--- a/src/hg-ssh	Fri Nov 13 14:58:55 2009 +0000
+++ b/src/hg-ssh	Fri Nov 13 16:39:34 2009 +0000
@@ -67,7 +67,7 @@
     checkParents(repo)
     return repo
 
-config.setExePath()
+config.initExe()
 
 if len(sys.argv) == 3 and sys.argv[1] == "--base64":
     ruleset.rules.set(user = base64.b64decode(sys.argv[2]))

--- a/src/mercurialserver/config.py	Fri Nov 13 14:58:55 2009 +0000
+++ b/src/mercurialserver/config.py	Fri Nov 13 16:39:34 2009 +0000
@@ -1,7 +1,9 @@
 # Copyright 2008-2009 LShift Ltd
 
 import sys
+import os
 import os.path
+import pwd
 import ConfigParser
 
 globalconfig = None
@@ -36,9 +38,11 @@
 def getEnv(): return _getConf().items("env")
 
 # Work out where we are, don't use config.
-def setExePath():
+def initExe():
     global _exePath
     _exePath = os.path.dirname(os.path.abspath(sys.argv[0]))
+    # Fix $HOME in case of "sudo -u hg refresh-auth"
+    os.environ['HOME'] = pwd.getpwuid(os.geteuid()).pw_dir
 
 def getExePath():
     return _exePath

--- a/src/refresh-auth	Fri Nov 13 14:58:55 2009 +0000
+++ b/src/refresh-auth	Fri Nov 13 16:39:34 2009 +0000
@@ -14,11 +14,12 @@
     sys.stderr.write("refresh-auth: must be called with no arguments (%s)\n" % sys.argv)
     sys.exit(-1)
 
+config.initExe()
+
 # To protect the authorized_keys file for innocent users, you have to have
 # a ~/.mercurial-server file to run this.
 if not config.configExists():
     print >>sys.stderr, "Must be run as the 'hg' user"
     sys.exit(-1)
 
-config.setExePath()
 refreshauth.refreshAuth()