246165537d
Previous implementations of "give shell access to some gitolite users" feature were crap. There was no easy/elegant way to ensure that someone who had repo admin access would not manage to get himself shell access. Giving someone shell access requires that you should have shell access in the first place, so the simplest way is to enable it from the server side only. So now that we decided to do that, we may as well prepare for other, future, commands by starting a server-side utility program with sub-commands (the only current one being "shell-add")
169 lines
6.1 KiB
Plaintext
# paths and configuration variables for gitolite

# please read comments before editing

# this file is meant to be pulled into a perl program using "do" or "require".

# You do NOT need to know perl to edit the paths; it should be fairly
# self-explanatory and easy to maintain perl syntax :-)

# --------------------------------------

# this is where the repos go. If you provide a relative path (not starting
# with "/"), it's relative to your $HOME. You may want to put in something
# like "/bigdisk" or whatever if your $HOME is too small for the repos, for
# example

$REPO_BASE="repositories";

# the default umask for repositories is 0077; change this if you run stuff
# like gitweb and find it can't read the repos. Please note the syntax; the
# leading 0 is required

$REPO_UMASK = 0077; # gets you 'rwx------'
# $REPO_UMASK = 0027; # gets you 'rwxr-x---'
# $REPO_UMASK = 0022; # gets you 'rwxr-xr-x'

# part of the setup of gitweb is a variable called $projects_list (please see
# gitweb documentation for more on this). Set this to the same value:

$PROJECTS_LIST = $ENV{HOME} . "/projects.list";

# --------------------------------------

# I see no reason anyone may want to change the gitolite admin directory, but
# feel free to do so. However, please note that it *must* be an *absolute*
# path (i.e., starting with a "/" character)

# gitolite admin directory, files, etc

$GL_ADMINDIR=$ENV{HOME} . "/.gitolite";

# --------------------------------------

# templates for location of the log files and format of their names

# I prefer this template (note the %y and %m placeholders)
# it produces files like `~/.gitolite/logs/gitolite-2009-09.log`

$GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m.log";

# other choices are below, or you can make your own -- but PLEASE MAKE SURE
# the directory exists and is writable; gitolite won't do that for you (unless
# it is the default, which is "$GL_ADMINDIR/logs")

# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y-%m-%d.log";
# $GL_LOGT="$GL_ADMINDIR/logs/gitolite-%y.log";

# --------------------------------------

# Please DO NOT change these three paths

$GL_CONF="$GL_ADMINDIR/conf/gitolite.conf";
$GL_KEYDIR="$GL_ADMINDIR/keydir";
$GL_CONF_COMPILED="$GL_ADMINDIR/conf/gitolite.conf-compiled.pm";

# --------------------------------------

# if git on your server is on a standard path (that is
# ssh git@server git --version
# works), leave this setting as is. Otherwise, choose one of the
# alternatives, or write your own

$GIT_PATH="";
# $GIT_PATH="/opt/bin/";

# --------------------------------------


# ----------------------------------------------------------------------
# SECURITY SENSITIVE SETTINGS
#
# Settings below this point may have security implications. That
# usually means that I have not thought hard enough about all the
# possible ways to crack security if these settings are enabled.

# Please see details on each setting for specifics, if any.
# ----------------------------------------------------------------------


# --------------------------------------
# ALLOW REPO ADMIN TO SET GITCONFIG KEYS
#
# Gitolite allows you to set git repo options using the "config" keyword; see
# conf/example.conf for details and syntax.
#
# However, if you are in an installation where the repo admin does not (and
# should not) have shell access to the server, then allowing him to set
# arbitrary repo config options *may* be a security risk -- some config
# settings may allow executing arbitrary commands.
#
# You have 3 choices. By default $GL_GITCONFIG_KEYS is left empty, which
# completely disables this feature (meaning you cannot set git configs from
# the repo config).
$GL_GITCONFIG_KEYS = "";
#
# The second choice is to give it a space separated list of settings you
# consider safe. (These are actually treated as a set of regular expression
# patterns, and any one of them must match). For example:
# $GL_GITCONFIG_KEYS = "core\.logAllRefUpdates core\..*compression";
# allows repo admins to set one of those 3 config keys (yes, that second
# pattern matches two settings from "man git-config", if you look)
#
# The third choice (which you may have guessed already if you're familiar with
# regular expressions) is to allow anything and everything:
# $GL_GITCONFIG_KEYS = ".*";

# --------------------------------------
# EXTERNAL COMMAND HELPER -- HTPASSWD

# security note: runs an external command (htpasswd) with specific arguments,
# including a user-chosen "password".

# if you want to enable the "htpasswd" command, give this the absolute path to
# whatever file apache (etc) expect to find the passwords in.

$HTPASSWD_FILE = "";

# Look in doc/3 ("easier to link gitweb authorisation with gitolite" section)
# for more details on using this feature.

# --------------------------------------
# EXTERNAL COMMAND HELPER -- RSYNC

# security note: runs an external command (rsync) with specific arguments, all
# presumably filled in correctly by the client-side rsync.

# base path of all the files that are accessible via rsync. Must be an
# absolute path. Leave it undefined or set to the empty string to disable the
# rsync helper.
$RSYNC_BASE = "";
# $RSYNC_BASE = "/home/git/up-down";
# $RSYNC_BASE = "/tmp/up-down";

# --------------------------------------
# ALLOW REPO CONFIG TO USE WILDCARDS

# security note: this used to be in a separate "wildrepos" branch. You can
# create repositories based on wild cards, give "ownership" to the specific
# user who created it, allow him/her to hand out R and RW permissions to other
# users to collaborate, etc. This is powerful stuff, and I've made it as
# secure as I can, but it hasn't had the kind of rigorous line-by-line
# analysis that the old "master" branch had.

# This has now been rolled into master, with all the functionality gated by
# this variable. Set this to 1 if you want to enable the wildrepos features.
# Please see doc/4-wildcard-repositories.mkd for details.
$GL_WILDREPOS = 0;

# --------------------------------------
# per perl rules, this should be the last line in such a file:
1;

# Local variables:
# mode: perl
# End:
# vim: set syn=perl:
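
An added example, not part of gitolite or of this rc file: a small Perl lint for a candidate $GL_GITCONFIG_KEYS value, following the "ALLOW REPO ADMIN TO SET GITCONFIG KEYS" section above. It assumes each space-separated pattern is matched against the whole key name (anchored); the key lists are constructed samples, and `allowed_by` and `audit` are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example (not gitolite code): lint a candidate $GL_GITCONFIG_KEYS value
# before putting it in the rc file.
use strict;
use warnings;

# Assumption: a key is accepted when any one pattern matches the whole key
# name. Confirm against the compile script of the gitolite version you run.
sub allowed_by {
    my ($patterns, $key) = @_;
    return grep { $key =~ /^(?:$_)$/ } split ' ', $patterns;
}

# Constructed samples, all documented in "man git-config". The keys in
# @runs_cmd name a program that git will run, which is the risk the rc
# comments describe for repo admins who must not get shell access.
my @benign   = qw(core.logAllRefUpdates core.compression core.loosecompression
                  gc.auto receive.denyNonFastForwards);
my @runs_cmd = qw(core.pager core.editor core.sshCommand core.fsmonitor);

# Returns { allowed => [...], risky => [...] } for one candidate value.
sub audit {
    my ($patterns) = @_;
    my %r = (allowed => [], risky => []);
    for my $k (@benign)   { push @{ $r{allowed} }, $k if allowed_by($patterns, $k) }
    for my $k (@runs_cmd) { push @{ $r{risky} },   $k if allowed_by($patterns, $k) }
    return \%r;
}

# Single-quoted so the backslashes reach the regex engine; inside a
# double-quoted Perl string "\." collapses to ".", which matches any character.
for my $candidate (
    '',                                            # default: feature disabled
    'core\.logAllRefUpdates core\..*compression',  # the rc file's example
    'core\..*',                                    # looks narrow, is not
    '.*',                                          # third choice: everything
) {
    my $r = audit($candidate);
    printf "%-45s allowed: %s\n", "'$candidate'",
        join(', ', @{ $r->{allowed} }) || '(none)';
    printf "%-45s RISKY:   %s\n", '', join(', ', @{ $r->{risky} })
        if @{ $r->{risky} };
}
```

The rc file's own example admits exactly the three keys its comment mentions and none of the command-running ones, while `core\..*` and `.*` admit all four.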