From: Paul Sokolovsky <paul.sokolovsky@linaro.org>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"
Date: Tue, 6 Jan 2015 14:12:11 +0200
Message-ID: <20150106141211.2ad83df4@x230>
In-Reply-To: <20150106034702.GA11503@peff.net>

Hello,

On Mon, 5 Jan 2015 22:47:02 -0500
Jeff King <peff@peff.net> wrote:
> On Mon, Jan 05, 2015 at 09:07:24PM +0200, Paul Sokolovsky wrote:
>
> > So, after the upgrade, users started to report that accessing
> > info/refs file of a repo, as required for HTTP dumb protocol, leads
> > to 403 Forbidden HTTP error. We traced that to 0600 filesystem
> > permissions for such files (for objects/info/packs too) (owner is
> > gerrit user, to remind). After resetting permissions to 0644, they
> > get back to 0600 after some time (we have a cronjob in addition to
> > a hook to run "git update-server-info"). umask is permissive when
> > running cronjob (0002).
> >
> > I traced the issue to:
> > https://github.com/git/git/commit/d38379ece9216735ecc0ffd76c4c4e3da217daec
>
> Yeah, I didn't consider the mode impact of using mkstemp. That is
> definitely a regression that should be fixed. Though of course if you
> really do want 0644, you should set your umask to 0022. :)

Well, group permissions are ok - we just need it to be world-readable,
and that's not random, but complies with hosting requirements - our
repos are public otherwise.

> > It says: "Let's instead switch to using a unique tempfile via
> > mkstemp." Reading man mkstemp: "The file is created with
> > permissions 0600". So, that's it. The patch above contains call to
> > adjust_shared_perm(), but apparently it doesn't promote restrictive
> > mkstemp permissions to something more accessible.
>
> If you haven't set core.sharedrepository, then adjust_shared_perm is a
> noop. But you shouldn't have to do that. Git should just respect your
> umask in this case.

My reference to adjust_shared_perm() was because I initially wanted to
write "apparently, it makes sense to do chmod after mkstemp()", but I
spotted that there's adjust_shared_perm() already, which does some
shuffling of permissions.

> > Hope this issue can be addressed.
>
> Patches to follow. Thanks for the report.
>
> [1/2]: t1301: set umask in reflog sharedrepository=group test
> [2/2]: update-server-info: create info/* with mode 0666

Thanks much for the prompt reply and patches!

>
> -Peff

--
Best Regards,
Paul
Linaro.org | Open source software for ARM SoCs
Follow Linaro: http://www.facebook.com/pages/Linaro
http://twitter.com/#!/linaroorg - http://www.linaro.org/linaro-blog
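
The behaviour discussed in this message, as an added example that is not part of the original thread and is not the code from the git patches: mkstemp() creates its file with mode 0600 even under a permissive umask, and an fchmod() to 0666 & ~umask gives the mode a plain create would have produced. The /tmp path template and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Read the process umask without leaving it changed. */
static mode_t current_umask(void)
{
    mode_t m = umask(0);
    umask(m);
    return m;
}

/*
 * Create a unique temp file from tmpl (modified in place by mkstemp).
 * If respect_umask is non-zero, widen mkstemp's 0600 to 0666 & ~umask,
 * the mode a plain open(..., O_CREAT, 0666) would have produced.
 * Returns the resulting permission bits, or -1 on error.
 */
int tempfile_mode(char *tmpl, int respect_umask)
{
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* fchmod is not filtered by the umask, so apply it explicitly. */
    if (respect_umask && fchmod(fd, 0666 & ~current_umask()) < 0)
        goto fail;
    if (fstat(fd, &st) < 0)
        goto fail;
    close(fd);
    unlink(tmpl);
    return (int)(st.st_mode & 07777);
fail:
    close(fd);
    unlink(tmpl);
    return -1;
}

int main(void)
{
    char a[] = "/tmp/info_refs_XXXXXX"; /* constructed path */
    char b[] = "/tmp/info_refs_XXXXXX";
    umask(0002); /* the cron job's umask from the report */
    printf("mkstemp only:     %04o\n", (unsigned)tempfile_mode(a, 0));
    printf("mkstemp + fchmod: %04o\n", (unsigned)tempfile_mode(b, 1));
    return 0;
}
```

With the umask left as the only control, a restrictive setting such as 0077 still yields 0600, so the adjustment never grants more than the administrator configured.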