246165537d
Previous implementations of "give shell access to some gitolite users" feature were crap. There was no easy/elegant way to ensure that someone who had repo admin access would not manage to get himself shell access. Giving someone shell access requires that you should have shell access in the first place, so the simplest way is to enable it from the server side only. So now that we've decided to do that, we may as well prepare for other future commands by starting a server-side utility program with sub-commands (the only current one being "shell-add").
75 lines
2.1 KiB
Bash
Executable file
#!/bin/sh

# BEGIN USAGE

# $0 -- make some server side tasks easier

# Usage:
# $0 [sub-command [args]]

# Security notes: this program does not do any sanitisation of input. You're
# running it at the CLI on the server, so you already have the power to do
# whatever you want anyway.

# current sub-commands:

# (1) REPLACE THE OLD $SHELL_USERS MECHANISM

# $0 shell-add foo.pub
# adds the pubkey in foo.pub into the authkeys file with "-s" argument (shell
# access) and user "foo". The line will be added *before* the "# gitolite
# start" section, so that a gitolite-admin push will not affect it.

# Although there is no "shell-remove" sub-command, you can do that quite
# easily by editing ~/.ssh/authorized_keys and deleting the appropriate line.

# END USAGE

die() { echo "$@" >&2; exit 1; }

# no arguments: print the usage block above, with $0 filled in
if [ -z "$1" ]
then
    perl -ne 's/\$0/$ARGV/ge; print if /BEGIN USAGE/../END USAGE/' "$0" | grep -v USAGE | cut -c3-
    exit 1
fi

if [ "$1" = "shell-add" ]
then
    # sanity checks
    [ -z "$2" ] && exec "$0"
    [ -f "$2" ] || die "$2 does not exist"
    # a pubkey file is exactly one "type base64 comment" line (0 lines means
    # a missing trailing newline; more than 1 would split the authline)
    [ "$(wc -l < "$2")" -eq 1 ] || die "$2 does not contain exactly one line"

    # must be kept consistent with what's in src/gl-compile-conf; on the plus
    # side, it's not likely to change anytime soon!
    AUTH_OPTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding"

    # absolute path of the directory this script lives in; gl-auth-command is
    # expected to sit next to it
    bindir=`echo "$0" | perl -lpe 's/^/$ENV{PWD}\// unless /^\//; s/\/[^\/]+$//;'`

    pubkey_file=$2
    user=`basename "$pubkey_file" .pub`

    # forced command plus restrictive options, same shape as the lines
    # gl-compile-conf writes between "# gitolite start" and "# gitolite end"
    authline="command=\"$bindir/gl-auth-command -s $user\",$AUTH_OPTIONS `cat "$pubkey_file"`"

    authkeys=$HOME/.ssh/authorized_keys

    {
        # everything above the marker, minus any existing shell line for this
        # user; the match is anchored on the closing quote and \Q-quoted so
        # that adding "foo" cannot remove "foobar"
        user="$user" perl -lne 'last if /# gitolite start/; print unless /gl-auth-command -s \Q$ENV{user}\E"/' "$authkeys"
        echo "$authline"
        # the marker and everything below it (the section gitolite rewrites), verbatim
        perl -lne 'print if /# gitolite start/ .. 0' "$authkeys"
    } > "$authkeys.new"

    diff -u "$authkeys" "$authkeys.new" && die no change to authkey file
    echo
    echo If the above diff looks ok, press enter. Else press Ctrl-C.
    read dummy
    # copy rather than mv so the existing file's mode and ownership are kept
    cat "$authkeys" > "$authkeys.old"
    cat "$authkeys.new" > "$authkeys"
    rm -f "$authkeys.new"

    exit 0
fi

die "could not understand command $1"