1 files changed, 127 insertions, 0 deletions

diff --git a/doc/bugs/git-annex-shell__58___bad_parameters_when_trying_to_configure_a_shell_sandbox.mdwn b/doc/bugs/git-annex-shell__58___bad_parameters_when_trying_to_configure_a_shell_sandbox.mdwn
new file mode 100644
index 000000000..1cfbbb714
--- /dev/null
+++ b/doc/bugs/git-annex-shell__58___bad_parameters_when_trying_to_configure_a_shell_sandbox.mdwn
@@ -0,0 +1,127 @@
+### Please describe the problem.
+
+I am trying to make an SSH key restricted to use git-annex and only git-annex, and only readonly on a specific repository (or many repositories, ideally, but let's start with that0>
+
+I am following [[forum/Restricting_git-annex-shell_to_a_specific_repository/]] and searched this wiki for similar problems, but couldn't figure out a solution.
+
+### What steps will reproduce the problem?
+
+1. install git-annex on an android machine (not sure it needs to be on android, but here it is)
+2. create passwordless SSH keys with `ssh-keygen` on the git-annex terminal there
+3. add the public part of that key to `~/.ssh/authorized_keys` on the git-annex server (note: without any command restriction for now)
+4. git clone the repository on the android device
+5. change the `authorized_keys` for this:
+
+    command="git-annex-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB[...]
+
+Expected result: I can operate on the git-annex repository without problem.
+
+Actual result: I get `git-annex-shell: bad parameters` whatever I do.
+
+I have tried variations of the above `authorized_keys` line:
+
+* `command="git-annex-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB[...]`
+* `command="/usr/bin/git-annex-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB[...]`
+* `command="~/.ssh/git-annex-shell",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB[...]`
+
+.. where `~/.ssh/git-annex-shell` is as described in [[forum/Restricting_git-annex-shell_to_a_specific_repository/]]:
+
+[[!format sh """
+#!/bin/sh
+set -e
+
+if [ "x$SSH_ORIGINAL_COMMAND" != "x" ]; then
+exec /usr/bin/git-annex-shell -c "$SSH_ORIGINAL_COMMAND"
+else
+exec /usr/bin/git-annex-shell -c "$@"
+fi
+"""]]
+
+### What version of git-annex are you using? On what operating system?
+
+The "client" side is:
+
+[[!format sh """
+# git annex version
+WARNING: linker: git-annex has text relocations. This is wasting memory and prevents security hardening. Please fix.
+git-annex version: 6.20160317-g204dbf5
+build flags: Assistant Webapp Testsuite S3(multipartupload) WebDAV Inotify XMPP TorrentParser Feeds Quvi
+key/value backends: SHA256E SHA256 SHA512E SHA512 SHA224E SHA224 SHA384E SHA384 SKEIN256E SKEIN256 SKEIN512E SKEIN512 SHA1E SHA1 MD5E MD5 WORM URL
+remote types: git gcrypt S3 bup directory rsync web bittorrent webdav tahoe glacier ddar hook external
+local repository version: 5
+supported repository versions: 5 6
+upgrade supported from repository versions: 0 1 2 4 5
+"""]]
+
+On cyanogenmod 12.1.
+
+The server side is my usual 5.20151208-1~bpo8+1 from backports on Debian jessie.
+
+### Please provide any additional information below.
+
+Example of a failed transfer:
+
+[[!format sh """
+# If you can, paste a complete transcript of the problem occurring here.
+# If the problem is with the git-annex assistant, paste in .git/annex/daemon.log
+
+# git annex get John\ Coltrane/Coltrane/02.\ John\ Coltrane\ -\ Soul\ eyes.mp3   --debug
+WARNING: linker: git-annex has text relocations. This is wasting memory and prevents security hardening. Please fix.
+[2016-04-04 10:38:18.710817] read: git ["--git-dir=.git","--work-tree=.","--literal-pathspecs","-c","core.bare=false","ls-files","--cached","-z","--","John Coltrane/Coltrane/02. John Coltrane - Soul eyes.mp3"]
+get John Coltrane/Coltrane/02. John Coltrane - Soul eyes.mp3 [2016-04-04 10:38:19.067234] read: git ["--git-dir=.git","--work-tree=.","--literal-pathspecs","-c","core.bare=false","show-ref","git-annex"]
+[2016-04-04 10:38:19.226703] process done ExitSuccess
+[2016-04-04 10:38:19.24413] read: git ["--git-dir=.git","--work-tree=.","--literal-pathspecs","-c","core.bare=false","show-ref","--hash","refs/heads/git-annex"]
+[2016-04-04 10:38:19.291315] process done ExitSuccess
+[2016-04-04 10:38:19.297724] read: git ["--git-dir=.git","--work-tree=.","--literal-pathspecs","-c","core.bare=false","log","refs/heads/git-annex..1bb927d3ff7ee7a15623c8798fa20d3ee180d8d6","-n1","--pretty=%H"]
+[2016-04-04 10:38:19.395572] process done ExitSuccess
+[2016-04-04 10:38:19.396091] read: git ["--git-dir=.git","--work-tree=.","--literal-pathspecs","-c","core.bare=false","log","refs/heads/git-annex..b7ab5e62053e838f15e38fc8e4e523da9591f89b","-n1","--pretty=%H"]
+[2016-04-04 10:38:19.443764] process done ExitSuccess
+[2016-04-04 10:38:19.444283] read: git ["--git-dir=.git","--work-tree=.","--literal-pathspecs","-c","core.bare=false","log","refs/heads/git-annex..ee9e429a3b847010adf65665e4dfe0194c46b819","-n1","--pretty=%H"]
+[2016-04-04 10:38:19.487988] process done ExitSuccess
+[2016-04-04 10:38:19.496808] chat: git ["--git-dir=.git","--work-tree=.","--literal-pathspecs","-c","core.bare=false","cat-file","--batch"]
+(from origin...)
+[2016-04-04 10:38:19.62301] read: rsync ["--progress","--inplace","-e","'ssh' '-S' '/data/data/ga.androidterm/tmp/ssh/anarcat@anarc.at' '-o' 'ControlMaster=auto' '-o' 'ControlPersist=yes' '-T' 'anarcat@anarc.at' 'git-annex-shell ''sendkey'' ''/srv/mp3'' ''--debug'' ''SHA256E-s7413367--bdbba13f0631704bcc96220e3b5f2dfd93b186eaf79ef4c8dcf1f6b3dd9b1397.mp3'' --uuid b7802161-c984-4c9f-8d05-787a29c41cfe ''--'' ''remoteuuid=6f812272-18c8-4346-b68a-f57ae50f657e'' ''unlocked='' ''direct='' ''associatedfile=John Coltrane/Coltrane/02. John Coltrane - Soul eyes.mp3'' ''--'''","--","dummy:",".git/annex/tmp/SHA256E-s7413367--bdbba13f0631704bcc96220e3b5f2dfd93b186eaf79ef4c8dcf1f6b3dd9b1397.mp3"]
+git-annex-shell: bad parameters
+
+Usage: git-annex-shell [-c] command [parameters ...] [option ...]
+
+Plumbing commands:
+
+commit        DIRECTORY          commits any staged changes to the git-annex branch
+configlist    DIRECTORY          outputs relevant git configuration
+dropkey       DIRECTORY KEY ...  drops annexed content for specified keys
+gcryptsetup   DIRECTORY VALUE    sets up gcrypt repository
+inannex       DIRECTORY KEY ...  checks if keys are present in the annex
+lockcontent   DIRECTORY KEY      locks key's content in the annex, preventing it being dropped
+notifychanges DIRECTORY          sends notification when git refs are changed
+recvkey       DIRECTORY KEY      runs rsync in server mode to receive content
+sendkey       DIRECTORY KEY      runs rsync in server mode to send content
+transferinfo  DIRECTORY KEY      updates sender on number of bytes of content received
+
+[2016-04-04 10:38:19.805156] process done ExitFailure 12
+
+  rsync failed -- run git annex again to resume file transfer
+
+  Unable to access these remotes: origin
+rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
+rsync error: error in rsync protocol data stream (code 12) at io.c(224) [Receiver=3.1.0dev]
+
+  Try making some of these repositories available:
+        0f9185ea-8462-4230-8cae-462a1ad0df36 -- anarcat@angela:~/mp3
+        22921df6-ff75-491c-b5d9-5a2aab33a689 -- anarcat@marcos:/media/anarcat/79884590-6445-4a6f-ae12-050b9a7c1912/mp3
+        3f6d8082-6f4b-4faa-a3d9-bd5db1891077 -- anarcat@lab-sc.no-ip.org:mp3
+        4249a4ea-343a-43a8-9bba-457d2ff87c7d -- rachel@topcrapn:~/Musique/MUSIC/anarcat
+        487dda55-d164-4bf1-9d85-66caaa9c0743 -- 300GB hard drive labeled VHS
+        b7802161-c984-4c9f-8d05-787a29c41cfe -- anarcat@marcos:/srv/mp3 [origin]
+        c2ca4a13-9a5f-461b-a44b-53255ed3e2f9 -- anarcat@desktop008:/srv/musique/anarcat/mp3
+        f867da6f-78cb-49be-a0db-d1c8e5f53664 -- n900
+        f8818d12-9882-4ca5-bc0f-04e987888a8d -- anarcat@marcos:/media/anarcat/green_crypt/mp3/
+failed
+git-annex: get: 1 failed
+
+# End of transcript or log.
+"""]]
+
+### Have you had any luck using git-annex before? (Sometimes we get tired of reading bug reports all day and a lil' positive end note does wonders)
+
+I seem to recall I had that working in the past, and I feel I am probably doing something stupidly wrong, but here I am. Sorry about that, I'll be sure to fix the documentation more clearly (esp. in the [[git-annex-shell]] manpage when I figure it out! --[[anarcat]]