We have a git post-commit script that needs to be run with Git and Trac; when someone commits something, a hook is called that runs the command:
trac-admin /path/to/trac changeset added "reponame" $REV
Where $REV is dynamic depending on the revision of the push. The problem is that this command requires that the committing user have write permission to the trac database.
We have many users committing; they are all in a Linux group called "git". I can give rw to this group on the trac DB file (SQLite) and it works; however, then anyone in the "git" group could delete the database. It is currently owned by www-data:www-data.
I added a sudo config line of this:
%git ALL=(www-data) NOPASSWD: /usr/local/bin/trac-admin
This works and allows the script to run; however, now they have all the options that come with trac-admin. I want to limit access for this command to the arguments /path/to/trac and changeset added.
I tried adding a Cmnd_Alias with /usr/local/bin/trac-admin /path/to/trac changeset added "reponame", but it does not work because the added $REV breaks it, and that can't be added dynamically into /etc/sudoers.
Is there a way to include wildcards in a Cmnd_Alias to allow this to work in sudoers?
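One way to avoid the wildcard problem entirely (a `*` in a sudoers command argument also matches whitespace, so it would admit extra arguments after the revision) is to grant the group a fixed-argument wrapper instead of trac-admin itself. The script below is an added example, not part of the original question; it assumes the paths /usr/local/bin/trac-admin and /path/to/trac, the repository name "reponame", and an install location of /usr/local/bin/trac-changeset-added.

```shell
#!/bin/sh
# Added example: fixed-argument wrapper around trac-admin so the sudoers
# rule only has to name this one script (assumed install path below).
# Matching sudoers lines (no wildcards needed):
#   Cmnd_Alias TRAC_SYNC = /usr/local/bin/trac-changeset-added
#   %git ALL=(www-data) NOPASSWD: TRAC_SYNC
# The hook then calls:  sudo -u www-data /usr/local/bin/trac-changeset-added "$REV"

# Accept only a git object name: 7 to 40 lowercase hex characters,
# nothing else (no spaces, no leading "-", so no extra options can sneak in).
# Returns 0 if valid, 1 otherwise.
valid_rev() {
    case "$1" in
        *[!0-9a-f]*|'') return 1 ;;   # any non-hex character, or empty
    esac
    len=${#1}
    [ "$len" -ge 7 ] && [ "$len" -le 40 ]
}

# The exact command line the wrapper will run, as one string (for logging/tests).
build_cmd() {
    printf '%s' "/usr/local/bin/trac-admin /path/to/trac changeset added reponame $1"
}

main() {
    if [ "$#" -ne 1 ] || ! valid_rev "$1"; then
        echo "usage: $0 <git-revision-hex>" >&2
        exit 2
    fi
    # Every argument except the validated revision is hard-coded here.
    exec /usr/local/bin/trac-admin /path/to/trac changeset added reponame "$1"
}

# Only run main when executed under the installed name, not when sourced.
case "$0" in
    */trac-changeset-added|trac-changeset-added) main "$@" ;;
esac
```

Because the group is granted only the wrapper, a user in "git" can no longer reach any other trac-admin subcommand through sudo, and the SQLite file stays owned by www-data.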