+ cd repo_shell
+ make
+ sudo make install
+
+Please build from a repository clone, as the make script uses
+'git describe --tags' to generate the resulting executable's version string.
+
+= Configure /etc/repo_shell.conf
+
+The file /etc/repo_shell.conf must contain certain fields as shown in the
+example below. The spaces surrounding the equal sign ('=') are optional.
+
+ owner = repo
+ svn_root = /var/lib/svn/repositories
+ git_root = /var/lib/git
+ allowed_interactive =
+
+owner is the system account username which will own all repositories, and is
+preferaby a system account used for no other purpose. Use the adduser or
+another similar system script to assist in creating the user account. The
+account home directory can be one of the repository root paths
+
+svn_root and git_root are self-explanatory, being the longest filesystem path
+shared by repositories of that type, e.g. their shared root directory.
+
+allow_interactive contains a list of users that may log into the server via SSH,
+or that may issue arbitrary commands to the server via SSH. Instead of a list,
+the wildcard character '*' can be used to indicate all users. Note that this
+only affects users that have /usr/local/bin/repo_shell as their login shell.
+If the server is only hosting repositories, there is no reason for users to be
+allowed 'interactive' access.
+
+== allowed_interactive and sudo ==
+
+For users that use repo_shell as a login shell and that also need to run
+commands via sudo as other users, those other users must also be listed in the
+allowed_interactive user list. Otherwise, sudo functionality is effectively
+disabled for such users.
+
+= Create owner and paths
+
+In accordance with the settings in /etc/repo_shell.conf:
+
+ sudo adduser --system --group --home /var/lib/svn --shell /bin/false <owner>
+ sudo chsh -s /bin/bash <owner> # a shell is needed for 'sudo -iu'
+ sudo install -d -o <owner> -g <owner> -m 0750 <svn_root>/..
+ sudo install -d -o <owner> -g <owner> -m 0750 <svn_root>
+ sudo install -d -o <owner> -g <owner> -m 0750 <git_root>
+
+= Configure subversion repository ACLs
+
+Subversion repositories created with the svncreate command have their
+conf/svnserve.conf as a symbolic link pointing to the global
+{svn_root}/../svnserve.conf file, which then references internally the global
+authz.conf file. It is this file that is used to set access control permissions
+for repositories. Subversion's authz file allows path based control as well.
+For more information, please see the Subversion Red Bean guide at:
+http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
+
+A simple and secure svnserve.conf file:
+
+ [general]
+ anon-access = none
+ auth-access = write
+ authz-db = /var/lib/svn/authz.conf
+
+A simple and secure authz.conf file:
+
+ [groups]
+ devs = user1, user2, user3
+
+ [/] # All repositories, all paths
+ @devs = rw
+ * =
+
+For path-based controls, consider using the pre-commit hook that uses
+svnperms.py. The ability to prevent update of tags, which my definition is
+almost always an accident, is itself worth the price of admission.
+
+= Configure git repository ACLs
+
+Git repository access control is managed by the git acl file, located at
+{git_root}/.gitacls (git_root is defined in /etc/repo_shell.conf). This file
+has a format similar but not exactly like Subversion's authz file. The file
+defines one of three levels of access for various combinations of users and
+repositories, then compared to the git command arriving via SSH to determine if
+the access will be allowed. Please see README.gitacls for more information.
+A simple .gitacls might look like:
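Review bot: the configuration key name is inconsistent in this hunk: the example config and the later heading use `allowed_interactive` (" allowed_interactive =" and "== allowed_interactive and sudo =="), but the paragraph describing it says "allow_interactive contains a list of users"; since repo_shell presumably matches the key literally, the description should be changed to `allowed_interactive` so a reader copying it does not produce a key the parser ignores. In the "Create owner and paths" section, `sudo adduser --system --group --home /var/lib/svn --shell /bin/false <owner>` is immediately followed by `sudo chsh -s /bin/bash <owner>`, which makes `--shell /bin/false` dead on arrival; either pass `--shell /bin/bash` to adduser directly or, better, keep the owner account without a login shell and say in the text why `sudo -iu` is needed at all, given that the owner is meant to be a dedicated, non-interactive account and that `git_root` and `svn_root` are owned and 0750 for it. Minor wording: "preferaby" should be "preferably", the sentence ending "can be one of the repository root paths" is missing its period, and "which my definition is almost always an accident" should read "which by my definition ...".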