From: "Torsten Bögershausen" <tboegi@web.de>
To: Paul Sokolovsky <paul.sokolovsky@linaro.org>,
git@vger.kernel.org, Jeff King <peff@peff.net>
Subject: Re: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"
Date: Mon, 05 Jan 2015 23:23:12 +0100
Message-ID: <54AB0ED0.3000400@web.de>
In-Reply-To: <20150105210724.032e9718@x230>

On 2015-01-05 20.07, Paul Sokolovsky wrote:
> Hello,
>
> We recently upgraded to git 2.2.1 from 2.1.x and faced an issue with
> accessing repositories over dumb HTTP protocol. In our setting,
> repositories are managed by Gerrit, so owned by Gerrit daemon user,
> but we also offer anon access via smart and dumb HTTP protocols. For the
> latter, we of course rely on "git update-server-info" being run.
>
> So, after the upgrade, users started to report that accessing
> info/refs file of a repo, as required for HTTP dumb protocol, leads to
> 403 Forbidden HTTP error. We traced that to 0600 filesystem permissions
> for such files (for objects/info/packs too) (owner is gerrit user, to
> remind). After resetting permissions to 0644, they get back to 0600
> after some time (we have a cronjob in addition to a hook to run "git
> update-server-info"). umask is permissive when running cronjob (0002).
>
>
> I traced the issue to:
> https://github.com/git/git/commit/d38379ece9216735ecc0ffd76c4c4e3da217daec
>
> It says: "Let's instead switch to using a unique tempfile via mkstemp."
> Reading man mkstemp: "The file is created with permissions 0600".
> So, that's it. The patch above contains a call to adjust_shared_perm(),
> but apparently it doesn't promote restrictive mkstemp permissions to
> something more accessible.
>
> Hope this issue can be addressed.
>
>
> Thanks,
> Paul

Does

    git config core.sharedRepository 0644

help?

Unless the repo is configured as shared,
adjust_shared_perm() will not widen the access bits:
http://git-htmldocs.googlecode.com/git/git-config.html
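
The behaviour discussed in this thread, as an added example that is not git's code and not written by either poster: a file written through mkstemp() and renamed into place stays 0600 under umask 0002 unless its mode is reset explicitly. The names replace_via_mkstemp and demo_mode, the scratch path, and the 0666 & ~umask reset are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, mkdtemp, fchmod */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper: replace `path` via a mkstemp() tempfile beside it. With
 * widen != 0, reset the mode to 0666 & ~umask first. Returns mode bits or -1. */
int replace_via_mkstemp(const char *path, const char *data, int widen)
{
    char tmp[4096];
    struct stat st;
    size_t len = strlen(data);
    mode_t um = umask(0);   /* umask() can only set-and-return ... */
    int fd, ok;
    umask(um);              /* ... so restore it immediately */
    if (snprintf(tmp, sizeof(tmp), "%s_XXXXXX", path) >= (int)sizeof(tmp) ||
        (fd = mkstemp(tmp)) < 0)   /* created 0600; umask cannot widen it */
        return -1;
    ok = write(fd, data, len) == (ssize_t)len &&
         (!widen || fchmod(fd, 0666 & ~um) == 0);
    ok = (close(fd) == 0) && ok;
    if (!ok || rename(tmp, path) < 0 || stat(path, &st) < 0) {
        unlink(tmp);
        return -1;
    }
    return (int)(st.st_mode & 0777);
}

/* Scratch-directory run under umask 0002 (the cron job's umask); constructed data. */
int demo_mode(int widen)
{
    char dir[] = "/tmp/usi_demo_XXXXXX", path[64];
    mode_t old = umask(0002);
    int mode = -1;
    if (mkdtemp(dir)) {
        snprintf(path, sizeof(path), "%s/refs", dir);
        mode = replace_via_mkstemp(path, "constructed sample\n", widen);
        unlink(path);
        rmdir(dir);
    }
    umask(old);
    return mode;
}

int main(void)
{
    printf("%04o %04o\n", (unsigned)demo_mode(0), (unsigned)demo_mode(1));
}
```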