines without configuring SSH
Back a CI fleet with a fast anonymous git:// mirror inside the network perimeter
Serve a frozen archive of repos over inetd/systemd socket activation

🧪 Examples

Quick read-only server on 127.0.0.1

git daemon --reuseaddr --base-path=/srv/git --export-all --listen=127.0.0.1 --port=9418

Verbose foreground for debugging

git daemon --verbose --base-path=/srv/git --export-all --listen=127.0.0.1

Detached, drop privileges, syslog

git daemon --detach --user=git --group=git --syslog --pid-file=/run/git-daemon.pid --base-path=/srv/git --export-all

Clone from it

git clone git://127.0.0.1/myrepo.git

🎓 Recommendations

Use git:// only on networks you trust — there is no authentication and no integrity protection of the transport
Prefer --base-path with explicit repo directories over --strict-paths off; never expose your whole filesystem
If you want HTTPS or SSH, use git http-backend or sshd instead — git daemon is the wrong tool

🪤 Common pitfalls

Enabling receive-pack turns the daemon into an anonymous-write server — anyone on the network can push
git:// has no encryption: a passive observer sees every byte of your repo, including secrets in history
Forgetting --export-all (or the git-daemon-export-ok marker) makes every clone fail with 'access denied'

🔗 Related modules

📝 Quiz

Hit each option, then Check answers. Score is recorded; Next is always open.