[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Automatic updating on a checkin

From: Duncan Booth <duncan.booth_at_suttoncourtenay.org.uk>
Date: 2006-05-04 09:29:44 CEST

Mads B. Tandrup wrote:

> Duncan Booth wrote:
>>
>> The hook would be running as the apache user on the subversion
>> server, so the 'svn up' needs to be kicked off as a different user. I
>> would rather not trust the apache user from the svn server further
>> than necessary, so I would like some solution which allows a specific
>> command to be run but not others: maybe ssh+sudo, or should that be
>> sudo+ssh?
>>
>
> Have a look at the OpenSSH sshd documentation. Under "AUTHORIZED_KEYS
> FILE FORMAT" you'll find the following option:
>
> command="command"
> Specifies that the command is executed whenever this key is used
> for authentication. The command supplied by the user (if any) is
> ignored. The command is run on a pty if the client requests a
> pty; otherwise it is run without a tty. If an 8-bit clean chan-
> nel is required, one must not request a pty or should specify no-
> pty. A quote may be included in the command by quoting it with a
> backslash. This option might be useful to restrict certain pub-
> lic keys to perform just a specific operation. An example might
> be a key that permits remote backups but nothing else. Note that
> the client may specify TCP and/or X11 forwarding unless they are
> explicitly prohibited. Note that this option applies to shell,
> command or subsystem execution.
>
> So you will be able to generate an SSH key for your Apache server
> which only supports doing an "svn up /foo/bar".
>
Ah, thanks for that, I didn't know about that option. I think that I should
be able to do something with that.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu May 4 09:31:03 2006

This is an archived mail posted to the Subversion Users mailing list.