From 078688213f321ac52c224c1cfa264d686c7264bd Mon Sep 17 00:00:00 2001
From: Johannes Sixt
Date: Sun, 12 Apr 2009 21:22:02 +0200
Subject: [PATCH 1/2] t1301-shared-repo: fix forced modes test

This test was added recently (5a688fe, "core.sharedrepository = 0mode" should set, not loosen; 2009-03-28). It checked the result of a sed invocation for emptiness, but in some cases it forgot to print anything at all, so that those checks would never be false.

Due to this mistake, it went unnoticed that the files in objects/info are not necessarily 0440, but can also be 0660. Because the 0mode setting tries to guarantee that the files are accessible only to the people they are meant to be used by, we should only make sure that they are readable by the user and the group when the configuration is set to 0660. It is a separate matter from the core.sharedrepository settings that the w-bit from immutable object files under objects/[0-9a-f][0-9a-f] directories should be dropped.

COMMIT_EDITMSG is still world-readable, but it (and any transient files that are meant for repositories with a work tree) does not matter. If you are working on a shared machine and on sekrit stuff, the root of the work tree would be with mode 0700 (or 0750 to allow peeking by other people in the group), and that would mean that .git/COMMIT_EDITMSG in such a repository would not be readable by the strangers anyway. Also, in the real-world use case, .git/COMMIT_EDITMSG will be given to an arbitrary editor the user happens to use, and we have no guarantee what it does (e.g. it may create a new file with umask and replace, it may rewrite in place, it may leave an editor backup file but use umask to create it, etc.), and the protection of the file lies majorly on the protection of the root of the work tree.

This test cannot be run on Windows; it requires POSIXPERM when merged to 'master'.

Signed-off-by: Johannes Sixt
Signed-off-by: Junio C Hamano --- t/t1301-shared-repo.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/t/t1301-shared-repo.sh b/t/t1301-shared-repo.sh index 3c8a2373ac0..3fddc9ee781 100755 --- a/t/t1301-shared-repo.sh +++ b/t/t1301-shared-repo.sh @@ -141,11 +141,14 @@ test_expect_success 'forced modes' ' git commit -a -m initial && git repack ) && - find new/.git -print | + # List repository files meant to be protected; note that + # COMMIT_EDITMSG does not matter---0mode is not about a + # repository with a work tree. + find new/.git -type f -name COMMIT_EDITMSG -prune -o -print | xargs ls -ld >actual && # Everything must be unaccessible to others - test -z "$(sed -n -e "/^.......---/d" actual)" && + test -z "$(sed -e "/^.......---/d" actual)" && # All directories must have either 2770 or 770 test -z "$(sed -n -e "/^drwxrw[sx]---/d" -e "/^d/p" actual)" && @@ -156,10 +159,11 @@ test_expect_success 'forced modes' ' p }" actual)" && - # All files inside objects must be 0440 + # All files inside objects must be accessible by us test -z "$(sed -n -e "/objects\//{ /^d/d - /^-r--r-----/d + /^-r.-r.----/d + p }" actual)" ' From 098082fb78768dc3cbe659048c9f47cabdd7e39b Mon Sep 17 00:00:00 2001 From: Johan Herland Date: Tue, 14 Apr 2009 15:15:42 +0200 Subject: [PATCH 2/2] Update docs on behaviour of 'core.sharedRepository' and 'git init --shared' This documentation update is needed to reflect the recent changes where "core.sharedRepository = 0mode" was changed to set, not loosen, the repository permissions. Signed-off-by: Johan Herland Signed-off-by: Junio C Hamano --- Documentation/config.txt | 6 ++++-- Documentation/git-init.txt | 16 +++++++++++----- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/Documentation/config.txt b/Documentation/config.txt index f5152c5038b..6af58ff3aa9 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt 
@@ -290,8 +290,10 @@ core.sharedRepository:: group-shareable. When 'umask' (or 'false'), git will use permissions reported by umask(2). When '0xxx', where '0xxx' is an octal number, files in the repository will have this mode value. '0xxx' will override - user's umask value, and thus, users with a safe umask (0077) can use - this option. Examples: '0660' is equivalent to 'group'. '0640' is a + user's umask value (whereas the other options will only override + requested parts of the user's umask value). Examples: '0660' will make + the repo read/write-able for the owner and group, but inaccessible to + others (equivalent to 'group' unless umask is e.g. '0022'). '0640' is a repository that is group-readable but not group-writable. See linkgit:git-init[1]. False by default. diff --git a/Documentation/git-init.txt b/Documentation/git-init.txt index 71749c09d30..7151d12f349 100644 --- a/Documentation/git-init.txt +++ b/Documentation/git-init.txt 
@@ -54,15 +54,21 @@ is given: - 'group' (or 'true'): Make the repository group-writable, (and g+sx, since the git group may be not the primary group of all users). + This is used to loosen the permissions of an otherwise safe umask(2) value. + Note that the umask still applies to the other permission bits (e.g. if + umask is '0022', using 'group' will not remove read privileges from other + (non-group) users). See '0xxx' for how to exactly specify the repository + permissions. - 'all' (or 'world' or 'everybody'): Same as 'group', but make the repository readable by all users. - - '0xxx': '0xxx' is an octal number and each file will have mode '0xxx' - Any option except 'umask' can be set using this option. '0xxx' will - override users umask(2) value, and thus, users with a safe umask (0077) - can use this option. '0640' will create a repository which is group-readable - but not writable. '0660' is equivalent to 'group'. + - '0xxx': '0xxx' is an octal number and each file will have mode '0xxx'. + '0xxx' will override users' umask(2) value (and not only loosen permissions + as 'group' and 'all' does). '0640' will create a repository which is + group-readable, but not group-writable or accessible to others. '0660' will + create a repo that is readable and writable to the current user and group, + but inaccessible to others. By default, the configuration flag receive.denyNonFastForwards is enabled in shared repositories, so that you cannot force a non fast-forwarding push
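Review bot: in the first t1301-shared-repo.sh hunk (lines 141-154), dropping `-n` from `sed -e "/^.......---/d"` is the actual fix for the "unaccessible to others" check: with `-n` and only a `d` command nothing was ever printed, so `test -z` could not fail and an overly permissive repository would have passed. The new `find new/.git -type f -name COMMIT_EDITMSG -prune -o -print` does work (the `-prune` action returns true, so `-o -print` is skipped for that one file), but `-prune` is meant for directories and the intent reads more plainly as `find new/.git ! -name COMMIT_EDITMSG -print`. Since the remaining checks keep `sed -n`, each of them has to carry an explicit `p`, as the directory check's `-e "/^d/p"` already does; a reviewer should confirm that for every `sed -n` block in this test.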
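Review bot: in the second t1301-shared-repo.sh hunk (lines 156-169), the new pattern `/^-r.-r.----/d` is looser than the comment and the commit message intend: `.` matches any character, so a mode such as `-rwxr-x----` or `-rwsr-s----` is also deleted from the output, and an executable or setuid file under objects/ would go unnoticed. The stated intent is owner and group read with write allowed for the 0660 case, which `/^-r[-w]-r[-w]----/d` expresses exactly. The added `p` is the real fix for this check, since under `sed -n` the old block printed nothing and `test -z` was always true; the comment "must be accessible by us" would be clearer as "must be readable by owner and group, writable by no one else".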
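Review bot: in the Documentation/config.txt hunk, the parenthetical "(equivalent to 'group' unless umask is e.g. '0022')" is confusing, because '0660' always yields 0660 regardless of umask; it is 'group' whose result depends on the umask. Suggest "equivalent to 'group' when the umask already denies others, e.g. 0007; with umask 0022, 'group' leaves files world-readable while '0660' does not". Also "read/write-able" should read "readable and writable", matching the wording used in the git-init.txt hunk.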
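Review bot: in the Documentation/git-init.txt hunk, "as 'group' and 'all' does" should be "do", and "loosen the permissions of an otherwise safe umask(2) value" reads better as "loosen the permissions produced by an otherwise safe umask(2) value". The '0xxx' bullet still says only "each file will have mode '0xxx'", which leaves directory modes unspecified, while the 'forced modes' test in patch 1 expects directories to be 2770 or 770; a sentence stating what mode directories receive under '0xxx' would make the documentation match the behaviour the test enforces.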