File: Restricting_git-annex-shell_to_a_specific_repository.mdwn

Is there a way to restrict git-annex-shell to a specific directory?
Currently, if git-annex is paired to a remote repository, it adds this to the authorized_keys:


    $ cat ~/.ssh/authorized_keys
    command="~/.ssh/git-annex-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3...

    $ cat ~/.ssh/git-annex-shell 
    #!/bin/sh
    set -e
    exec git-annex-shell -c "$SSH_ORIGINAL_COMMAND"

That gives whoever has the pubkey the right to access all repositories of one user.
It would be nice to have a manual way to limit the access to a specific repository, like:


    $ cat ~/.ssh/git-annex-shell 
    #!/bin/sh
    set -e
    export GIT_ANNEX_SHELL_REPO=~/annex
    exec git-annex-shell -c "$SSH_ORIGINAL_COMMAND"


Or maybe some chroot hackery is the way to go?
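
A defender-side check for the situation described in the post, added here as an example and not part of the original post or of git-annex: it audits an `authorized_keys` file and reports which forced commands reach `git-annex-shell` with no directory restriction. It relies on `GIT_ANNEX_SHELL_DIRECTORY`, the environment variable git-annex-shell documents for refusing commands outside one directory (the post's `GIT_ANNEX_SHELL_REPO` is the poster's proposed name). The function names `audit_annex_keys` and `demo`, the wrapper name `annex-only`, and all key material are constructed for illustration.

```shell
# Added example (not git-annex code); helper names and keys are constructed.
# audit_annex_keys KEYS_FILE HOME_DIR: prints "LINE:restricted" or
# "LINE:unrestricted" for each forced command that reaches git-annex-shell.
audit_annex_keys() {
    var='GIT_ANNEX_SHELL_DIRECTORY='
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '#'*) continue ;;
            *command=\"*) ;;
            *) continue ;;
        esac
        cmd=${line#*command=\"}   # text after command="
        cmd=${cmd%%\"*}           # cut at the next quote; keeps the first word
        prog=${cmd%% *}
        case $prog in '~/'*) prog=$2/${prog#'~/'} ;; esac
        status=
        case $cmd in
            *"$var"*) status=restricted ;;         # variable set inline
            *git-annex-shell*) status=unrestricted ;;
        esac
        # A wrapper is restricted only if an uncommented line assigns the variable.
        if [ "$status" != restricted ] && [ -f "$prog" ] &&
           grep -q git-annex-shell "$prog"; then
            if grep -Eq "^[[:space:]]*(export[[:space:]]+)?$var." "$prog"; then
                status=restricted
            else
                status=unrestricted
            fi
        fi
        if [ -n "$status" ]; then echo "$n:$status"; fi
    done < "$1"
    return 0
}

# Constructed fixture: the post's wrapper, a restricted wrapper, a plain key, an inline form.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh"
    printf 'exec git-annex-shell -c "$SSH_ORIGINAL_COMMAND"\n' > "$d/.ssh/git-annex-shell"
    printf 'export GIT_ANNEX_SHELL_DIRECTORY=$HOME/annex\nexec git-annex-shell -c "$SSH_ORIGINAL_COMMAND"\n' > "$d/.ssh/annex-only"
    printf '%s\n' 'command="~/.ssh/git-annex-shell",no-port-forwarding ssh-rsa AAAAconstructed1' \
        'command="~/.ssh/annex-only",no-port-forwarding ssh-rsa AAAAconstructed2' \
        'ssh-rsa AAAAconstructed3' \
        'command="GIT_ANNEX_SHELL_DIRECTORY=/srv/annex git-annex-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAconstructed4' > "$d/authorized_keys"
    audit_annex_keys "$d/authorized_keys" "$d"
    rm -rf "$d"
}
demo
```

Entries without a forced command are skipped, since they are not limited to git-annex-shell at all and need a separate review.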