2011-01-29 10:58:57 +01:00
|
|
|
## mob branches in gitolite
|
2010-08-09 19:18:59 +02:00
|
|
|
|
|
|
|
WARNING: This is hairy stuff. But what's life without a little danger?
|
|
|
|
|
|
|
|
WARNING 2: girocco does mob branches quite differently; the controls on what a
|
|
|
|
mob branch can do are much more fundamental. Here we just trick gitolite into
|
|
|
|
accepting anonymous ssh connections and pretending they're from a mythical
|
|
|
|
user called "mob". **This means all the access control is -- as you might
|
|
|
|
expect -- in the gitolite.conf file, so make sure you don't give the `mob`
|
|
|
|
user too many rights!**
|
|
|
|
|
2011-05-28 14:23:27 +02:00
|
|
|
(tested on Fedora 14; assumes your gitolite server userid is "gitolite" and
|
|
|
|
install was "non-root" method; adjust according to your environment. If you
|
|
|
|
need more than this, you should not be enabling mob branches anyway ;-)
|
2010-08-09 19:18:59 +02:00
|
|
|
|
|
|
|
[hah! Easy way out of being badgered with questions!]
|
|
|
|
|
|
|
|
* create a file called `/tmp/mobshell` (put it somewhere more permanent if
|
|
|
|
you wish). This file should be `chmod +x` and contain
|
|
|
|
|
|
|
|
#!/bin/sh
|
|
|
|
shift
|
|
|
|
export SSH_ORIGINAL_COMMAND
|
|
|
|
SSH_ORIGINAL_COMMAND="$*"
|
|
|
|
|
2011-05-28 14:23:27 +02:00
|
|
|
/home/gitolite/bin/gl-auth-command mob
|
2010-08-09 19:18:59 +02:00
|
|
|
# see one of the lines in ~gitolite/.ssh/authorized_keys for the
|
|
|
|
# precise location of the gl-auth-command script
|
|
|
|
|
|
|
|
* create a user called mob. Give it the same UID number and `$HOME` as your
|
|
|
|
gitolite server userid, and set the login shell to be the script you just
|
|
|
|
created. Also delete the password.
|
|
|
|
|
|
|
|
id -u gitolite
|
|
|
|
# returns 503 or something...
|
|
|
|
useradd -d /home/gitolite -s /tmp/mobshell -u 503 -o mob
|
|
|
|
passwd -d mob
|
|
|
|
|
|
|
|
* make sure you have a recent enough sshd and put these lines at the bottom,
|
|
|
|
then restart sshd
|
|
|
|
|
|
|
|
Match user mob
|
|
|
|
PermitEmptyPasswords yes
|
|
|
|
|
|
|
|
That's it. Now you can add stuff to your gitolite.conf file. Here's some
|
|
|
|
examples:
|
|
|
|
|
|
|
|
* This allows the mob user to do anything to the "mob" branch:
|
|
|
|
|
|
|
|
repo foo
|
|
|
|
RW+ = alice bob
|
|
|
|
R = eve
|
|
|
|
RW+ mob$ = mob
|
|
|
|
# only the mob branch, nothing more
|
|
|
|
|
|
|
|
* This is the same, except it can be any branch under "mob/" so you get some
|
|
|
|
flexibility:
|
|
|
|
|
|
|
|
RW+ mob/ = mob
|
|
|
|
|
|
|
|
* Girocco allows pushing to the mob branch only if it already exists (that
|
|
|
|
is, the mob user cannot *create* the mob branch, but if it already exists
|
|
|
|
he can push to it). Here's how you'd do that in gitolite:
|
|
|
|
|
|
|
|
repo foo
|
|
|
|
RW+C = alice bob
|
|
|
|
R = eve
|
|
|
|
RW+ mob$ = mob
|
|
|
|
|
|
|
|
* This gives *every* repo a mob branch (be careful!)
|
|
|
|
|
|
|
|
repo @all
|
|
|
|
RW+ mob$ = mob
|
|
|
|
|
|
|
|
How do mob users access it? The URLs just look like: `mob@server:repo`
|
|
|
|
instead of `gitolite@server:repo` That's it!
|