GIT, SSH, and GIT-SHELL
You will find a similar mechanism with gitolite, based on ssh and forced command (including ldap queries).
It doesn't allow an interactive shell, however, which could be your issue there.
The OP Frank Brenner adds:
Ah, I figured it out - the command has to be in single quotes. I suppose $SSH_ORIGINAL_COMMAND was getting expanded before git-shell was started.
That is confirmed in the gitolite forced command script, which is a Perl one, ending with:
    # ----------------------------------------------------------------------------
    # over to git now
    # ----------------------------------------------------------------------------
    if ($ENV{REQUEST_URI}) {
        log_it($ENV{REQUEST_URI});
        exec $ENV{GIT_HTTP_BACKEND};
        # the GIT_HTTP_BACKEND env var should be set either by the rc file, or as
        # a SetEnv in the apache config somewhere
    }
    log_it();
    $repo = "'$REPO_BASE/$repo.git'";
    exec("git", "shell", "-c", "$verb $repo") unless $verb eq 'git-init';
Note the $repo = "'$REPO_BASE/$repo.git'" line: it does contain single quotes.
I've made a solution using LDAP, OpenSSH (>4.9) and git-shell.
OpenSSH's ForceCommand is perfect for the job. Consider the following configuration (everyone except admins has to use git-shell):
    Match group *,!admin
        ForceCommand /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"
Access control is defined using ACLs and reponame access groups.
    setfacl -bR -m default:group:$REPONAME:rwX -m group:$REPONAME:rwX $GITROOT/$REPONAME
    setfacl -R -m default:group:$REPONAME-ro:r-X -m group:$REPONAME-ro:r-X $GITROOT/$REPONAME
Don't forget to run "nscd -i group" after each change.
Andor
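Both answers above turn on the same detail: git-shell takes exactly one -c argument, and the repository path inside it has to be single-quoted, because git-shell dequotes it itself (gitolite builds that argument as "$verb $repo" with $repo = "'$REPO_BASE/$repo.git'", and Frank Brenner's fix was to get the quotes into the string). sshd runs a ForceCommand or authorized_keys command= through the user's login shell with -c, so when $SSH_ORIGINAL_COMMAND is expanded there, the client's quoting is at the mercy of that shell. The wrapper below is an added example, not code from the answers and not gitolite's: it validates what the client sent, then rebuilds the single quoted argument itself. It assumes repositories live under $GITROOT (hypothetical default /srv/git), that git-shell is at /usr/bin/git-shell, and that the file is installed as the ForceCommand (or authorized_keys command=) in place of the bare git-shell line.

```shell
#!/bin/sh
# git-forced-command.sh: added example of a forced-command wrapper for git
# over SSH (not gitolite's code, not from the answers above). It validates
# $SSH_ORIGINAL_COMMAND and then execs git-shell with ONE argument in which
# the repository path is single-quoted, the same shape gitolite builds with
# $repo = "'$REPO_BASE/$repo.git'". Assumptions: repositories live under
# $GITROOT (hypothetical default /srv/git); git-shell is /usr/bin/git-shell.

GITROOT="${GITROOT:-/srv/git}"

# parse_git_cmd CMD: prints "VERB REPO" and returns 0 if CMD is one of the
# three verbs git-shell serves, followed by exactly one single-quoted,
# relative repository path; returns 1 for anything else.
parse_git_cmd() {
    cmd=$1
    case "$cmd" in
        "git-upload-pack '"*"'"|"git-receive-pack '"*"'"|"git-upload-archive '"*"'") ;;
        *) return 1 ;;
    esac
    verb=${cmd%% *}
    repo=${cmd#* }
    repo=${repo#\'}      # drop the surrounding single quotes
    repo=${repo%\'}
    # Reject empty names, absolute paths, traversal, and anything outside a
    # conservative character set (so no embedded quotes, spaces or metachars).
    case "$repo" in
        ''|/*|*..*|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    printf '%s %s\n' "$verb" "$repo"
}

# build_git_shell_arg VERB REPO: the single string handed to git-shell -c.
# The path is wrapped in single quotes because git-shell dequotes it itself;
# passing it unquoted (or letting the login shell word-split it) breaks.
build_git_shell_arg() {
    printf "%s '%s/%s'" "$1" "$GITROOT" "$2"
}

# run_forced_command: dispatch what sshd handed us, or refuse. An interactive
# shell request arrives with SSH_ORIGINAL_COMMAND unset and is refused.
run_forced_command() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        printf 'fatal: interactive shell access is not allowed\n' >&2
        exit 1
    fi
    parsed=$(parse_git_cmd "$SSH_ORIGINAL_COMMAND") || {
        printf 'fatal: unsupported command: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    verb=${parsed%% *}
    repo=${parsed#* }
    if [ ! -d "$GITROOT/$repo" ]; then
        printf 'fatal: no such repository: %s\n' "$repo" >&2
        exit 1
    fi
    exec /usr/bin/git-shell -c "$(build_git_shell_arg "$verb" "$repo")"
}

# Only dispatch when sshd actually invoked us inside an SSH session.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_forced_command
fi
```

Installed as `ForceCommand /usr/local/bin/git-forced-command.sh` (hypothetical path) under the same Match block, or as `command="/usr/local/bin/git-forced-command.sh",no-port-forwarding,no-pty` in authorized_keys, the wrapper decides only which git verb reaches which path; who may read or push stays with the filesystem ACLs, exactly as in Andor's setup.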