Problems with a gitosis port

Adam Olsen arolsen at gmail.com
Mon Nov 24 22:00:15 GMT 2008


On Mon, Nov 24, 2008 at 2:06 PM, Michael Hudson
<michael.hudson at canonical.com> wrote:
> The above won't help you with what you say you need here.  But I doubt
> you really need what you say here -- you're slightly suggesting a
> solution when I'd be more able to help if you explained the problem.
> Can you explain your problem in more detail?  Bearing in mind that I
> don't know much about gitosis.

Ah, ok, let me try to explain how gitosis works.  It allows multiple
users access to multiple repositories on a remote server.  The remote
server only needs to have one actual UNIX account for all this to
work.  It also allows for some access control to each repository
hosted on the remote server - you can give some users read-only access
to one repository, while other users have full write access to it.  The
configuration file looks like this:

[group developers]
members = todd bill
writable = project1 project2

[group webguys]
members = travis chris
readonly = project1

So, in this instance, travis and chris only have read access to the
project1 repository, where todd and bill have full write access to
project1 and project2.

Administration is all done via a git repository and git itself.  On
the client side, the administrator clones a branch of the admin
repository, adds users' ssh keys to the repository, and edits the
configuration file.  When the admin runs "git push", a post-push hook
on the server side sets up the various permissions etc. for the
repositories.

More specifically, on the server side, everything is done with the
authorized_keys file.  Each line in authorized_keys file for the git
user looks something like this:

command="gitosis-serve ruben",[ssh options here] ssh-rsa AA[..rest of
key here...]jw== ruben at ruben

This line causes every ssh connection from the machine that has
ruben's key to automatically execute gitosis-serve, no matter what
command was actually sent.  The command that was originally sent is
stored in the environment variable SSH_ORIGINAL_COMMAND.  In the
'gitosis-serve' script, the configuration file is read, it determines
if you have read and/or write permissions to the repository you're
requesting, and if you do, it launches the gitosis serve process for
the rest of the connection.  If not, it throws an error.

So, in order for the gitosis-serve (or bzr equivalent) to determine if
you have read or write access to the repository in question, it needs
to know which repository you're trying to access before any type of
server process is initiated.  This is what I'm trying to do...

I see that the guy that wrote bzr_access was kind of trying to do the
same thing - the script references SSH_ORIGINAL_COMMAND, but it never
actually uses it.

Anyway, hope that makes sense.

-- 
Adam Olsen
SendOutCards.com
http://www.vimtips.org
http://last.fm/user/synic
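An added illustration of the check the post describes (this is example code written for this page, not gitosis's own code or anything from the thread): it parses a config in the [group ...] style shown above, pulls the requested repository out of SSH_ORIGINAL_COMMAND, and decides whether the user holds the read or write access that command needs. The config text, user names and command strings are constructed samples.

```python
import configparser
import re
import shlex

# Constructed sample config in the style of the gitosis.conf shown in the post.
SAMPLE_CONF = """
[group developers]
members = todd bill
writable = project1 project2

[group webguys]
members = travis chris
readonly = project1
"""

# Access each git server command needs: upload-pack is clone/fetch, receive-pack is push.
COMMAND_ACCESS = {"git-upload-pack": "read", "git-receive-pack": "write"}

def load_groups(text):
    """Parse each [group NAME] section into (members, writable, readonly) sets."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [tuple(set(cp[s].get(k, "").split())
                  for k in ("members", "writable", "readonly"))
            for s in cp.sections() if s.startswith("group ")]

def access_for(groups, user, repo):
    """Strongest grant for user on repo across all groups: 'write', 'read' or None."""
    level = None
    for members, writable, readonly in groups:
        if user in members and repo in writable:
            return "write"
        if user in members and repo in readonly:
            level = "read"
    return level

def authorize(groups, user, original_command):
    """Decide whether user may run SSH_ORIGINAL_COMMAND; returns True or False."""
    try:
        parts = shlex.split(original_command)
    except ValueError:  # unbalanced quotes
        return False
    if len(parts) != 2 or parts[0] not in COMMAND_ACCESS:
        return False
    repo = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    # Plain names only: reject '/', '..' and absolute paths before any filesystem use.
    if not re.fullmatch(r"[A-Za-z0-9_-][A-Za-z0-9_.-]*", repo):
        return False
    have = access_for(groups, user, repo)
    return have == "write" or (have == "read" and COMMAND_ACCESS[parts[0]] == "read")
```

Anything that is not one of the two git server commands against a plainly named, granted repository is refused, which is the "throws an error" branch from the post.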


