Re: safe.directory and ACLs - brian m. carlson

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: John Soo <johh.soo@arista.com>
Cc: git@vger.kernel.org
Subject: Re: safe.directory and ACLs
Date: Wed, 2 Nov 2022 21:27:42 +0000	[thread overview]
Message-ID: <Y2LgzmTvElmRTsoe@tapette.crustytoothpaste.net> (raw)
In-Reply-To: <CAJyRyRo7oVAfLx8MONO=Y8KhLvL+tJgDTbCUezR1AFa73R5pbw@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1315 bytes --]

On 2022-11-02 at 15:18:25, John Soo wrote:
> Hello git!
> 
> We have some build processes that would like access to repos in /home
> directories that are 0700. We had done this already:
> 
> $ setfacl --recursive --modify group:<build users
> group>:r-X,default:group:<build users group>:r-X /home
> 
> Should this ACL be enough to consider the repos "owned" by the build
> users? Should *any* ACL be enough to consider the repos "owned" by the
> build users?
> 
> Currently:
> $ sudo -u <build user> git config --get safe.directory
> $ sudo -u <build user> git -C /home/<non build user>/repo rev-parse HEAD
> fatal: unsafe repository ('/home/<non build user>/repo' is owned by
> someone else)
> To add an exception for this directory, call:
> 
>         git config --global --add safe.directory /home/<non build user>

No, the permissions of a repository, whether standard Unix permissions
or ACLs, are not relevant to ownership.  The question here is whether
the owner of the .git directory (that is, the value of the `st_uid`
field when calling lstat(2) on it) is equal to the effective user ID.

When you the path in `ls`, you can see the owner and group of the file
specified, and that owner is what matters here.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 263 bytes --]

next prev parent reply	other threads:[~2022-11-02 21:28 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-02 15:18 safe.directory and ACLs John Soo
2022-11-02 21:27 ` brian m. carlson [this message]
2022-11-02 23:41   ` John Soo
2022-11-03  0:11     ` Taylor Blau
2022-11-03  0:39       ` John Soo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y2LgzmTvElmRTsoe@tapette.crustytoothpaste.net \
    --to=sandals@crustytoothpaste.net \
    --cc=git@vger.kernel.org \
    --cc=johh.soo@arista.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.