Question

All our developers are able to log in to our staging server via ssh.

When they run any hg command on the staging servers it makes them the owner of the updated/new files. I need these files to be owned by the user/group www-data.

I tried editing the sudoers files to this

Cmnd_Alias WWW_DATA_CMDS = /usr/bin/svn, /usr/bin/hg

%developers  ALL=(www-data) NOPASSWD: WWW_DATA_CMDS

As you can see we have SVN on the server as well (we are moving away from SVN to HG), and this setup works fine for SVN: if we run the SVN command it creates files as www-data.

How do I get the same to work for Mercurial?


Solution

First understand that there's no magic here. Mercurial always creates files as the user it runs as, end of story. It doesn't try (and doesn't even have permission) to do anything else.

That means that if you run hg only via sudo, and the permissions of the existing files are right, it WILL do what you want here.

But that also means that if users run hg without sudo, and they have the right permissions, they WILL make a mess. Mercurial is content to let you do whatever is allowed by the Unix permission model.

There are three approaches to dealing with this:

  • slap knuckles with a ruler until people use sudo consistently
  • use a wrapper like mercurial-server that funnels all users into one account
  • properly configure group, umask, ownerships, and permissions so things can actually be shared

This last works as follows:

  • make sure every user X has a matching default group X (most modern systems already do this)
  • add everyone (and www-data) to a secondary group project-foo
  • make sure everyone's umask is set at login to NOT mask group read/write (umask 007, not 077)
  • set all files in the project to be in group project-foo (chgrp -R project-foo foo/)
  • make all files read/write by that group (chmod -R g+rw foo/)
  • make all directories traversable and setgid (find foo/ -type d | xargs chmod g+sx)

This will ensure that every time a user creates a file in the project, it will be read/write for everyone else in the group.
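The following script is an added example, not part of the original answer: it runs the chgrp/chmod/setgid recipe above on a throwaway directory and then checks what a developer's fresh checkout would actually produce under it. It assumes a POSIX shell with ls, awk, find and chgrp, picks one of the current account's supplementary groups to stand in for project-foo (falling back to the primary group when the account has no other), and creates files with umask 007 exactly as the answer recommends; the setgid bit is the part that makes new files land in the shared group instead of the creator's.

```shell
#!/bin/sh
# Added example (not from the original answer): exercise the shared-group
# recipe on a temporary tree and verify that a file written with umask 007
# under a setgid directory comes out owned by the shared group and group rw.
set -eu

# Choose the group that stands in for project-foo. A supplementary group makes
# the setgid effect visible; with no supplementary group, use the primary one.
pick_share_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# setup_shared_dir DIR GID: the chgrp / chmod g+rw / setgid steps from the answer.
setup_shared_dir() {
    dir=$1
    grp=$2
    mkdir -p "$dir"
    chgrp -R "$grp" "$dir"
    chmod -R g+rw "$dir"
    find "$dir" -type d -exec chmod g+sx {} +   # traversable and setgid
}

# create_as_member DIR: what a developer's hg update does, with the umask the
# answer asks for (umask 007 leaves group read/write intact).
create_as_member() {
    dir=$1
    (
        umask 007
        mkdir "$dir/sub"              # new directory should inherit setgid
        echo data > "$dir/sub/newfile" # new file should inherit the group
    )
}

# Numeric gid and the ten-character mode string of a path (POSIX ls -ldn).
file_group() { ls -ldn "$1" | awk '{ print $4 }'; }
file_mode()  { ls -ldn "$1" | awk '{ print substr($1, 1, 10) }'; }

# group_rw PATH: true when the group triad is rw (positions 5-6 of the mode).
group_rw() {
    case $(file_mode "$1") in
        ?rw?rw*) return 0 ;;
        *)       return 1 ;;
    esac
}

# demo: run the recipe end to end; prints "ok" when every expectation holds.
demo() {
    work=$(mktemp -d)
    grp=$(pick_share_group)
    setup_shared_dir "$work/foo" "$grp"
    create_as_member "$work/foo"
    f="$work/foo/sub/newfile"

    [ "$(file_group "$f")" = "$grp" ] || { echo "group not inherited"; return 1; }
    group_rw "$f"                       || { echo "file not group rw"; return 1; }
    case $(file_mode "$work/foo/sub") in
        drwxrws*) ;;
        *) echo "setgid not inherited by new directory"; return 1 ;;
    esac

    rm -rf "$work"
    echo ok
}

if [ "${1:-}" = run ]; then
    demo
fi
```

Run it as `sh shared-group-check.sh run`. If it reports "group not inherited", the setgid bit did not stick (a filesystem mounted with `nogrpid` semantics, or a `chmod -R` that stripped it after the `find`); if it reports "file not group rw", the login umask is still masking group bits and the umask step of the recipe has not taken effect for that account.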

Licensed under: CC-BY-SA with attribution