# NAME

git-annex-shell - Restricted login shell for git-annex only SSH access

# SYNOPSIS

git-annex-shell [-c] command [params ...]

# DESCRIPTION

git-annex-shell is a restricted shell, similar to git-shell, which
can be used as a login shell for SSH accounts.

Since its syntax is identical to git-shell's, it can be used as a drop-in
replacement anywhere git-shell is used. For example it can be used as a
user's restricted login shell.

# COMMANDS

Any command not listed below is passed through to git-shell.

Note that the directory parameter should be an absolute path; otherwise
it is assumed to be relative to the user's home directory. Also the
first "/~/" or "/~user/" is expanded to the specified home directory.

* configlist directory

  This outputs a subset of the git configuration, in the same form as
  `git config --list`. This is used to get the annex.uuid of the remote
  repository.

  When run in a repository that does not yet have an annex.uuid, one
  will be created, as long as a git-annex branch has already been pushed to
  the repository, or if the autoinit= flag is used to indicate
  initialization is desired.

* inannex directory [key ...]

  This checks if all specified keys are present in the annex,
  and exits zero if so.

  Exits 1 if the key is certainly not present in the annex.
  Exits 100 if it's unable to tell (perhaps the key is in the process of
  being removed from the annex).

* lockcontent directory key

  This locks a key's content in place in the annex, preventing it from
  being dropped.

  Once the content is successfully locked, outputs "OK". Then the content
  remains locked until a newline is received from the caller or the
  connection is broken.

  Exits nonzero if the content is not present, or could not be locked.

* dropkey directory [key ...]

  This drops the annexed data for the specified keys.

* recvkey directory key

  This runs rsync in server mode to receive the content of a key,
  and stores the content in the annex.

* sendkey directory key

  This runs rsync in server mode to transfer out the content of a key.

* transferinfo directory key

  This is typically run at the same time as sendkey is sending a key
  to the remote. Using it is optional; it is used to update
  progress information for the transfer of the key.

  It reads lines from standard input, each giving the number of bytes
  that have been received so far.

* commit directory

  This commits any staged changes to the git-annex branch.
  It also runs the annex-content hook.

* notifychanges directory

  This is used by `git-annex remotedaemon` to be notified when
  refs in the remote repository are changed.

* gcryptsetup directory gcryptid

  Sets up a repository as a gcrypt repository.

* p2pstdio directory uuid

  This causes git-annex-shell to communicate using the git-annex p2p
  protocol over stdio. When supported by git-annex-shell, this allows
  multiple actions to be run over a single connection, improving speed.

  The uuid is the one belonging to the repository that will be
  communicating with git-annex-shell.

# OPTIONS

Most options are the same as in git-annex. The ones specific
to git-annex-shell are:

* --uuid=UUID

  git-annex uses this to specify the UUID of the repository it was expecting
  git-annex-shell to access, as a sanity check.

* -- fields=val fields=val.. --

  Additional fields may be specified this way, to retain compatibility with
  past versions of git-annex-shell (that ignore these, but would choke
  on new dashed options).

  Currently used fields include remoteuuid=, associatedfile=,
  unlocked=, direct=, and autoinit=

# HOOK

After content is received or dropped from the repository by git-annex-shell,
it runs a hook, `.git/hooks/annex-content` (or `hooks/annex-content` on a bare
repository). The hook is not currently passed any information about what
changed.

# ENVIRONMENT

* GIT_ANNEX_SHELL_READONLY

  If set, disallows any action that could modify the git-annex
  repository.

  Note that this does not prevent passing commands on to git-shell.
  For that, you also need ...

* GIT_ANNEX_SHELL_LIMITED

  If set, disallows running git-shell to handle unknown commands.

* GIT_ANNEX_SHELL_APPENDONLY

  If set, allows data to be written to the git-annex repository,
  but does not allow data to be removed from it.

  Note that this does not prevent passing commands on to git-shell,
  so you will have to separately configure git to reject pushes that
  overwrite branches or are otherwise not appends. The git pre-receive
  hook may be useful for accomplishing this.

  It's a good idea to enable annex.securehashesonly in a repository
  that's set up this way.

* GIT_ANNEX_SHELL_DIRECTORY

  If set, git-annex-shell will refuse to run commands that do not operate
  on the specified directory.

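One way to write the pre-receive hook suggested under GIT_ANNEX_SHELL_APPENDONLY, as an added example that is not part of git-annex or of the original page. The function names are this example's own, and refusing to move existing tags is a policy assumption of the example.

```shell
#!/bin/sh
# Added example, not part of git-annex: pre-receive hook that accepts only
# append-style pushes. Function names are this example's own.

# True when the id is all zeros, git's marker for "no object" (any hash length).
is_null_oid() {
	case "$1" in
		''|*[!0]*) return 1 ;;
		*) return 0 ;;
	esac
}

# check_update OLD NEW REF: status 0 if the update only appends to REF.
check_update() {
	if is_null_oid "$2"; then
		echo "rejected: deleting $3 is not allowed" >&2
		return 1
	fi
	if is_null_oid "$1"; then
		return 0  # newly created ref, nothing is overwritten
	fi
	case "$3" in
		refs/tags/*)  # assumption: existing tags are never moved
			echo "rejected: $3 already exists" >&2
			return 1 ;;
	esac
	# Fast-forward only: the old tip must be an ancestor of the new tip.
	if git merge-base --is-ancestor "$1" "$2"; then
		return 0
	fi
	echo "rejected: non-fast-forward update of $3" >&2
	return 1
}

# git writes one "old new ref" line per updated ref to the hook's stdin;
# a single failing ref rejects the whole push.
run_hook() {
	status=0
	while read -r old new ref; do
		check_update "$old" "$new" "$ref" || status=1
	done
	return "$status"
}

# Run only when installed under the hook's name, so the functions can be
# exercised separately.
case "$0" in
	pre-receive|*/pre-receive) run_hook; exit $? ;;
esac
```

Install it as `hooks/pre-receive` in the bare repository and make it executable. For branches alone, git's `receive.denyDeletes` and `receive.denyNonFastForwards` settings give the same result without a hook.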
# EXAMPLES

To make a `~/.ssh/authorized_keys` file that only allows git-annex-shell
to be run, and not other commands, pass the original command to the -c
option:

    command="git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1y[...] user@example.com

To further restrict git-annex-shell to a particular repository,
and fully lock it down to read-only mode:

    command="GIT_ANNEX_SHELL_DIRECTORY=/srv/annex GIT_ANNEX_SHELL_LIMITED=true GIT_ANNEX_SHELL_READONLY=true git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1y[...] user@example.com

Obviously, `ssh-rsa AAAAB3NzaC1y[...] user@example.com` needs to
be replaced with your SSH key. The above also assumes `git-annex-shell`
is available in your `$PATH`; use an absolute path if that is not the
case.

# SEE ALSO

[[git-annex]](1)

git-shell(1)

# AUTHOR

Joey Hess <id@joeyh.name>

<http://git-annex.branchable.com/>

Warning: Automatically converted into a man page by mdwn2man. Edit with care