From: Jeff King <peff@peff.net>
To: Paul Sokolovsky <paul.sokolovsky@linaro.org>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"
Date: Mon, 5 Jan 2015 22:47:02 -0500
Message-ID: <20150106034702.GA11503@peff.net>
In-Reply-To: <20150105210724.032e9718@x230>

On Mon, Jan 05, 2015 at 09:07:24PM +0200, Paul Sokolovsky wrote:
> So, after the upgrade, users started to report that accessing
> info/refs file of a repo, as required for HTTP dumb protocol, leads to
> 403 Forbidden HTTP error. We traced that to 0600 filesystem permissions
> for such files (for objects/info/packs too) (owner is gerrit user, to
> remind). After resetting permissions to 0644, they get back to 0600
> after some time (we have a cronjob in addition to a hook to run "git
> update-server-info"). umask is permissive when running cronjob (0002).
>
> I traced the issue to:
> https://github.com/git/git/commit/d38379ece9216735ecc0ffd76c4c4e3da217daec

Yeah, I didn't consider the mode impact of using mkstemp. That is
definitely a regression that should be fixed. Though of course if you
really do want 0644, you should set your umask to 0022. :)

> It says: "Let's instead switch to using a unique tempfile via mkstemp."
> Reading man mkstemp: "The file is created with permissions 0600".
> So, that's it. The patch above contains call to adjust_shared_perm(),
> but apparently it doesn't promote restrictive mkstemp permissions to
> something more accessible.

If you haven't set core.sharedrepository, then adjust_shared_perm is a
noop. But you shouldn't have to do that. Git should just respect your
umask in this case.

> Hope this issue can be addressed.

Patches to follow. Thanks for the report.

  [1/2]: t1301: set umask in reflog sharedrepository=group test
  [2/2]: update-server-info: create info/* with mode 0666

-Peff