禁止访问Web服务器中的某些文件-Mercurial/SSH [英] Prevent access to some files in webserver - mercurial/ssh
问题描述
我有一台centos服务器,其中的代码使用Mercurial存储库维护. 为了允许新用户将代码提交给Mercurial,我创建了一个新用户,将其添加到webdev组中,他们可以通过
I have a centos server with code maintained using a mercurial repo. To allow a new person to commit code to mercurial, I create a new user, add them to the webdev group, and they can push / pull code by
hg pull ssh://name@server.com.
但是,有些文件(配置文件)我不希望新用户访问.已要求Mercurial不要跟踪这些文件,因此访问它们的唯一方法是ssh进入系统并查看文件.我不希望新用户能够这样做.
However, there are some files (config files) that I would not like new users to have access to. Mercurial has been asked not to track these files, so the only way to access them is to ssh into the system and look at the files. Which I dont want new users to be able to do.
从本质上讲,我希望我的新开发人员仅通过hg拉/推文件,并禁止直接将ssh-sing到系统中.最好的方法是什么?我可以提供对回购协议的hg访问而无需提供对文件的ssh访问吗?
In essence, I want my new developers to only pull/push files through hg and disallow ssh-ing directly into the system. What the best way to do this? Can I provide hg access to a repo without providing ssh access to the files?
(或者我的问题解决方法有缺陷吗?)
(or is my approach to the problem flawed?)
谢谢!
推荐答案
通过利用.ssh\authorized_keys文件中可用的command选项,可以很容易地做到这一点.当您在文件中授予他们的密钥访问权限时,可以在其密钥前添加一个"command = ...."参数,这是他们可以运行的唯一命令.
This can be really easily done by taking advantage of the command option available in .ssh\authorized_keys files. When you're granting their key access in that file you can prepend a "command=...." argument to their key and that's the only command they can run.
Mercurial附带了一个方便的脚本,可以准确地完成此任务.里面有说明:
Mercurial ships with a handy script for doing exactly that. It has instructions inside:
https://www.mercurial-scm .org/repo/hg/file/tip/contrib/hg-ssh
这篇关于禁止访问Web服务器中的某些文件-Mercurial/SSH的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
