mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Merge branch 'master' of ssh://git-annex.branchable.com

Browse source
This commit is contained in:
Joey Hess 2016-04-04 16:10:39 -04:00
commit 4a9b021543
Failed to extract signature
3 changed files with 31 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
doc/bugs/git-annex-shell__58___bad_parameters_when_trying_to_configure_a_shell_sandbox.mdwn
View file

@ -125,3 +125,5 @@ git-annex: get: 1 failed
### Have you had any luck using git-annex before? (Sometimes we get tired of reading bug reports all day and a lil' positive end note does wonders)
I seem to recall I had that working in the past, and I feel I am probably doing something stupidly wrong, but here I am. Sorry about that, I'll be sure to fix the documentation more clearly (esp. in the [[git-annex-shell]] manpage when I figure it out! --[[anarcat]]
Well, it looks like this PEBKAC here - could have sworn I had tested the wrapper, but it seems I didn't do it properly. I'll fixup the documentation for things to be clearer, but this is basically fixed now, with a proper ~/.ssh/git-annex. I don't understand why the wrapper is necessary, but thanks for the feedback! [[done]]

7
doc/forum/Restricting_git-annex-shell_to_a_specific_repository/comment_6_b3a0db1c2f11770b7c6f13964f2d1784._comment Normal file
View file

@ -0,0 +1,7 @@
[[!comment format=mdwn
username="anarcat"
subject="clarified manpage"
date="2016-04-04T20:00:39Z"
content="""
i have (hopefully) clarified the [[git-annex-shell]] manpage to clearly state how to setup a restricted repository. hopefully, that will avoid further mistakes. :) i am still unclear as to why the wrapper script is necessary, but that's a different issue. --[[anarcat]]
"""]]

22
doc/git-annex-shell.mdwn
View file

@ -134,6 +134,28 @@ changed.
If set, git-annex-shell will refuse to run commands that do not operate
on the specified directory.
# EXAMPLES
git-annex-shell(1) is usually called through a wrapper installed by the git-annex-assistant(1) in the `~/.ssh/authorized_keys` file on the remote host. To make such a setup manually, you will need the following wrapper installed in `~/.ssh/git-annex-shell`:
#!/bin/sh
set -e
if [ "x$SSH_ORIGINAL_COMMAND" != "x" ]; then
exec /usr/bin/git-annex-shell -c "$SSH_ORIGINAL_COMMAND"
else
exec /usr/bin/git-annex-shell -c "$@"
fi
Then restrictions can be implemented to specific SSH keys using the
`command=` parameter. For example, the following forces the key to be
read-only, run only git-annex commands on the given directory:
command="GIT_ANNEX_SHELL_DIRECTORY=/srv/annex GIT_ANNEX_SHELL_LIMITED=true GIT_ANNEX_SHELL_READONLY=true ~/.ssh/git-annex-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1y[...] user@example.com
Obviously, `ssh-rsa AAAAB3NzaC1y[...] user@example.com` needs to
replaced with your SSH key.
# SEE ALSO
[[git-annex]](1)