Checking / fixing permissions on hosted git projects

Mike McGrath mmcgrath at redhat.com
Thu Jul 23 19:51:05 UTC 2009


On Thu, 23 Jul 2009, Todd Zullinger wrote:

> Hey all,
>
> Every so often we've had problems with users having permissions
> problems in git repos on hosted.  This is less of an issue over the
> past few months as we backported a patch from upstream git to ensure
> that git sets the permissions properly as well as setting the right
> permissions with the gitsetup.sh script when creating new repos¹.
>
> ¹ Except for the minor issue that it issues a mildly overly broad
>   'chmod -R g+w .' -- which makes any files in the objects tree group
>   writable even though they are not intended nor required to be
>   writable by anyone.  Objects are read only for git.
>
> To help ensure that we don't end up with any new permissions problems
> I whipped up a git-check-perms script which might be useful to run as
> a cron job once daily or even weekly.  It should alert us to any new
> problems with git or with our setup/import scripts.  It can also be
> used to correct any problems found, after we've looked into what
> caused them, of course.  The script is in ~tmz/bin/git-check-perms on
> hosted1.
>
> Before the output of this is clean and suitable for a cron job, there
> are a few minor things that should be fixed.  Mostly this is fixing
> files in the objects dir that have unneeded write permissions.  There
> are also a few config and commit-list files that would get group write
> permissions added.  Neither of these things causes any real problems,
> but they differ from how we'd like to set up and import git projects,
> so making them consistent will make things simpler all around.
>
> The list of changes the script would make is attached.  If anyone has
> a moment to check that it looks sane, that would be great.  The short
> list of non-objects dir issues is:
>
> /git/Virtualization_Guide.git/commit-list: Not group writable (should be "0664")
> /git/augeas.git/commit-list: Not group writable (should be "0664")
> /git/collie.git/commit-list: Not group writable (should be "0664")
> /git/comps-extras.git/logs: Not SETGID (should be "02775")
> /git/comps-extras.git/logs/refs: Not SETGID (should be "02775")
> /git/comps-extras.git/logs/refs/heads: Not SETGID (should be "02775")
> /git/docs/install-guide.git/config: Not group writable (should be "0664")
> /git/docs/release-notes.git/config: Not group writable (should be "0664")
> /git/fastback.git/commit-list: Not group writable (should be "0664")
> /git/grubby.git/commit-list: Not group writable (should be "0664")
> /git/grubby.git/config: Not group writable (should be "0664")
> /git/moksha.git/commit-list: Not group writable (should be "0664")
> /git/pam_url.git/config: Not group writable (should be "0664")
> /git/piranha.git/commit-list: Not group writable (should be "0664")
> /git/simon.git/commit-list: Not group writable (should be "0664")
> /git/sssd.git/commit-list: Not group writable (should be "0664")
>

This all seems very reasonable to me.  Thanks for putting that together.

	-Mike
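
A sketch of the kind of check the quoted message describes, added here as an example; it is not the git-check-perms script on hosted1, whose source does not appear in this thread. The function names, the `fix` flag and the "Unneeded write permission" wording are assumptions; the other two messages and the "should be" modes follow the report format quoted above.

```python
import os
import stat

DIR_MODE = 0o2775  # SETGID + group writable, the directory mode in the quoted report


def expected_mode(mode, is_dir, in_objects):
    """Return (problem, wanted_mode), or None when the permission bits are fine."""
    perms = stat.S_IMODE(mode)
    if is_dir:
        if not perms & stat.S_ISGID:
            return "Not SETGID", DIR_MODE
        if not perms & stat.S_IWGRP:
            return "Not group writable", DIR_MODE
    elif in_objects:
        # Objects are read only for git: flag a write bit for anyone.
        if perms & 0o222:
            return "Unneeded write permission", perms & ~0o222
    elif not perms & stat.S_IWGRP:
        return "Not group writable", perms | stat.S_IWGRP
    return None


def check_repo(repo, fix=False):
    """Walk one bare repo and return report lines; chmod as well when fix=True."""
    report = []
    for root, _dirs, files in os.walk(repo):
        rel = os.path.relpath(root, repo)
        in_objects = rel.split(os.sep)[0] == "objects"
        entries = [(root, True)] + [(os.path.join(root, f), False) for f in files]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # never report on or chmod through a symlink
            found = expected_mode(st.st_mode, is_dir, in_objects)
            if found:
                problem, wanted = found
                report.append('%s: %s (should be "0%o")' % (path, problem, wanted))
                if fix:
                    os.chmod(path, wanted)
    return sorted(report)
```

Run without `fix` from cron so that new findings are reported and their cause can be looked into before anything is changed, which is the order the quoted message asks for.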

