AUR_PRIVILEGED allows people with privileged AUR accounts to evade the block on non-fast-forward commits. While valid in this case, we should not do so by default, since in at least one case a TU did this without realizing there was an existing package. ( https://aur.archlinux.org/packages/rtmidi/ ) Use .ssh/config "SendEnv" on the TU's side and sshd_config "AcceptEnv" in the AUR server to specifically request privileged access. TUs should use: `export AUR_PRIVILEGED=1; git push` Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- INSTALL | 1 + aurweb/git/auth.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/INSTALL b/INSTALL index 8c9c4dd..22bbe33 100644 --- a/INSTALL +++ b/INSTALL @@ -76,6 +76,7 @@ read the instructions below. PasswordAuthentication no AuthorizedKeysCommand /usr/local/bin/aurweb-git-auth "%t" "%k" AuthorizedKeysCommandUser aur + AcceptEnv AUR_PRIVILEGED 9) If you want to enable smart HTTP support with nginx and fcgiwrap, you can use the following directives: diff --git a/aurweb/git/auth.py b/aurweb/git/auth.py index 022b0ff..9aab417 100755 --- a/aurweb/git/auth.py +++ b/aurweb/git/auth.py @@ -51,7 +51,7 @@ def main(): env_vars = { 'AUR_USER': user, - 'AUR_PRIVILEGED': '1' if account_type > 1 else '0', + 'AUR_PRIVILEGED': os.environ.get('AUR_PRIVILEGED', '0') if account_type > 1 else '0', } key = keytype + ' ' + keytext -- 2.13.3
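
Review bot: the INSTALL hunk adds `AcceptEnv AUR_PRIVILEGED` to the sshd_config block without any explanatory text, so an administrator following step 8 cannot tell what the variable controls or that it is a client opt-in. The SendEnv half and the `export AUR_PRIVILEGED=1; git push` usage appear only in the commit message. Suggest adding a sentence after the sshd_config block saying that privileged accounts must send `AUR_PRIVILEGED=1` (via `SendEnv AUR_PRIVILEGED` in their .ssh/config) to bypass the non-fast-forward block, and that without it the push is treated as unprivileged.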
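
Review bot: in the `env_vars` dict in main() of aurweb/git/auth.py, `os.environ.get('AUR_PRIVILEGED', '0')` reads the environment of the auth script itself, which is not where a client-sent variable ends up. If this script is what sshd runs as the `AuthorizedKeysCommand` shown in the INSTALL hunk, it executes during authentication, before the client's session environment requests (the ones `AcceptEnv` permits) are processed, so the lookup would normally fall back to '0' and no TU could obtain privileged access at all. Suggest leaving the account-level flag here as it was and checking the client's opt-in in the code that runs inside the session and enforces the non-fast-forward block. Separately, the client-supplied string is forwarded as-is for any account with `account_type > 1`; compare it against '1' and emit only '1' or '0', so that downstream consumers never see an arbitrary value.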