From: John Ratliff <john@technoplaza.net>
To: Jonathan Nieder <jrnieder@gmail.com>
Cc: Jeff King <peff@peff.net>, git@vger.kernel.org
Subject: Re: git credential cache and sudo
Date: Mon, 15 Mar 2021 13:24:41 -0400 [thread overview]
Message-ID: <CAP8UukjOghB7yak-tk=+YvCDkgsMt7bobfrbdiRmPpus3LaZJA@mail.gmail.com> (raw)
In-Reply-To: <YEwoyeYM7ac+6aIx@google.com>
We have a shared git repo for our production puppet environment. I
have my own environment for testing things, so my git credential cache
is already created as my user before I move things into production. My
environment is in a github fork of the production environment though,
so I don't think rsync is an option here. It's possible the directory
permissions could be ACL'd to enable us not to need sudo, but I do not
have the authority to change that myself.
I think I will try referencing the socket and see how that works.
Thanks.
--John
On Fri, Mar 12, 2021 at 9:51 PM Jonathan Nieder <jrnieder@gmail.com> wrote:
>
> Jeff King wrote:
>
> > Note that it's a little funky to be accessing the cache as a different user than
> > the one who created it. This should work reliably when the cache was created by
> > your normal user, but then accessed as root, because root has permissions to
> > access the socket. But if you spawn a cache daemon as root (because the _first_
> > operation you perform is as root, which automatically starts a daemon to store
> > the cached credential), then it's likely you won't be able to access it as your
> > regular user.
>
> I wonder if this suggests a missing feature in
> git-credential-cache(1): if the manpage advertised a way to launch the
> daemon through an explicit command, similar to 'ssh-agent', then a
> user could run that as themselves before running other commands that
> communicate with it as another user.
>
> All that said: John, why are you running git as root in the first
> place? It's likely that it's safer to run git as a different user and
> use a separate command such as rsync to perform the privileged deploy
> action.
>
> Thanks,
> Jonathan
next prev parent reply other threads:[~2021-03-15 17:25 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-12 16:43 git credential cache and sudo John Ratliff
2021-03-12 20:29 ` Jeff King
2021-03-13 2:51 ` Jonathan Nieder
2021-03-15 17:24 ` John Ratliff [this message]
2021-03-15 18:56 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAP8UukjOghB7yak-tk=+YvCDkgsMt7bobfrbdiRmPpus3LaZJA@mail.gmail.com' \
--to=john@technoplaza.net \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).