git.vger.kernel.org archive mirror
From: Johan Herland <johan@herland.net>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org
Subject: [PATCH/RFC 0/7] Restricting repository access (Was: [BUG?] How to make a shared/restricted repo?)
Date: Wed, 25 Mar 2009 22:36:02 +0100
Message-ID: <200903252236.03010.johan@herland.net>
In-Reply-To: <7v63hybaqd.fsf@gitster.siamese.dyndns.org>

On Wednesday 25 March 2009, Junio C Hamano wrote:
> Johan Herland <johan@herland.net> writes:
> > On Wednesday 25 March 2009, Junio C Hamano wrote:
> >> You might like to try a patch like this (untested).
> >>
> >>  path.c |   17 +++++------------
> >>  1 files changed, 5 insertions(+), 12 deletions(-)
> >
> > Thanks!
> >
> > This works much better :)
> >
> > However, there are still some questions/issues:
> >
> > - t1301-shared-repo.sh fails:
> >     Oops, .git/HEAD is not 0664 but -rw-rw---- [...]
> >     * FAIL 3: shared=1 does not clear bits preset by umask 022
> >   (I guess this is expected, as your patch changes the assumptions)
>
> I'd rather say the patch breaks people's expectations.

I thought some more about the current semantics, and came up with this
patch series, which replaces your original suggestion.

In short, I leave the core.sharedRepository semantics as is (i.e. it is
only used to _loosen_ repository permissions), and introduce a new
variable - core.restrictedRepository - that takes care of _tightening_
repository permissions. Its value is a permission mask that is applied
to the file mode in adjust_shared_perm().

The patch series is based on recent 'next', and the testsuite passes
after each individual patch.

Here is a short rundown of the individual patches:

1. Clarify existing documentation to reflect the current semantics of
   core.sharedRepository and "git init --shared". Even if the rest of
   the series is rejected, I hope this can make it in some form.

2. Minor cleanup in path.c:adjust_shared_perm(). This is pretty much
   your original patch with any functional changes removed.

3. Introduce core.restrictedRepository. Adds git_config_perm_mask()
   for parsing the config value, and changes adjust_shared_perm() to
   apply the permission mask. Includes documentation of the new config
   variable.

4. Add "--restricted" to "git init". Heavily modeled on the existing
   "--shared" option. Includes documentation of the new option.

5. Add tests for the functionality introduced in #3 and #4.

6. Apply adjusted repository permissions in "git init" when copying
   templates into the new repo.

7. Apply restricted permissions to loose objects and pack files. This
   ensures that loose objects and pack files do not get permissions
   that are more liberal than the rest of the repository.


Have fun!

...Johan


Johan Herland (7):
  Clarify documentation on permissions in shared repositories
  Cleanup: Remove unnecessary if-else clause
  Introduce core.restrictedRepository for restricting repository
    permissions
  git-init: Introduce --restricted for restricting repository access
  Add tests for "core.restrictedRepository" and "git init --restricted"
  git-init: Apply correct mode bits to template files in
    shared/restricted repo
  Apply restricted permissions to loose objects and pack files

 Documentation/config.txt   |   41 ++++++++++++-
 Documentation/git-init.txt |   50 +++++++++++++++--
 builtin-init-db.c          |   31 +++++++++-
 cache.h                    |    8 +++
 environment.c              |    1 +
 fast-import.c              |    4 +-
 http-push.c                |    2 +-
 http-walker.c              |    2 +-
 index-pack.c               |    4 +-
 path.c                     |   22 +++----
 setup.c                    |   36 ++++++++++++
 sha1_file.c                |    2 +-
 t/t0001-init.sh            |   24 +++++++-
 t/t1304-restricted-repo.sh |  132 ++++++++++++++++++++++++++++++++++++++++++++
 14 files changed, 323 insertions(+), 36 deletions(-)
 create mode 100755 t/t1304-restricted-repo.sh
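
Added example (not part of the message above or of the patch series): a small C model of the semantics the cover letter describes, where core.sharedRepository only adds permission bits and the proposed core.restrictedRepository mask only removes them. The function name effective_mode, its parameters, and the handling of read-only files, directories and setgid are assumptions for illustration; the sample modes are constructed.

```c
#include <stdio.h>

#define PERM_BITS 0777u   /* rwx for user, group, other */
#define SETGID    02000u

/*
 * Illustrative model only, not git's path.c.
 *   mode   - permission bits the file was created with (after umask)
 *   shared - core.sharedRepository bits, e.g. 0660 for "group"
 *   mask   - proposed core.restrictedRepository mask, e.g. 0770
 */
static unsigned effective_mode(unsigned mode, int is_dir,
                               unsigned shared, unsigned mask)
{
	unsigned tweak = shared & PERM_BITS;

	if (!(mode & 0200u))
		tweak &= ~0222u;                /* do not add write bits to a read-only file */
	if (mode & 0100u)
		tweak |= (tweak & 0444u) >> 2;  /* readable implies executable/searchable */
	mode |= tweak;                          /* loosening step: bits are only added */
	if (is_dir)
		mode |= SETGID;                 /* assumed: new entries inherit the group */

	/* tightening step: rwx bits outside the mask are cleared, nothing is added */
	return (mode & ~PERM_BITS) | (mode & mask & PERM_BITS);
}

int main(void)
{
	/* Constructed cases: modes as left behind by umask 022. */
	printf("HEAD, shared=group only:        %04o\n",
	       effective_mode(0644, 0, 0660, 0777));
	printf("HEAD, shared=group + mask 0770: %04o\n",
	       effective_mode(0644, 0, 0660, 0770));
	printf("loose object 0444 + mask 0770:  %04o\n",
	       effective_mode(0444, 0, 0660, 0770));
	printf("directory 0755 + mask 0770:     %04o\n",
	       effective_mode(0755, 1, 0660, 0770));
	return 0;
}
```

The first case is the 0664 that t1301 expects when only loosening is in effect; the second is the -rw-rw---- result, which in this model requires the separate tightening mask.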
