blob: 572aba672fc05238af4eb2832cc28fea1a07517b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
#!/usr/bin/perl
use lib $ENV{GL_LIBDIR};
use Gitolite::Easy;
# This command requires unrestricted arguments, so add it to the ENABLE list
# like this:
# 'git-annex-shell ua',
# This requires git-annex version 20111016 or newer. Older versions won't
# be secure.
use strict;
use warnings;
# ignore @ARGV and look at the original unmodified command
my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
# Expect commands like:
# git-annex-shell 'configlist' '/~/repo'
# git-annex-shell 'configlist' '/repo'
# git-annex-shell 'sendkey' '/~/repo' 'key'
# The parameters are always single quoted, and the repo path is always
# the second parameter.
# Further parameters are not validated here (see below).
die "bad git-annex-shell command: $cmd"
unless $cmd =~ m#^(git-annex-shell '\w+' ')/(?:\~/)?([0-9a-zA-Z][0-9a-zA-Z._\@/+-]*)('( .*|))$#;
my $start = $1;
my $repo = $2;
my $end = $3;
$repo =~ s/\.git$//;
die "I dont like some of the characters in $repo\n" unless $repo =~ $Gitolite::Rc::REPONAME_PATT;
die "I dont like absolute paths in $cmd\n" if $repo =~ /^\//;
die "I dont like '..' paths in $cmd\n" if $repo =~ /\.\./;
# Modify $cmd, fixing up the path to the repo to include GL_REPO_BASE.
my $newcmd = "$start$rc{GL_REPO_BASE}/$repo$end";
# Rather than keeping track of which git-annex-shell commands
# require write access and which are readonly, we tell it
# when readonly access is needed.
if ( can_write($repo) ) {
} elsif ( can_read($repo) ) {
$ENV{GIT_ANNEX_SHELL_READONLY} = 1;
} else {
die "$repo $ENV{GL_USER} DENIED\n";
}
# Further limit git-annex-shell to safe commands (avoid it passing
# unknown commands on to git-shell)
$ENV{GIT_ANNEX_SHELL_LIMITED} = 1;
# Note that $newcmd does *not* get evaluated by the unix shell.
# Instead it is passed as a single parameter to git-annex-shell for
# it to parse and handle the command. This is why we do not need to
# fully validate $cmd above.
Gitolite::Common::gl_log( $ENV{SSH_ORIGINAL_COMMAND} );
exec "git-annex-shell", "-c", $newcmd;
__END__
INSTRUCTIONS... (NEED TO BE VALIDATED BY SOMEONE WHO KNOWS GIT-ANNEX WELL).
based on http://git-annex.branchable.com/tips/using_gitolite_with_git-annex/
ONLY VARIATIONS FROM THAT PAGE ARE WRITTEN HERE.
setup
* in the ENABLE list in the rc file, add an entry like this:
'git-annex-shell ua',
That should be it; everything else should be as in that page.
|
