| The program "kup-server" is expected to be the receiver of an ssh |
| shell, configured with the following options in authorized_keys or |
| similar: |
| |
| command="/path/to/kup-server",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding <pubkey> |
| |
| Each user should have their own UID, as Unix user permissions are used |
| for specific tree access control. |
| |
| |
| The following pathnames in kup-server need to be customized |
| appropriately. |
| |
| All of these paths should be disjoint! |
| |
| |
| my $data_path = '/var/lib/kup/pub'; |
| |
| This is the path under which files are uploaded. |
| |
| |
| my $git_path = '/var/lib/git'; |
| |
| This is the path where git trees (for the TAR and DIFF options) are |
| available. Those should be readonly for the uploaders. |
| |
| |
| my $lock_file = '/var/run/kup/lock'; |
| |
| A common lock file for $data_path. No program should modify the |
| content in $data_path without holding an flock on this file. Should |
| be readonly for the uploaders. |
| |
| |
| my $tmp_path = '/var/lib/kup/tmp/'; |
| |
| This can be either: |
| |
| a) a directory writable by every user and with the sticky bit set |
| (typically mode 1777 or 1770). In that case, DO NOT end the path |
| with a slash, or: |
| b) A directory containing an empty directory for each user (named for |
| that user), owned by that user and mode 700. In this case, DO end |
| the path with a slash. |
| |
| In either case, this directory tree MUST same filesystem as |
| $data_path, since the script expects to create files in this directory |
| and rename() them into $data_path. |
| |
| |
| my $pgp_path = '/var/lib/kup/pgp'; |
| |
| A directory containing a GnuPG public keyring for each user, named |
| <user>.gpg and readable (but not writable) by that user. |
| |