git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"

git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"

[Paul Sokolovsky]

Hello,

We recently upgraded to git 2.2.1 from 2.1.x and faced issue with
accessing repositories over dump HTTP protocol. In our setting,
repositories are managed by Gerrit, so owned by Gerrit daemon user,
but we also offer anon access via smart and dumb HTTP protocols. For the
latter, we of course rely on "git update-server-info" being run.

So, after the upgrade, users started to report that accessing
info/refs file of a repo, as required for HTTP dump protocol, leads to
403 Forbidden HTTP error. We traced that to 0600 filesystem permissions
for such files (for objects/info/packs too) (owner is gerrit user, to
remind). After resetting permissions to 0644, they get back to 0600
after some time (we have a cronjob in addition to a hook to run "git
update-server-info"). umask is permissive when running cronjob (0002).


I traced the issue to:
https://github.com/git/git/commit/d38379ece9216735ecc0ffd76c4c4e3da217daec

It says: "Let's instead switch to using a unique tempfile via mkstemp."
Reading man mkstemp: "The  file  is  created  with permissions 0600".
So, that's it. The patch above contains call to adjust_shared_perm(),
but apparently it doesn't promote restrictive msktemp permissions to
something more accessible.

Hope this issue can be addressed.


Thanks,
Paul

Linaro.org | Open source software for ARM SoCs
Follow Linaro: http://www.facebook.com/pages/Linaro
http://twitter.com/#!/linaroorg - http://www.linaro.org/linaro-blog

Re: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"

[Torsten Bögershausen]

On 2015-01-05 20.07, Paul Sokolovsky wrote:
> Hello,
> 
> We recently upgraded to git 2.2.1 from 2.1.x and faced issue with
> accessing repositories over dump HTTP protocol. In our setting,
> repositories are managed by Gerrit, so owned by Gerrit daemon user,
> but we also offer anon access via smart and dumb HTTP protocols. For the
> latter, we of course rely on "git update-server-info" being run.
> 
> So, after the upgrade, users started to report that accessing
> info/refs file of a repo, as required for HTTP dump protocol, leads to
> 403 Forbidden HTTP error. We traced that to 0600 filesystem permissions
> for such files (for objects/info/packs too) (owner is gerrit user, to
> remind). After resetting permissions to 0644, they get back to 0600
> after some time (we have a cronjob in addition to a hook to run "git
> update-server-info"). umask is permissive when running cronjob (0002).
> 
> 
> I traced the issue to:
> https://github.com/git/git/commit/d38379ece9216735ecc0ffd76c4c4e3da217daec
> 
> It says: "Let's instead switch to using a unique tempfile via mkstemp."
> Reading man mkstemp: "The  file  is  created  with permissions 0600".
> So, that's it. The patch above contains call to adjust_shared_perm(),
> but apparently it doesn't promote restrictive msktemp permissions to
> something more accessible.
> 
> Hope this issue can be addressed.
> 
> 
> Thanks,
> Paul
Does 
git config core.sharedRepository 0644 
help?

Unless the the repo is configured as shared, 
adjust_shared_perm() will not widen the access bits:

http://git-htmldocs.googlecode.com/git/git-config.html

Re: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"

[Jeff King]

On Mon, Jan 05, 2015 at 09:07:24PM +0200, Paul Sokolovsky wrote:

> So, after the upgrade, users started to report that accessing
> info/refs file of a repo, as required for HTTP dump protocol, leads to
> 403 Forbidden HTTP error. We traced that to 0600 filesystem permissions
> for such files (for objects/info/packs too) (owner is gerrit user, to
> remind). After resetting permissions to 0644, they get back to 0600
> after some time (we have a cronjob in addition to a hook to run "git
> update-server-info"). umask is permissive when running cronjob (0002).
> 
> I traced the issue to:
> https://github.com/git/git/commit/d38379ece9216735ecc0ffd76c4c4e3da217daec

Yeah, I didn't consider the mode impact of using mkstemp. That is
definitely a regression that should be fixed. Though of course if you
really do want 0644, you should set your umask to 0022. :)

> It says: "Let's instead switch to using a unique tempfile via mkstemp."
> Reading man mkstemp: "The  file  is  created  with permissions 0600".
> So, that's it. The patch above contains call to adjust_shared_perm(),
> but apparently it doesn't promote restrictive msktemp permissions to
> something more accessible.

If you haven't set core.sharedrepository, then adjust_shared_perm is a
noop. But you shouldn't have to do that. Git should just respect your
umask in this case.

> Hope this issue can be addressed.

Patches to follow. Thanks for the report.

  [1/2]: t1301: set umask in reflog sharedrepository=group test
  [2/2]: update-server-info: create info/* with mode 0666

-Peff

[PATCH 1/2] t1301: set umask in reflog sharedrepository=group test

[Jeff King]

The t1301 script sets the umask globally before many of the
tests. Most of the tests that care about the umask then set
it explicitly at the start of the test. However, one test
does not, and relies on the 077 umask setting from earlier
tests. This is fragile and can break if another test is
added in between. Let's be more explicit.

Signed-off-by: Jeff King <peff@peff.net>
---
I suspect the world would be a better place if t1301 did all of its
umask setting in subshells, as it may also affect things like writing
out the test results. But nobody has complained, so I'm not inclined to
spend a lot of time futzing with it.

This is enough to protect the test I'm about to add in the next patch,
so it's not worse than the status quo.

 t/t1301-shared-repo.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/t/t1301-shared-repo.sh b/t/t1301-shared-repo.sh
index de42d21..86ed901 100755
--- a/t/t1301-shared-repo.sh
+++ b/t/t1301-shared-repo.sh
@@ -112,6 +112,7 @@ do
 done
 
 test_expect_success POSIXPERM 'git reflog expire honors core.sharedRepository' '
+	umask 077 &&
 	git config core.sharedRepository group &&
 	git reflog expire --all &&
 	actual="$(ls -l .git/logs/refs/heads/master)" &&
-- 
2.2.1.425.g441bb3c

[PATCH 2/2] update-server-info: create info/* with mode 0666

[Jeff King]

Prior to d38379e (make update-server-info more robust,
2014-09-13), we used a straight "fopen" to create the
info/refs and objects/info/packs files, which creates the
file using mode 0666 (less the default umask).

In d38379e, we switched to creating the file with mkstemp
to get a unique filename. But mkstemp also uses the more
restrictive 0600 mode to create the file. This was an
unintended side effect that we did not want, and causes
problems when the repository is served by a different user
than the one running update-server-info (it is no longer
readable by a dumb http server running as `www`, for
example).

We can fix this by using git_mkstemp_mode and specifying
0666.  Note that we could also say "just use
core.sharedrepository", as we do call adjust_shared_perm
on the result before renaming it into place.  But that is
not very friendly. The shared-repo config is usually about
making things _writable_ for other users. Until d38379e,
there was no explicit config needed to serve an otherwise
readable repository, and we should consider it a
regression.

Signed-off-by: Jeff King <peff@peff.net>
---
 server-info.c          |  2 +-
 t/t1301-shared-repo.sh | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/server-info.c b/server-info.c
index 31f4a74..34b0253 100644
--- a/server-info.c
+++ b/server-info.c
@@ -17,7 +17,7 @@ static int update_info_file(char *path, int (*generate)(FILE *))
 	FILE *fp = NULL;
 
 	safe_create_leading_directories(path);
-	fd = mkstemp(tmp);
+	fd = git_mkstemp_mode(tmp, 0666);
 	if (fd < 0)
 		goto out;
 	fp = fdopen(fd, "w");
diff --git a/t/t1301-shared-repo.sh b/t/t1301-shared-repo.sh
index 86ed901..feff55e 100755
--- a/t/t1301-shared-repo.sh
+++ b/t/t1301-shared-repo.sh
@@ -111,6 +111,16 @@ do
 
 done
 
+test_expect_success POSIXPERM 'info/refs is readable in unshared repo' '
+	rm -f .git/info/refs &&
+	test_unconfig core.sharedrepository &&
+	umask 002 &&
+	git update-server-info &&
+	echo "-rw-rw-r--" >expect &&
+	modebits .git/info/refs >actual &&
+	test_cmp expect actual
+'
+
 test_expect_success POSIXPERM 'git reflog expire honors core.sharedRepository' '
 	umask 077 &&
 	git config core.sharedRepository group &&
-- 
2.2.1.425.g441bb3c

Re: [PATCH 2/2] update-server-info: create info/* with mode 0666

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> +test_expect_success POSIXPERM 'info/refs is readable in unshared repo' '
> +	rm -f .git/info/refs &&
> +	test_unconfig core.sharedrepository &&
> +	umask 002 &&
> +	git update-server-info &&
> +	echo "-rw-rw-r--" >expect &&
> +	modebits .git/info/refs >actual &&
> +	test_cmp expect actual
> +'

Hmm, the label and the test look somewhat out-of-sync.  "readable as
long as umask allows it" would be more in line with what the fix is
about (i.e. I would expect a test with that title to pass even if I
changed 'umask 002' to 'umask 007', but that is not what we want in
this series).



>  test_expect_success POSIXPERM 'git reflog expire honors core.sharedRepository' '
>  	umask 077 &&
>  	git config core.sharedRepository group &&

Re: [PATCH 2/2] update-server-info: create info/* with mode 0666

[Jeff King]

On Tue, Jan 06, 2015 at 10:47:01AM -0800, Junio C Hamano wrote:

> Jeff King <peff@peff.net> writes:
> 
> > +test_expect_success POSIXPERM 'info/refs is readable in unshared repo' '
> > +	rm -f .git/info/refs &&
> > +	test_unconfig core.sharedrepository &&
> > +	umask 002 &&
> > +	git update-server-info &&
> > +	echo "-rw-rw-r--" >expect &&
> > +	modebits .git/info/refs >actual &&
> > +	test_cmp expect actual
> > +'
> 
> Hmm, the label and the test look somewhat out-of-sync.  "readable as
> long as umask allows it" would be more in line with what the fix is
> about (i.e. I would expect a test with that title to pass even if I
> changed 'umask 002' to 'umask 007', but that is not what we want in
> this series).

That is definitely not what the series means to accomplish. I think
naming the test "info/refs respects umask in unshared repo" is probably
a better title for the test.

-Peff

Re: [PATCH 2/2] update-server-info: create info/* with mode 0666

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> On Tue, Jan 06, 2015 at 10:47:01AM -0800, Junio C Hamano wrote:
>
>> Jeff King <peff@peff.net> writes:
>> 
>> > +test_expect_success POSIXPERM 'info/refs is readable in unshared repo' '
>> > +	rm -f .git/info/refs &&
>> > +	test_unconfig core.sharedrepository &&
>> > +	umask 002 &&
>> > +	git update-server-info &&
>> > +	echo "-rw-rw-r--" >expect &&
>> > +	modebits .git/info/refs >actual &&
>> > +	test_cmp expect actual
>> > +'
>> 
>> Hmm, the label and the test look somewhat out-of-sync.  "readable as
>> long as umask allows it" would be more in line with what the fix is
>> about (i.e. I would expect a test with that title to pass even if I
>> changed 'umask 002' to 'umask 007', but that is not what we want in
>> this series).
>
> That is definitely not what the series means to accomplish. I think
> naming the test "info/refs respects umask in unshared repo" is probably
> a better title for the test.

Thanks for sanity-checking me (I am still somewhat feverish and not
performing at 100% level).  Here is what I have locally (but haven't
got around to today's integration cycle yet) on top.

Subject: [PATCH] SQUASH???

---
 t/t1301-shared-repo.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/t/t1301-shared-repo.sh b/t/t1301-shared-repo.sh
index feff55e..d5eacb0 100755
--- a/t/t1301-shared-repo.sh
+++ b/t/t1301-shared-repo.sh
@@ -111,7 +111,7 @@ do
 
 done
 
-test_expect_success POSIXPERM 'info/refs is readable in unshared repo' '
+test_expect_success POSIXPERM 'info/refs is created honoring the umask' '
 	rm -f .git/info/refs &&
 	test_unconfig core.sharedrepository &&
 	umask 002 &&
-- 
2.2.1-349-g24d7964

Re: [PATCH 2/2] update-server-info: create info/* with mode 0666

[Jeff King]

On Tue, Jan 06, 2015 at 01:43:33PM -0800, Junio C Hamano wrote:

> > That is definitely not what the series means to accomplish. I think
> > naming the test "info/refs respects umask in unshared repo" is probably
> > a better title for the test.
> 
> Thanks for sanity-checking me (I am still somewhat feverish and not
> performing at 100% level).  Here is what I have locally (but haven't
> got around to today's integration cycle yet) on top.

Yeah, that looks fine. Do you think we need an update to the explanation
in the commit message, or does it make sense in light of the
discussion we've had?

-Peff

Re: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> Yeah, I didn't consider the mode impact of using mkstemp. That is
> definitely a regression that should be fixed. Though of course if you
> really do want 0644, you should set your umask to 0022. :)
> ...
> If you haven't set core.sharedrepository, then adjust_shared_perm is a
> noop. But you shouldn't have to do that. Git should just respect your
> umask in this case.

Thanks for a nicely done patch series, but I am not sure if I agree
with the analysis and its conclusion.

If adjust_shared_perm is a no-op, how do we ensure that other files
that need to be served by a dumb HTTP server are readable by it?  Is
it because we just happen not to use mkstemp() to create them (and
also is it because the pushers do not have umask 007 or stronger to
prevent files from being read by the HTTP server user)?

Is our goal here to give the users this statement?

    For shared repository served by dumb HTTP and written by users
    who are different from the user that runs the HTTP server, you
    need to do nothing special.

If that is the case, shouldn't the rule be something a lot looser
than "we should just respect your umask"?  To satisify the above
goal, shouldn't we somehow make it readable by the HTTP user even
when some pusher has a draconian 0077 umask?  But that, while still
complying to the promise of "nothing special", would imply we would
have to make everything readable everywhere, whish is an unachievable
goal.  We need to somehow be able to say "this repository should be
readable by these people" per-repository basis.

And we have a mechanism exactly designed to do so to defeat
draconian umask individual users have.

It feels to me that the old set-up were "working" by accident, not
by design (I may be mistaken--so correct me if that were the case).
And if that is the case, I do not think it is a good idea to try to
hide the broken configuration under the rug longer.  "As long as
everybody writes world-readable files, you do not have to do
anything" will break when the next person with 0xx7 umask setting
pushes, no?

Re: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"

[Paul Sokolovsky]

Hello,

On Tue, 06 Jan 2015 02:08:16 -0800
Junio C Hamano <gitster@pobox.com> wrote:

> Jeff King <peff@peff.net> writes:
> 
> > Yeah, I didn't consider the mode impact of using mkstemp. That is
> > definitely a regression that should be fixed. Though of course if
> > you really do want 0644, you should set your umask to 0022. :)
> > ...
> > If you haven't set core.sharedrepository, then adjust_shared_perm
> > is a noop. But you shouldn't have to do that. Git should just
> > respect your umask in this case.
> 
> Thanks for a nicely done patch series, but I am not sure if I agree
> with the analysis and its conclusion.
> 
> If adjust_shared_perm is a no-op, how do we ensure that other files
> that need to be served by a dumb HTTP server are readable by it?

Just don't make it unreadable on purpose (or by mistake) by git. The
rest is taken care by OS.

>   Is
> it because we just happen not to use mkstemp() to create them (and
> also is it because the pushers do not have umask 007 or stronger to
> prevent files from being read by the HTTP server user)?
> 
> Is our goal here to give the users this statement?
> 
>     For shared repository served by dumb HTTP and written by users
>     who are different from the user that runs the HTTP server, you
>     need to do nothing special.
>
> If that is the case, shouldn't the rule be something a lot looser
> than "we should just respect your umask"?  To satisify the above
> goal, shouldn't we somehow make it readable by the HTTP user even
> when some pusher has a draconian 0077 umask?

I would dread such solution. umask is well-known Unix device to control
permissions of created files. If someone sets it to 0077, they want
new files be not accessible by anyone but their owner, period. It
doesn't make sense to work that around. Or at least, it's different
issue from the reported here.

>  But that, while still
> complying to the promise of "nothing special", would imply we would
> have to make everything readable everywhere, whish is an unachievable
> goal.  We need to somehow be able to say "this repository should be
> readable by these people" per-repository basis.
> 
> And we have a mechanism exactly designed to do so to defeat
> draconian umask individual users have.

I'm not sure I understand how this "draconian umask" got into picture
here at all. The original report was "with liberal umask, there're
draconian file permissions". Jeff's patch fixes exactly it. Transposing
"draconian" into "umask" position make it completely different
problem.

> 
> It feels to me that the old set-up were "working" by accident, not
> by design (I may be mistaken--so correct me if that were the case).

If you mean our setup, I don't see anything wrong with it: we installed
git and apache from our distro, we installed Gerrit from the official
site, we made a cronjob to be run from gerrit user (as the owner of
repositories). Everything worked, as expected. Upgrading to git 2.2.1
broke it, because umask was not followed. What can be wrong here except
not following umask?

> And if that is the case, I do not think it is a good idea to try to
> hide the broken configuration under the rug longer.  "As long as
> everybody writes world-readable files, you do not have to do
> anything" will break when the next person with 0xx7 umask setting
> pushes, no?



Thanks,
Paul

Linaro.org | Open source software for ARM SoCs
Follow Linaro: http://www.facebook.com/pages/Linaro
http://twitter.com/#!/linaroorg - http://www.linaro.org/linaro-blog

Re: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"

[Junio C Hamano]

Junio C Hamano <gitster@pobox.com> writes:

> Jeff King <peff@peff.net> writes:
>
>> Yeah, I didn't consider the mode impact of using mkstemp. That is
>> definitely a regression that should be fixed. Though of course if you
>> really do want 0644, you should set your umask to 0022. :)
>> ...
>> If you haven't set core.sharedrepository, then adjust_shared_perm is a
>> noop. But you shouldn't have to do that. Git should just respect your
>> umask in this case.
>
> Thanks for a nicely done patch series, but I am not sure if I agree
> with the analysis and its conclusion.
>
> If adjust_shared_perm is a no-op, how do we ensure that other files
> that need to be served by a dumb HTTP server are readable by it?  Is
> it because we just happen not to use mkstemp() to create them (and
> also is it because the pushers do not have umask 007 or stronger to
> prevent files from being read by the HTTP server user)?
>
> Is our goal here to give the users this statement?
>
>     For shared repository served by dumb HTTP and written by users
>     who are different from the user that runs the HTTP server, you
>     need to do nothing special.
>
> If that is the case, shouldn't the rule be something a lot looser
> than "we should just respect your umask"?  To satisify the above
> goal, shouldn't we somehow make it readable by the HTTP user even
> when some pusher has a draconian 0077 umask?  But that, while still
> complying to the promise of "nothing special", would imply we would
> have to make everything readable everywhere, whish is an unachievable
> goal.  We need to somehow be able to say "this repository should be
> readable by these people" per-repository basis.
>
> And we have a mechanism exactly designed to do so to defeat
> draconian umask individual users have.
>
> It feels to me that the old set-up were "working" by accident, not
> by design (I may be mistaken--so correct me if that were the case).
> And if that is the case, I do not think it is a good idea to try to
> hide the broken configuration under the rug longer.  "As long as
> everybody writes world-readable files, you do not have to do
> anything" will break when the next person with 0xx7 umask setting
> pushes, no?

Having said all that, I agree that the patch series does the right
thing in that it stops us from tightening without being told.  It's
just that the change is not a general solution for "you shouldn't
have to set core.sharedrepository even when people with different
umask settings push into the same repo".

Re: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"

[Jeff King]

On Tue, Jan 06, 2015 at 02:08:16AM -0800, Junio C Hamano wrote:

> Jeff King <peff@peff.net> writes:
> 
> > Yeah, I didn't consider the mode impact of using mkstemp. That is
> > definitely a regression that should be fixed. Though of course if you
> > really do want 0644, you should set your umask to 0022. :)
> > ...
> > If you haven't set core.sharedrepository, then adjust_shared_perm is a
> > noop. But you shouldn't have to do that. Git should just respect your
> > umask in this case.
> 
> Thanks for a nicely done patch series, but I am not sure if I agree
> with the analysis and its conclusion.
> 
> If adjust_shared_perm is a no-op, how do we ensure that other files
> that need to be served by a dumb HTTP server are readable by it?  Is
> it because we just happen not to use mkstemp() to create them (and
> also is it because the pushers do not have umask 007 or stronger to
> prevent files from being read by the HTTP server user)?

I think there are two things at play here.

One is that we accidentally tightened the permissions on the info/*
files, and that is a regression that should be fixed regardless. So the
patch series is doing the right thing, even if the commit message is up
for debate. And I think you agree with that, from what you've written.

As for "should it work", I would tend to say yes. As long as "work" is
"respect your umask". Git has no reason to do anything other than "0666
& umask"[1] when creating new files. The umask is the traditional way to
configure the permissions on files you create, and git should follow it,
unless it happens to know a particular file is sensitive (and I cannot
really think of any that are, aside from a few related to credential
storage).

So if you do not have "0004" in your umask, everything git creates should
be world-readable, and other users should be able to access it.

Grepping around, there are a few other calls to mkstemp (and not
mkstemp_mode). But they are all for true temporary files (which will be
read by subprocesses of the current process), and not files which we
expect to live on in the repo. So I think we are mostly following that
rule already.

There are a couple spots where we use 0600 explicitly, for no good
reason (e.g., some BISECT_* files, which I guess might be left in the
filesystem for later processes to read).

[1] We actually use 0444 for object and packfile creation, but I think
    that still follows the same line of reasoning.

> Is our goal here to give the users this statement?
> 
>     For shared repository served by dumb HTTP and written by users
>     who are different from the user that runs the HTTP server, you
>     need to do nothing special.

No, I don't think so. We should follow the umask, and in most cases that
will just work for serving by another user (and if it _doesn't_, then
perhaps it is because the user with the draconian umask _wanted_ to
prevent other people, including the http user, from reading it).

And as you noted, if you want to override that umask, we already have
core.sharedrepository.

So maybe my commit message overstated things. And it should just say "we
should be respecting the umask, because setting a permissive umask is
enough to make dumb http work, and we broke that".

> It feels to me that the old set-up were "working" by accident, not
> by design (I may be mistaken--so correct me if that were the case).

I do not think it was consciously designed as part of git, but rather
that general good taste and fitting in with Unix traditions made it
work. We follow the umask, and the umask is typically enough to make it
work.

> And if that is the case, I do not think it is a good idea to try to
> hide the broken configuration under the rug longer.  "As long as
> everybody writes world-readable files, you do not have to do
> anything" will break when the next person with 0xx7 umask setting
> pushes, no?

Yes, but it will be the fault of the person with the 0xx7 umask. ;)

-Peff

Re: git 2.2.x: Unexpected, overstrict file permissions after "git update-server-info"

[Paul Sokolovsky]

Hello,

On Mon, 5 Jan 2015 22:47:02 -0500
Jeff King <peff@peff.net> wrote:

> On Mon, Jan 05, 2015 at 09:07:24PM +0200, Paul Sokolovsky wrote:
> 
> > So, after the upgrade, users started to report that accessing
> > info/refs file of a repo, as required for HTTP dump protocol, leads
> > to 403 Forbidden HTTP error. We traced that to 0600 filesystem
> > permissions for such files (for objects/info/packs too) (owner is
> > gerrit user, to remind). After resetting permissions to 0644, they
> > get back to 0600 after some time (we have a cronjob in addition to
> > a hook to run "git update-server-info"). umask is permissive when
> > running cronjob (0002).
> > 
> > I traced the issue to:
> > https://github.com/git/git/commit/d38379ece9216735ecc0ffd76c4c4e3da217daec
> 
> Yeah, I didn't consider the mode impact of using mkstemp. That is
> definitely a regression that should be fixed. Though of course if you
> really do want 0644, you should set your umask to 0022. :)

Well, group permissions are ok - we just need it to be world-readable,
and that's not random, but complies with hosting requirements - our
repos are public otherwise.

> > It says: "Let's instead switch to using a unique tempfile via
> > mkstemp." Reading man mkstemp: "The  file  is  created  with
> > permissions 0600". So, that's it. The patch above contains call to
> > adjust_shared_perm(), but apparently it doesn't promote restrictive
> > msktemp permissions to something more accessible.
> 
> If you haven't set core.sharedrepository, then adjust_shared_perm is a
> noop. But you shouldn't have to do that. Git should just respect your
> umask in this case.

My reference to adjust_shared_perm() was because I initially wanted to
write "apparently, it makes sense to do chmod after mkstemp()", but I
spotted that there's adjust_shared_perm() already, which does some
shuffling of permissions.

> > Hope this issue can be addressed.
> 
> Patches to follow. Thanks for the report.
> 
>   [1/2]: t1301: set umask in reflog sharedrepository=group test
>   [2/2]: update-server-info: create info/* with mode 0666

Thanks much for the prompt reply and patches!

> 
> -Peff



-- 
Best Regards,
Paul

Linaro.org | Open source software for ARM SoCs
Follow Linaro: http://www.facebook.com/pages/Linaro
http://twitter.com/#!/linaroorg - http://www.linaro.org/linaro-blog