From bcc0e47c0c7bebbcc6abc30390894fa2ca93f5c8 Mon Sep 17 00:00:00 2001 From: "R. Steve McKown" Date: Fri, 28 Sep 2012 11:54:48 -0600 Subject: [PATCH] git_acl_file is always {git_root}/.gitacls --- README | 17 ++++++----------- README.gitacls | 8 +++----- repo_shell.c | 12 ++++++------ scripts/gitcreate | 8 +++++--- 4 files changed, 20 insertions(+), 25 deletions(-) diff --git a/README b/README index 33cb71c..4befc7e 100644 --- a/README +++ b/README @@ -33,7 +33,6 @@ example below. The spaces surrounding the equal sign ('=') are optional. owner = repo svn_root = /var/lib/svn/repositories git_root = /var/lib/git - git_acl_file = /var/lib/git/.gitacls allowed_interactive = owner is the system account username which will own all repositories, and is @@ -44,10 +43,6 @@ account home directory can be one of the repository root paths svn_root and git_root are self-explanatory, being the longest filesystem path shared by repositories of that type, e.g. their shared root directory. -git_acl_file is the pathname of a file providing ACL information for git -repository access, as implemented internally bit repo_shell. A recommended -pathname is /var/lib/git/.gitacls - allow_interactive contains a list of users that may log into the server via SSH, or that may issue arbitrary commands to the server via SSH. Instead of a list, the wildcard character '*' can be used to indicate all users. Note that this 
@@ -75,12 +70,12 @@ http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html = Configure git repository ACLs -Git repository access control is managed by the git acl file, nominally located -at {git_root}/.gitacls. This file has a format similar but not exactly like -Subversion's authz file. The file defines one of three levels of access for -various combinations of users and repositories, then compared to the git command -arriving via SSH to determine if the access will be allowed. Please see -README.gitacls for more information. +Git repository access control is managed by the git acl file, located at +{git_root}/.gitacls (git_root is defined in /etc/repo_shell.conf). This file +has a format similar but not exactly like Subversion's authz file. The file +defines one of three levels of access for various combinations of users and +repositories, then compared to the git command arriving via SSH to determine if +the access will be allowed. Please see README.gitacls for more information. = Create a subversion repository diff --git a/README.gitacls b/README.gitacls index 5a44f27..df40423 100644 --- a/README.gitacls +++ b/README.gitacls @@ -1,7 +1,5 @@ -Git ACLs are defined in the git_acl_file, whose location is defined within the -/etc/repo_shell.conf configuration file. This file is similar in passing to the -Subversion authz.conf file format as defined in -http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html. +Git ACLs are defined in the .gitacls file, which must exist in the {git_root} +directory specified in the /etc/repo_shell.conf file. The file has three section types: @@ -112,4 +110,4 @@ irrevelevant: Note that while the last example above is valid, it seems an unlikely use case where one would want to define access permissions to a repsitory based - upo the first letter of the username. + upon the first letter of the username. diff --git a/repo_shell.c b/repo_shell.c index f6ef69f..f5ec268 100644 --- a/repo_shell.c 
+++ b/repo_shell.c @@ -16,6 +16,7 @@ #define CFG_FILE "/etc/repo_shell.conf" #define SHELL "/bin/bash" +#define GIT_ACL_FILE ".gitacls" typedef struct { char *user; @@ -53,9 +54,9 @@ static char *dequote(char *arg) return narg; } -static char *add_prefix(char *prefix, char* arg) +static char *add_prefix(const char *prefix, const char* arg) { - char *narg = arg; + char *narg; int i; if (arg && prefix && (i = strlen(prefix))) { @@ -145,12 +146,11 @@ static int ini_handler(void* user, const char* section, const char* name, if (!strcmp(name, "svn_root")) pconfig->svn_root = xstrdup(value); - else if (!strcmp(name, "git_root")) + else if (!strcmp(name, "git_root")) { pconfig->git_root = xstrdup(value); - else if (!strcmp(name, "owner")) + pconfig->git_acl_file = add_prefix(value, GIT_ACL_FILE); + } else if (!strcmp(name, "owner")) pconfig->owner = xstrdup(value); - else if (!strcmp(name, "git_acl_file")) - pconfig->git_acl_file = xstrdup(value); else if (!strcmp(name, "allow_interactive")) pconfig->allow_interactive = str_has_word(value, pconfig->user); else diff --git a/scripts/gitcreate b/scripts/gitcreate index 16e80ec..cab983e 100755 --- a/scripts/gitcreate +++ b/scripts/gitcreate @@ -2,9 +2,10 @@ # gitcreate is part of the repo_shell distribution. eval $(sed -e 's| ||g' < /etc/repo_shell.conf) -if [ -z "$owner" -o -z "$git_root" -o -z "$git_acl_file" ]; then +if [ -z "$owner" -o -z "$git_root" ]; then echo "$0: please configure /etc/repo_shell.conf" fi +gitacls="$git_root/.gitacls" if [ "$(whoami)" != "$owner" ]; then echo "$0: must run as user $owner" >&2 @@ -26,6 +27,7 @@ umask 027 git --git-dir "$git_root/$1" init --bare [ $? -ne 0 ] && exit 1 -echo "Repository created. -Be sure to edit $git_acl_file to allow user access, if needed." +[ -f "$gitacls" ] && echo "Check $gitacls for proper access permissions" +echo "Repository created." +[ ! -f "$gitacls" ] && echo "WARNING: $gitacls DOES NOT EXIST!" exit 0 -- 2.39.2
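Review bot: In add_prefix, replacing `char *narg = arg;` with `char *narg;` leaves `narg` indeterminate whenever the guard `if (arg && prefix && (i = strlen(prefix)))` is false, for example with an empty prefix. The rest of the body is outside this hunk, so this only matters if no else branch assigns it. The new caller passes the configured git_root as the prefix, so an empty `git_root =` line would take that path and could leave `git_acl_file` pointing at garbage. An explicit fallback such as `else narg = arg ? xstrdup(arg) : NULL;` keeps the return value defined and heap-owned in both cases.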
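Review bot: In ini_handler, a config that still contains `git_acl_file = ...` now falls through to the final `else`, whose body is outside this hunk. If that branch ignores unknown names, a site that kept its ACLs at a custom path is silently switched to `{git_root}/.gitacls`. Keeping an explicit `else if (!strcmp(name, "git_acl_file"))` branch that reports the key as obsolete would make the change visible. It is also not visible here whether add_prefix inserts a `/` between `value` and `GIT_ACL_FILE`; if it only concatenates, a git_root without a trailing slash would yield `/var/lib/git.gitacls`. A repeated `git_root` line overwrites `git_root` and `git_acl_file` without freeing the earlier copies.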
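Review bot: In scripts/gitcreate, the `if [ -z "$owner" -o -z "$git_root" ]` check prints its message but has no `exit`. With an empty git_root the new `gitacls="$git_root/.gitacls"` therefore becomes `/.gitacls`, and the script carries on unless a later check stops it. Adding `exit 1` after the echo and sending the message to stderr with `>&2`, as the `whoami` check below does, would close that path. The literal `.gitacls` duplicates `GIT_ACL_FILE` in repo_shell.c; a comment such as `# must match GIT_ACL_FILE in repo_shell.c` would help keep the two in step.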
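Review bot: At the end of scripts/gitcreate, the missing-ACL warning goes to stdout and the script still exits 0, so a wrapper that only checks the exit status will not notice that the new repository has no ACL file. Sending it to stderr, `[ ! -f "$gitacls" ] && echo "WARNING: $gitacls DOES NOT EXIST!" >&2`, matches the other error message in the script. The message would be more useful if it said what access repo_shell grants when the file is absent; that behaviour is not visible in this patch. The two `-f` tests could also be a single `if`/`else`.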