On Thu, Sep 09, 2010 at 03:19:20PM +0100, Peter wrote:
Just remove the users= line and change groups from '*' to 'galaxy_admin', and you have a fine solution. ... Creating a trust block in your ~/.hgrc was a fine solution, just tweak it to trust as narrowly as possible and you're good to go.
Understood. Of course, any other developers/admins here will have to do the same in their ~/.hgrc but that isn't a great hardship as long as I document it.
You can do it system-wide in /etc/mercurial/hgrc if you'd like.
Oh good. Our administrator did not seem happy about making the galaxy user a login account - nice to know others are already using galaxy with a no login shell account.
Yeah, I like to think we've got a pretty locked-down galaxy environment here. I started putting together an app-armor profile but fell apart on that. When I get it done I'll post it. -- Ry4an Brase 612-626-6575 University of Minnesota Supercomputing Institute for Advanced Computational Research http://www.msi.umn.edu