[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Automatic updating on a checkin

From: Duncan Booth <duncan.booth_at_suttoncourtenay.org.uk>
Date: 2006-05-05 11:43:29 CEST

Mads B. Tandrup wrote:

> Duncan Booth wrote:
>> The hook would be running as the apache user on the subversion
>> server, so the 'svn up' needs to be kicked off as a different user. I
>> would rather not trust the apache user from the svn server further
>> than necessary, so I would like some solution which allows a specific
>> command to be run but not others: maybe ssh+sudo, or should that be
>> sudo+ssh?
> Have a look at the OpenSSH sshd documentation. Under "AUTHORIZED_KEYS
> FILE FORMAT" you'll find the following option:
> command="command"
> Specifies that the command is executed whenever this key is used
> for authentication. The command supplied by the user (if any) is
> ignored. The command is run on a pty if the client requests a
> pty; otherwise it is run without a tty. If an 8-bit clean chan-
> nel is required, one must not request a pty or should specify no-
> pty. A quote may be included in the command by quoting it with a
> backslash. This option might be useful to restrict certain pub-
> lic keys to perform just a specific operation. An example might
> be a key that permits remote backups but nothing else. Note that
> the client may specify TCP and/or X11 forwarding unless they are
> explicitly prohibited. Note that this option applies to shell,
> command or subsystem execution.
> So you will be able to generate an SSH key for your Apache server
> which only supports doing an "svn up /foo/bar".
Ok, I think I now have this working. The post-commit hook script uses the
following ssh command:

/usr/bin/ssh -x -n -o BatchMode=yes -i <path to id file> <user>@<remote
host> post-commit $REPOS $REV

(with obvious substitutions for bits in angle brackets). For some reason I
don't quite understand, until I added the BatchMode option the commit kept
hanging even though it shouldn't be prompting for a password.

On the remote system, /home/<user>/.ssh/authorized_keys looks like:

forwarding ssh-dss ...

and the hook script itself can get at the arguments (if it should need

That seems to meet my wishes quite nicely: the explicit id file means I can
link different repositories to different hook scripts on the remote machine
and tie each one down to a specific command.


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri May 5 11:45:02 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.