git.vger.kernel.org archive mirror
From: Paul Sokolovsky <paul.sokolovsky@linaro.org>
To: git@vger.kernel.org, Jeff King <peff@peff.net>
Subject: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"
Date: Mon, 5 Jan 2015 21:07:24 +0200
Message-ID: <20150105210724.032e9718@x230>

Hello,

We recently upgraded to git 2.2.1 from 2.1.x and faced an issue with
accessing repositories over the dumb HTTP protocol. In our setting,
repositories are managed by Gerrit, so owned by the Gerrit daemon user,
but we also offer anon access via smart and dumb HTTP protocols. For the
latter, we of course rely on "git update-server-info" being run.

So, after the upgrade, users started to report that accessing the
info/refs file of a repo, as required for the HTTP dumb protocol, leads to
a 403 Forbidden HTTP error. We traced that to 0600 filesystem permissions
for such files (for objects/info/packs too) (owner is gerrit user, to
remind). After resetting permissions to 0644, they get back to 0600
after some time (we have a cronjob in addition to a hook to run "git
update-server-info"). umask is permissive when running the cronjob (0002).


I traced the issue to:
https://github.com/git/git/commit/d38379ece9216735ecc0ffd76c4c4e3da217daec

It says: "Let's instead switch to using a unique tempfile via mkstemp."
Reading man mkstemp: "The file is created with permissions 0600".
So, that's it. The patch above contains a call to adjust_shared_perm(),
but apparently it doesn't promote restrictive mkstemp permissions to
something more accessible.

Hope this issue can be addressed.


Thanks,
Paul

Linaro.org | Open source software for ARM SoCs
Follow Linaro: http://www.facebook.com/pages/Linaro
http://twitter.com/#!/linaroorg - http://www.linaro.org/linaro-blog
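
The behaviour reported above, as an added C illustration that is not part of the original message and not git's own code: a file created with mkstemp() keeps mode 0600 whatever the umask, and that mode survives a rename into place unless it is widened first. The function name, the /tmp paths, the rename step and the fchmod() remedy are assumptions made for this demo.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Publish a file via a unique tempfile: mkstemp(), then rename to the final
 * name (hypothetical demo names, constructed content). Returns the permission
 * bits of the published file, or -1 on error. With widen != 0 the tempfile is
 * first set to 0666 filtered through the umask, the mode a plain
 * open(..., O_CREAT, 0666) would have produced. */
int published_mode(mode_t mask, int widen)
{
    char dir[] = "/tmp/usi-demo-XXXXXX";
    char tmp[64], final[64];
    struct stat st;
    int fd, result = -1;
    mode_t old = umask(mask);

    if (!mkdtemp(dir)) {
        umask(old);
        return -1;
    }
    snprintf(tmp, sizeof(tmp), "%s/refs_XXXXXX", dir);
    snprintf(final, sizeof(final), "%s/refs", dir);
    fd = mkstemp(tmp);                /* created 0600, even with umask 0002 */
    if (fd >= 0) {
        if (write(fd, "constructed sample\n", 19) == 19 &&
            (!widen || fchmod(fd, 0666 & ~mask) == 0) &&
            rename(tmp, final) == 0 && /* rename keeps the tempfile's mode */
            stat(final, &st) == 0)
            result = st.st_mode & 0777;
        close(fd);
        unlink(tmp);                  /* no-op if the rename succeeded */
        unlink(final);
    }
    rmdir(dir);
    umask(old);                       /* restore the caller's umask */
    return result;
}

int main(void)
{
    printf("umask 0002, mkstemp only: %04o\n", published_mode(0002, 0));
    printf("umask 0002, mode widened: %04o\n", published_mode(0002, 1));
    return 0;
}
```

A web server running as a different user can read the second file but not the first, which matches the 403 on info/refs described in the message.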
