safe.directory and ACLs

safe.directory and ACLs

[John Soo]

Hello git!

We have some build processes that would like access to repos in /home
directories that are 0700. We had done this already:

$ setfacl --recursive --modify group:<build users
group>:r-X,default:group:<build users group>:r-X /home

Should this ACL be enough to consider the repos "owned" by the build
users? Should *any* ACL be enough to consider the repos "owned" by the
build users?

Currently:
$ sudo -u <build user> git config --get safe.directory
$ sudo -u <build user> git -C /home/<non build user>/repo rev-parse HEAD
fatal: unsafe repository ('/home/<non build user>/repo' is owned by
someone else)
To add an exception for this directory, call:

        git config --global --add safe.directory /home/<non build user>

Kindly,

John Soo

Re: safe.directory and ACLs

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 1315 bytes --]

On 2022-11-02 at 15:18:25, John Soo wrote:
> Hello git!
> 
> We have some build processes that would like access to repos in /home
> directories that are 0700. We had done this already:
> 
> $ setfacl --recursive --modify group:<build users
> group>:r-X,default:group:<build users group>:r-X /home
> 
> Should this ACL be enough to consider the repos "owned" by the build
> users? Should *any* ACL be enough to consider the repos "owned" by the
> build users?
> 
> Currently:
> $ sudo -u <build user> git config --get safe.directory
> $ sudo -u <build user> git -C /home/<non build user>/repo rev-parse HEAD
> fatal: unsafe repository ('/home/<non build user>/repo' is owned by
> someone else)
> To add an exception for this directory, call:
> 
>         git config --global --add safe.directory /home/<non build user>

No, the permissions of a repository, whether standard Unix permissions
or ACLs, are not relevant to ownership.  The question here is whether
the owner of the .git directory (that is, the value of the `st_uid`
field when calling lstat(2) on it) is equal to the effective user ID.

When you the path in `ls`, you can see the owner and group of the file
specified, and that owner is what matters here.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 263 bytes --]

Re: safe.directory and ACLs

[John Soo]

Hi brian!

> No, the permissions of a repository, whether standard Unix permissions
> or ACLs, are not relevant to ownership.  The question here is whether
> the owner of the .git directory (that is, the value of the `st_uid`
> field when calling lstat(2) on it) is equal to the effective user ID.
>
> When you the path in `ls`, you can see the owner and group of the file
> specified, and that owner is what matters here.

I see. Is that by design or an implementation detail?

Kindly,

John

Re: safe.directory and ACLs

[Taylor Blau]

On Wed, Nov 02, 2022 at 04:41:15PM -0700, John Soo wrote:
> Hi brian!
>
> > No, the permissions of a repository, whether standard Unix permissions
> > or ACLs, are not relevant to ownership.  The question here is whether
> > the owner of the .git directory (that is, the value of the `st_uid`
> > field when calling lstat(2) on it) is equal to the effective user ID.
> >
> > When you the path in `ls`, you can see the owner and group of the file
> > specified, and that owner is what matters here.
>
> I see. Is that by design or an implementation detail?

It is by design. See 8959555cee7 (setup_git_directory(): add an owner
check for the top-level directory, 2022-03-02) for details.

Thanks,
Taylor

Re: safe.directory and ACLs

[John Soo]

Thank you!

Got it!

Kindly,

John