In accordance with the settings in /etc/repo_shell.conf:
sudo adduser --system --group --home /var/lib/svn --shell /bin/false <owner>
- sudo chsh -s /bin/sh <owner> # a shell is needed for 'sudo -iu'
+ sudo chsh -s /bin/bash <owner> # a shell is needed for 'sudo -iu'
sudo install -d -o <owner> -g <owner> -m 0750 <svn_root>/..
sudo install -d -o <owner> -g <owner> -m 0750 <svn_root>
sudo install -d -o <owner> -g <owner> -m 0750 <git_root>
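Review bot: the chsh line now sets /bin/bash, but its trailing comment still says only that "a shell is needed for 'sudo -iu'", which /bin/sh already satisfied. Please state what actually requires bash, or keep /bin/sh. Since the account is created one line earlier with --shell /bin/false and then given an interactive shell, a sentence on why that is acceptable for the owner account would also help readers who audit login shells on service accounts.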
gitcreate is a helper script installed by make install. To create a new git
repository, simply type:
- sudo -u repo gitcreate <repopath>
+ sudo -u repo gitcreate <repopath> ["Short description"]
Git repositories may be placed in subdirectories under {git_root}. A
subdirectory may be part of <repopath>. So, for example, if one wishes to
sudo -u repo gitcreate -y mirrors/tinyos/tinyos-main.git
+If the optional extra argument is provided, it will be used to populate the
+description file of the new repository. Because the script takes only one
+argument for this purpose, enclose the description in double quotes.
+
= Configuring user accounts
Each user to access repositories via client side tools need an account on the
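Review bot: the added paragraph tells readers to use double quotes because the script takes only one description argument, but the real issue is word splitting in the invoking shell, and double quotes still let that shell expand $ and backticks before sudo sees the text. Suggest recommending single quotes for a literal description. The only example in this section (the one using -y) has no description, so add one that shows an option, the repository path and a quoted description together, and make clear whether options must come before the path.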
git clone server:my_repository.git
git clone server:mirrors/tinyos/tinyos-main.git
+= Repository access for gitweb
+
+The following steps can allow gitweb to filter the available repositories
+according to the authenticated user and the contents of the .gitacl file.
+
+- The web server must require authorization and a valid user for URI's starting
+ with /gitweb. Recommend using a PAM module, since repo_shell also works of
+ the system user credentials.
+- The web server needs to pass the REMOTE_USER environment variable to
+ gitweb.cgi.
+- The contents of the file gitweb.conf.addon must be added to the server's
+ gitweb.conf file, usually found in /etc.
+
+The contents of gitweb.conf.addon essentially define an $export_auth_hook that
+uses repo_shell's test mode to validate read access for the web server
+authenticated user for each repository gitweb can see.
+
= Repository access for other applications
Local system applications, such as web based viewers, may gain read-only access
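Review bot: the new gitweb section does not say what the $export_auth_hook does when REMOTE_USER is empty or unset, and that case decides whether a misconfigured web server hides every repository or shows them all. Please document that the hook denies access when no authenticated user is passed through. Because the PAM recommendation means system account passwords are submitted to the web server, the first bullet should also say that /gitweb is to be served over HTTPS. Wording: "URI's" should be "URIs", "works of" should be "works off", and "can allow" reads better as "allow".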
This command returns one of three results. An empty return string means no
access, an "r" means read-only, and "rw" means read-write access.
+= Allow other users to create repositories
+
+With the following configuration, other users could be configured to run the
+`gitcreate` command using sudo.
+
+First, run `visudo` as root to edit the `/etc/sudoers` file. These entries
+should appear before less specific rules. The Runas_Alias REPOUSER should be
+set to the value of the `owner` variable defined in `/etc/repo_shell.conf`.
+
+ # Allow select users to run gitcreate
+ User_Alias REPOCREATORS = user1, user2, user3
+ Runas_Alias REPOUSER = repo
+ REPOCREATORS ALL = (REPOUSER) NOPASSWD: /usr/local/bin/gitcreate
+
+Now any users listed in the User_Alias REPOCREATORS can run the gitcreate
+command. The command would be invoked as follows:
+
+ ssh <repohost>
+ sudo -u repo gitcreate path/to/newrepo.git
+
+Note that as of right now, repo_shell cannot be used to run this command in a
+single ssh invocation, such as:
+
+ ssh <repohost> sudo gitcreate path/to/newrepo.git
+
+This is because repo_shell does not implement a full tty needed by sudo if it
+must ask the user for a password to authenticate the action.
+
= References and links
repo_shell owes great thanks to work shared by two other projects:
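Review bot: the single-invocation example near the end omits -u repo, and the explanation after it does not match the sudoers rule added above it. That rule permits REPOCREATORS to run gitcreate only as REPOUSER and marks it NOPASSWD, so "sudo gitcreate ..." without -u repo asks for a run-as user the rule does not cover, while the form shown earlier ("sudo -u repo gitcreate ...") should not prompt for a password at all. Please retest the one-line ssh form with -u repo and reword the limitation to describe what actually fails. Two further points on the same block: sudoers applies the last matching entry, so "should appear before less specific rules" is the wrong way round and these entries belong after the more general ones; and the command in the rule carries no argument restriction, so the text should state that gitcreate itself confines the repository path to {git_root}, since listed users can pass any argument while running as the owner account.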