Merge branch 'master' into pu (svnserve contrib code)
Conflicts: src/gl-auth-command
This commit is contained in:
Sitaram Chamarty
commit
3d9f230b41
|
|
@ -150,6 +150,20 @@ $RSYNC_BASE = "";
|
|||
# $RSYNC_BASE = "/home/git/up-down";
|
||||
# $RSYNC_BASE = "/tmp/up-down";
|
||||
|
||||
# --------------------------------------
|
||||
# EXTERNAL COMMAND HELPER -- SVNSERVE
|
||||
|
||||
# security note: runs an external command (svnserve) with specific arguments,
|
||||
# as specified below. %u is substituted with the username.
|
||||
|
||||
# This setting allows launching svnserve when requested by the ssh client.
|
||||
# This allows using the same SSH setup (hostname/username/public key) for both
|
||||
# SVN and git access. Leave it undefined or set to the empty string to disable
|
||||
# svnserve access.
|
||||
|
||||
$SVNSERVE = "";
|
||||
# $SVNSERVE = "/usr/bin/svnserve -r /var/svn/ -t --tunnel-user=%u";
|
||||
|
||||
# --------------------------------------
|
||||
# ALLOW REPO CONFIG TO USE WILDCARDS
|
||||
|
||||
|
|
|
|||
|
|
@ -650,14 +650,34 @@ powerful feature. See `doc/admin-defined-commands.mkd`.
|
|||
Gitolite now has a mechanism for allowing access control for arbitrary
|
||||
external commands, as long as they are invoked via ssh and present a
|
||||
server-side command that contains enough information to make an access control
|
||||
decision. The first (and only, so far) such command implemented is rsync.
|
||||
decision.
|
||||
|
||||
Note that this is incompatible with giving people shell access as described in
|
||||
`doc/6-ssh-troubleshooting.mkd` -- people who have shell access are not
|
||||
subject to this mechanism (it wouldn't make sense to try and control someone
|
||||
who has shell access anyway).
|
||||
|
||||
Please see the config files (both of them) for examples and usage.
|
||||
In general, external commands require changes in one or both the config files;
|
||||
the sample files in `conf/` double as documentation, so you should look there
|
||||
for examples and usage.
|
||||
|
||||
Commands implemented so far are:
|
||||
|
||||
* rsync
|
||||
* svnserve (see next section for a brief description; this has been
|
||||
contributed by Simon and Vladimir)
|
||||
|
||||
<a name="svnserve"></a>
|
||||
|
||||
##### svnserve
|
||||
|
||||
If you are transitioning from SVN to gitolite, and have a lot of users using
|
||||
public-key authentication with SVN, this feature may be useful to you. Once
|
||||
you migrate all users' public keys into gitolite, you can set the `$SVNSERVE`
|
||||
variable in `~/.gitolite.rc` to tie `svnserve` with gitolite's authentication
|
||||
system. Assuming you installed gitolite to the same user as the one you used
|
||||
for SVN, SVN connectivity will be retained, and users will be able to use
|
||||
both SVN and git using the same SSH configuration.
|
||||
|
||||
## design choices
|
||||
|
||||
|
|
|
|||
|
|
@ -411,7 +411,7 @@ sub cli_repo_rights {
|
|||
|
||||
sub special_cmd
|
||||
{
|
||||
my ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE) = @_;
|
||||
my ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE, $SVNSERVE) = @_;
|
||||
|
||||
my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
|
||||
my $user = $ENV{GL_USER};
|
||||
|
|
@ -432,6 +432,8 @@ sub special_cmd
|
|||
&ext_cmd_htpasswd($HTPASSWD_FILE);
|
||||
} elsif ($RSYNC_BASE and $cmd =~ /^rsync /) {
|
||||
&ext_cmd_rsync($GL_CONF_COMPILED, $RSYNC_BASE, $cmd);
|
||||
} elsif ($SVNSERVE and $cmd eq 'svnserve -t') {
|
||||
&ext_cmd_svnserve($SVNSERVE);
|
||||
} else {
|
||||
# if the user is allowed a shell, just run the command
|
||||
&log_it("$ENV{GL_TS}\t$ENV{SSH_ORIGINAL_COMMAND}\t$ENV{GL_USER}\n");
|
||||
|
|
@ -528,4 +530,17 @@ EOFhtp
|
|||
die "htpasswd command seems to have failed with $rc return code...\n" if $rc;
|
||||
}
|
||||
|
||||
# ----------------------------------------------------------------------------
|
||||
# external command helper: svnserve
|
||||
# ----------------------------------------------------------------------------
|
||||
|
||||
sub ext_cmd_svnserve
|
||||
{
|
||||
my $SVNSERVE = shift;
|
||||
|
||||
$SVNSERVE =~ s/%u/$ENV{GL_USER}/g;
|
||||
exec $SVNSERVE;
|
||||
die "svnserve exec failed\n";
|
||||
}
|
||||
|
||||
1;
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ use warnings;
|
|||
# ----------------------------------------------------------------------------
|
||||
|
||||
# these are set by the "rc" file
|
||||
our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_ADC_PATH);
|
||||
our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS, $GL_ADC_PATH, $SVNSERVE);
|
||||
# and these are set by gitolite.pm
|
||||
our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT, $REPOPATT_PATT);
|
||||
our %repos;
|
||||
|
|
@ -167,7 +167,7 @@ if ($ENV{SSH_ORIGINAL_COMMAND} =~ $CUSTOM_COMMANDS) {
|
|||
my ($verb, $repo) = ($ENV{SSH_ORIGINAL_COMMAND} =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/);
|
||||
unless ( $verb and ( $verb eq 'git-init' or $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) {
|
||||
# ok, it's not a normal git command; call the special command helper
|
||||
&special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE);
|
||||
&special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE, $SVNSERVE);
|
||||
exit;
|
||||
}
|
||||
die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/;
|
||||
|
|
|
|||
Loading…
Reference in a new issue