|
Size: 4114
Comment: default perms
|
Size: 4471
Comment: Tidied up, linked a few things, tried to make the text more style guide compliant.
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| The traditional CVS-like model allows multiple different users to commit to the main [[Repository|repository]]. Indeed, it's about the only way to do things. | The traditional [[CvsLikePractice|CVS-like model]] allows multiple different users to commit to the main [[Repository|repository]]. Indeed, it's about the only way to do things. |
| Line 16: | Line 16: |
| == The Shared SSH method == | == The shared SSH method == |
| Line 18: | Line 18: |
| The typical way to do create a SSH reachable repository is to create a special account for that project, create the project under that account, then provide each user with an SSH key that's authorized to use that account. See [[SharedSSH]] for general setup details. | The typical way to create an SSH-reachable repository is to create a special account for that project, create the project under that account, then provide each user with an SSH key that's authorized to use that account. See the guide to [[SharedSSH|shared SSH]] for general setup details. |
| Line 20: | Line 20: |
| Another way is just to provide regular SSH access and setup the depot with the "filesystem method", below. | Another way to use SSH is just to provide regular SSH access and set up the depot with the "filesystem method", below. The only role of SSH in this case is that of a mechanism for reaching the remote repository. |
| Line 24: | Line 24: |
| The repository will be shared via a webserver cgi-script, which also allows pushing. The security is webserver security. See HgWebDirStepByStep for general setup details. |
The repository will be shared via a web server, which can also allow pushing. The security is handled by the web server. See the guide to [[PublishingRepositories|publishing repositories]] for some guidance. |
| Line 29: | Line 28: |
| The idea here is to create a repository that has a group ID that allows multiple users to access it. | The idea here is to create a repository that is accessible by members of a certain user group. Multiple users will be able to access it if they belong to this group. |
| Line 31: | Line 30: |
| The following steps apply to *nix operating systems. | The following steps apply to Unix-like operating systems: |
| Line 33: | Line 32: |
| The first step is to add a new group to {{{/etc/group}}}. The 'kosher' method for accomplishing this varies from system to system, but the end result is a new line in {{{/etc/group}}} like the following: | 1. Add a new group to `/etc/group`. The recommended method for accomplishing this varies from system to system, but the end result is a new line in `/etc/group` like the following: {{{ project:x:100001:alice,bob,charlie }}} Here, `project` is the name of the group. 2. Create a repository that's writable by that group: {{{ mkdir /home/mercurial/project cd /home/mercurial/project hg init chgrp project .hg .hg/* .hg/store/* chmod g+w .hg .hg/* .hg/store/* chmod g+s .hg .hg/store .hg/store/data }}} * The `chgrp` command marks the project as belonging to the `project` group. * The first `chmod` command marks the repository data writable by that group. * Finally, the second `chmod` command sets the 'setgid' bit on the project directories, which causes new files created in those directories to be marked as belonging to that group (rather than the user's default group). If you are using a version of Mercurial older than 1.0, it's important that each user's umask be set to `002` or something similar. If it's set to `022`, group write privileges will be masked off for files that users create, causing other users to be unable to modify them. You can change the default umask for a user by editing their `~/.profile` and adding the line... |
| Line 36: | Line 60: |
| project-x:x:100001:alice,bob,charlie | umask 002 |
| Line 38: | Line 62: |
| Then, we create a repository that's writable by that group: | |
| Line 40: | Line 63: |
| {{{ mkdir /home/mercurial/project-x cd /home/mercurial/project-x hg init chgrp project-x .hg .hg/* .hg/store/* chmod g+w .hg .hg/* .hg/store/* chmod g+s .hg .hg/store .hg/store/data }}} The chgrp command marks the project as belonging to the project-x group. The first chmod command marks the repository data writable by that group. And finally, the second chmod command sets the 'setgid' bit on the project directories, which causes new files created in those directories to be marked as belonging to that group (rather than the user's default group). |
Alternatively, you can edit `/etc/profile` to change the system-wide settings. Changing the `/etc/profile` will not work if people check in stuff with the `hg` command, as that file isn't read by non-interactive shells, `/etc/bash.bashrc` is a better place to put the system-wide settings. |
| Line 52: | Line 65: |
| If you are using an hg version older than 1.0, it's important that each user's umask be set to 002 or something similar. If it's set to 022, group write privileges will be masked off for files that users create, causing other users to be unable to modify them. You can change the default umask for a user by editing their ~/.profile and adding the line 'umask 002'. Alternatively, you can edit /etc/profile to change the system-wide settings. Changing the /etc/profile will not work if people check in stuff with the hg command, as that file isn't read by non-interactive shells, /etc/bash.bashrc is a better place to put the system-wide settings. Otherwise since hg 1.0, the default permission is inherited from .hg/store |
Otherwise since Mercurial 1.0, the default permission is inherited from `.hg/store`. |
| Line 61: | Line 70: |
| hg clone /home/mercurial/project-x cd project-x |
hg clone /home/mercurial/project cd project |
| Line 65: | Line 74: |
| hg push /home/mercurial/project-x | hg push /home/mercurial/project |
| Line 75: | Line 84: |
| This means you should pull the latest changes from project-x before pushing. | This means you should pull the latest changes from `project` before pushing. |
| Line 84: | Line 93: |
| As always, SyncEarlySyncOften. | As always, [[SyncEarlySyncOften|sync early, sync often]]! |
How To Handle Multiple Committers
The traditional CVS-like model allows multiple different users to commit to the main repository. Indeed, it's about the only way to do things.
But in Mercurial, in some sense there is no 'main' repository. Users each have their own private repository to commit to and they can pull commits in from other users. This is rather drastically different than the CVS model and it has a number of advantages:
- it's easier to review the work that's being pulled in before merging
- it's easier to time or reorder merges for testing or deployment
- no concept of permissions is needed
- everything is atomic, no need to wait for locks
It is, of course, also possible to push as well as pull, though this is generally used to publish changes in a public place.
However, it is possible (though not recommended) to set up Mercurial to allow multiple users to push to a single repository. This allows Mercurial to be used in a more CVS-like fashion. Below are a couple possible approaches.
1. The shared SSH method
The typical way to create an SSH-reachable repository is to create a special account for that project, create the project under that account, then provide each user with an SSH key that's authorized to use that account. See the guide to shared SSH for general setup details.
Another way to use SSH is just to provide regular SSH access and set up the depot with the "filesystem method", below. The only role of SSH in this case is that of a mechanism for reaching the remote repository.
2. The HTTPS method
The repository will be shared via a web server, which can also allow pushing. The security is handled by the web server. See the guide to publishing repositories for some guidance.
3. The filesystem method
The idea here is to create a repository that is accessible by members of a certain user group. Multiple users will be able to access it if they belong to this group.
The following steps apply to Unix-like operating systems:
Add a new group to /etc/group. The recommended method for accomplishing this varies from system to system, but the end result is a new line in /etc/group like the following:
project:x:100001:alice,bob,charlie
Here, project is the name of the group.
- Create a repository that's writable by that group:
mkdir /home/mercurial/project cd /home/mercurial/project hg init chgrp project .hg .hg/* .hg/store/* chmod g+w .hg .hg/* .hg/store/* chmod g+s .hg .hg/store .hg/store/data
The chgrp command marks the project as belonging to the project group.
The first chmod command marks the repository data writable by that group.
Finally, the second chmod command sets the 'setgid' bit on the project directories, which causes new files created in those directories to be marked as belonging to that group (rather than the user's default group).
If you are using a version of Mercurial older than 1.0, it's important that each user's umask be set to 002 or something similar. If it's set to 022, group write privileges will be masked off for files that users create, causing other users to be unable to modify them.
You can change the default umask for a user by editing their ~/.profile and adding the line...
umask 002
Alternatively, you can edit /etc/profile to change the system-wide settings. Changing the /etc/profile will not work if people check in stuff with the hg command, as that file isn't read by non-interactive shells, /etc/bash.bashrc is a better place to put the system-wide settings.
Otherwise since Mercurial 1.0, the default permission is inherited from .hg/store.
Now you're ready to go:
hg clone /home/mercurial/project cd project [make changes] hg commit hg push /home/mercurial/project
4. Keeping in sync
You may sometimes get a warning like this when you push:
abort: unsynced remote changes!
This means you should pull the latest changes from project before pushing.
You may also get a warning like this:
abort: push creates new remote branches!
This means you've probably forgotten to merge changes you've pulled with the changes you're trying to push.
As always, sync early, sync often!