All:

The use case I'm trying to work on is Mercurial best practices for setting up a multi-user repository. My assumptions are:

- I only want to support push via ssh (not http) because of more secure authentication and optional compression
- I want control of exactly what kind of shell privileges each user has
- Setting up ssh for password-less operation is understood [1]
- In reviewing the man page for "hg push" [2] it is clear that a shell account is required for ssh pull/push to work.
- I'm a Mercurial newbie and may have missed the FAQ entry for this on [3]
It would seem the most convenient way to handle multiuser access then would be to add a local account for each authorized remote user who will have commit access where each user is a member of the same local UNIX group (for whatever nsswitch.conf authentication mechanism is used on the Hg server) and (for Hg only users) the shell is set to /bin/rbash [4]. The user(s) who will administer Hg on the server must also be in the same UNIX group and the .hg files must be set for group write permission. An example of grabbing a mercurial snapshot, adding a file and pushing it back to the server is shown below [5]. I'm assuming that adding many remote committers would be fairly straightforward and scriptable. It seems that rbash can sufficiently control shell account usage. What seems tricky is exactly how group write permission must be maintained [6]. Should the umask be set to 002 in .bash_profile (i.e. fixed via ssh)? Or should one of the Mercurial hooks be used? Are there alternative best practices for multiuser commit access via ssh? Thanks! 
--Tom

[1] passwordless ssh means I can do this (machine "tv" is remote):

[EMAIL PROTECTED] 9% exec ssh-agent tcsh
[EMAIL PROTECTED] 2% ssh-add
Enter passphrase for /home/testme/.ssh/id_dsa: my secret passphrase
Identity added: /home/testme/.ssh/id_dsa (/home/testme/.ssh/id_dsa)
[EMAIL PROTECTED] 3% ssh tv cal
     June 2007
Su Mo Tu We Th Fr Sa
                1  2
 3  4  5  6  7  8  9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
[EMAIL PROTECTED] 4%

[2] http://www.selenic.com/mercurial/hg.1.html

[3] http://www.selenic.com/mercurial/wiki/index.cgi/FAQ

[4] Setting up restricted commands

[EMAIL PROTECTED] 17# mkdir -p /usr/local/hg/bin
[EMAIL PROTECTED] 18# cd /usr/local/hg/bin
/usr/local/hg/bin
[EMAIL PROTECTED] 19# ln -s /bin/ls
[EMAIL PROTECTED] 20# ln -s /bin/date
[EMAIL PROTECTED] 21# ln -s /usr/bin/cal
[EMAIL PROTECTED] 22# ln -s /usr/bin/hg
[EMAIL PROTECTED] 23# ln -s /usr/bin/rsync
[EMAIL PROTECTED] 24# grep PATH ~testme/.bash_profile
export PATH=/usr/local/hg/bin
[EMAIL PROTECTED] 25#

[5] Example push via ssh

[EMAIL PROTECTED] 21% hg clone ssh://tv//data0/tmarble/mercurial/demohg
destination directory: demohg
requesting all changes
adding changesets
adding manifests
adding file changes
added 6 changesets with 5 changes to 4 files
3 files updated, 0 files merged, 0 files removed, 0 files unresolved
[EMAIL PROTECTED] 22% cd demohg
/home/testme/mercurial/demohg
[EMAIL PROTECTED] 23% date > testme.txt
[EMAIL PROTECTED] 24% hg add testme.txt
[EMAIL PROTECTED] 25% setenv EDITOR 'emacs -nw'
[EMAIL PROTECTED] 26% hg commit
No username found, using '[EMAIL PROTECTED]' instead
[EMAIL PROTECTED] 27% hg push ssh://tv//data0/tmarble/mercurial/demohg
pushing to ssh://tv//data0/tmarble/mercurial/demohg
searching for changes
remote: adding changesets
remote: adding manifests
remote: adding file changes
remote: added 1 changesets with 1 changes to 1 files
[EMAIL PROTECTED] 28%

[EMAIL PROTECTED] 100% pwd
/data0/tmarble/mercurial/demohg
[EMAIL PROTECTED] 101% hg update
1 files updated, 0 files merged, 1 files removed, 0 files unresolved
[EMAIL PROTECTED] 102% cat testme.txt
Tue Jun 5 18:08:40 CDT 2007
[EMAIL PROTECTED] 103% ls -l testme.txt
-rw-r--r-- 1 tmarble users 29 2007-06-05 18:08 testme.txt
[EMAIL PROTECTED] 104%

[6] complication of group permissions

[EMAIL PROTECTED]:~/mercurial/demohg$ hg pull ssh://tv//data0/tmarble/mercurial/demohg
pulling from ssh://tv//data0/tmarble/mercurial/demohg
searching for changes
adding changesets
adding manifests
adding file changes
added 4 changesets with 3 changes to 3 files
(run 'hg update' to get a working copy)
[EMAIL PROTECTED]:~/mercurial/demohg$ hg update
3 files updated, 0 files merged, 1 files removed, 0 files unresolved
[EMAIL PROTECTED]:~/mercurial/demohg$ cal > testme.txt
[EMAIL PROTECTED]:~/mercurial/demohg$ hg commit
No username found, using '[EMAIL PROTECTED]' instead
[EMAIL PROTECTED]:~/mercurial/demohg$ hg push ssh://tv//data0/tmarble/mercurial/demohg
pushing to ssh://tv//data0/tmarble/mercurial/demohg
searching for changes
remote: adding changesets
remote: adding manifests
remote: adding file changes
remote: abort: Permission denied - /data0/tmarble/mercurial/demohg/.hg/data/testme.txt.i
remote: transaction abort!
remote: rollback completed
[EMAIL PROTECTED]:~/mercurial/demohg$
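The permission failure in [6] happens because the repository owner created the store under umask 022, so .hg/data/testme.txt.i is mode 644 and a second account in the same group cannot append to it. The following is an added example, not code from Tom's post or from Mercurial itself: a pair of POSIX shell functions that put a repository's .hg store into a shared-group state (group ownership, group write, setgid directories so new files inherit the group) and audit it for paths a group member could not write. The repository path and group name are arguments; the function names hg_share_repo and hg_check_share are this example's own.

```shell
# Added example (not from the original post or from Mercurial): share a
# Mercurial repository's .hg store among the members of one UNIX group.
# Assumes a POSIX shell with chgrp, chmod and find. Run as a user who owns
# the store (or as root); REPO is the repository root, GROUP the group name.

# hg_share_repo REPO GROUP
# Give GROUP ownership of everything under .hg, make files group-writable,
# and make directories mode 2775 (group-writable plus setgid) so that files
# later created by any pusher are owned by GROUP rather than the pusher's
# primary group.
hg_share_repo() {
    repo=$1
    group=$2
    [ -d "$repo/.hg" ] || { echo "not a Mercurial repository: $repo" >&2; return 1; }
    chgrp -R "$group" "$repo/.hg"
    find "$repo/.hg" -type d -exec chmod 2775 '{}' +
    find "$repo/.hg" -type f -exec chmod g+rw '{}' +
}

# hg_check_share REPO GROUP
# Print every path under .hg that is not owned by GROUP, not group-writable,
# or (for directories) not setgid, and return 1 if any exists. This is the
# audit that would have flagged .hg/data/testme.txt.i before the second
# account's push aborted with "Permission denied".
hg_check_share() {
    repo=$1
    group=$2
    bad=$(find "$repo/.hg" \( ! -group "$group" -o ! -perm -020 \
              -o \( -type d ! -perm -2000 \) \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage from the command line: ./share.sh /data0/tmarble/mercurial/demohg users
if [ "$#" -eq 2 ]; then
    hg_share_repo "$1" "$2" && hg_check_share "$1" "$2"
fi
```

The setgid bit only fixes the group of files Mercurial creates during a push; their mode still comes from the pushing account's umask, so every pusher also needs `umask 002` (rbash still reads ~/.bash_profile, so it can sit next to the PATH line in [4]), and the audit above will show any file that slips in under 022. On the rbash side, keep in mind that the restricted shell only limits what the login shell itself does: any program it is allowed to run that can start other programs (rsync's --rsh option, for instance) is not restricted, so the effective boundary is the set of commands in /usr/local/hg/bin rather than rbash. The more common arrangement for ssh-only Mercurial access is a forced command (Mercurial ships a contrib/hg-ssh wrapper for this) in each key's authorized_keys entry, which avoids giving pushers a shell at all.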