6e29365316
I got tired of being told "TL;DR". Now the online versions of most documents fit on a page or two, or at least most of them do. The rest has been split out (and you can see the links to the split out sections right where the text is in the raw Markdown). This is much more pleasant to read, and I've improved the linking so it's much less effort for me to keep the links correct.
77 lines
2.7 KiB
Markdown
77 lines
2.7 KiB
Markdown
# F=mob mob branches in gitolite
|
|
|
|
WARNING: This is hairy stuff. But what's life without a little danger?
|
|
|
|
WARNING 2: girocco does mob branches quite differently; the controls on what a
|
|
mob branch can do are much more fundamental. Here we just trick gitolite into
|
|
accepting anonymous ssh connections and pretending they're from a mythical
|
|
user called "mob". **This means all the access control is -- as you might
|
|
expect -- in the gitolite.conf file, so make sure you don't give the `mob`
|
|
user too many rights!**
|
|
|
|
(tested on Fedora 14; assumes your gitolite server userid is "gitolite" and
|
|
install was "non-root" method; adjust according to your environment. If you
|
|
need more than this, you should not be enabling mob branches anyway ;-)
|
|
|
|
[hah! Easy way out of being badgered with questions!]
|
|
|
|
* create a file called `/tmp/mobshell` (put it somewhere more permanent if
|
|
you wish). This file should be `chmod +x` and contain
|
|
|
|
#!/bin/sh
|
|
shift
|
|
export SSH_ORIGINAL_COMMAND
|
|
SSH_ORIGINAL_COMMAND="$*"
|
|
|
|
/home/gitolite/bin/gl-auth-command mob
|
|
# see one of the lines in ~gitolite/.ssh/authorized_keys for the
|
|
# precise location of the gl-auth-command script
|
|
|
|
* create a user called mob. Give it the same UID number and `$HOME` as your
|
|
gitolite server userid, and set the login shell to be the script you just
|
|
created. Also delete the password.
|
|
|
|
id -u gitolite
|
|
# returns 503 or something...
|
|
useradd -d /home/gitolite -s /tmp/mobshell -u 503 -o mob
|
|
passwd -d mob
|
|
|
|
* make sure you have a recent enough sshd and put these lines at the bottom,
|
|
then restart sshd
|
|
|
|
Match user mob
|
|
PermitEmptyPasswords yes
|
|
|
|
That's it. Now you can add stuff to your gitolite.conf file. Here's some
|
|
examples:
|
|
|
|
* This allows the mob user to do anything to the "mob" branch:
|
|
|
|
repo foo
|
|
RW+ = alice bob
|
|
R = eve
|
|
RW+ mob$ = mob
|
|
# only the mob branch, nothing more
|
|
|
|
* This is the same, except it can be any branch under "mob/" so you get some
|
|
flexibility:
|
|
|
|
RW+ mob/ = mob
|
|
|
|
* Girocco allows pushing to the mob branch only if it already exists (that
|
|
is, the mob user cannot *create* the mob branch, but if it already exists
|
|
he can push to it). Here's how you'd do that in gitolite:
|
|
|
|
repo foo
|
|
RW+C = alice bob
|
|
R = eve
|
|
RW+ mob$ = mob
|
|
|
|
* This gives *every* repo a mob branch (be careful!)
|
|
|
|
repo @all
|
|
RW+ mob$ = mob
|
|
|
|
How do mob users access it? The URLs just look like: `mob@server:repo`
|
|
instead of `gitolite@server:repo` That's it!
|