document @shell feature, allow "info" for all,

...but still distinguish shell folks with a small extra line telling them they have shell access
rsrchboy · Dec 23, 2009 · b0ce84d · b0ce84d
1 parent 9c3abb2
commit b0ce84d
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/conf/example.conf b/conf/example.conf
@@ -212,3 +212,19 @@ repo gitolite
 # This does either a plain "git config section.key value" (for the first 3
 # examples above) or "git config --unset-all section.key" (for the last
 # example).  Other forms (--add, the value_regex, etc) are not supported.
+
+# SHELL ACCESS
+# ------------
+
+# It is possible to give certain users shell access as well as allow them to
+# use gitolite features for their git repo access.  The idea is to eliminate
+# the need for 2 keys when both shell and gitolite access are needed.
+
+# To give a user shell access, add the username to the special @SHELL group:
+
+@SHELL      =   sitaram
+
+# Do not add people to this group indiscriminately.  AUDITABILITY OF ACCESS
+# CONTROL CHANGES (AND OF REPO ACCESSES) WILL BE COMPROMISED IF ADMINS CAN
+# FIDDLE WITH THE ACTUAL (PLAIN TEXT) LOG FILES THAT GITOLITE KEEPS, WHICH
+# THEY CAN EASILY DO IF THEY HAVE A SHELL.
diff --git a/doc/6-ssh-troubleshooting.mkd b/doc/6-ssh-troubleshooting.mkd
@@ -1,5 +1,20 @@
 # ssh troubleshooting
 
+Update 2009-12-23: most of this document is now of historical interest and
+will be totally revamped when I have time.  For now, just note this amendment.
+
+The document below says "we can't use the same key for both [gitolite access
+and shell access]...".  We've managed (thanks to an idea from Jesse Keating)
+to get around this.  Now it *is* possible for a single key to allow both
+gitolite access *and* shell access.
+
+This is done by placing such a user in a special `@SHELL` group in the
+gitolite config file.  As usual, please see `conf/example.conf` for more info
+on this, since I'm using that as a central place to document anything
+concerned with the conf file.
+
+----
+
 Ssh has always been the biggest troublespot in all this.  While gitolite makes
 it as easy as possible, you might still run into trouble sometimes.
 

diff --git a/src/gl-auth-command b/src/gl-auth-command
@@ -82,8 +82,9 @@ unless ($ENV{SSH_ORIGINAL_COMMAND}) {
 
 my $cmd = $ENV{SSH_ORIGINAL_COMMAND};
 # people allowed to get a shell can get basic access info by asking nicely
-if ($shell_allowed and $cmd eq 'info') {
+if ($cmd eq 'info') {
     &report_basic($GL_ADMINDIR, $GL_CONF_COMPILED, $user);
+    print "you also have shell access\n\r" if $shell_allowed;
     exit 1;
 }