git@vger.kernel.org mailing list mirror (one of many)
From: Jeff King <peff@peff.net>
To: David McGough <dmcgough@opentext.com>
Cc: "git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: Smart HTTP push permissions failure
Date: Wed, 24 Aug 2016 13:00:28 -0400
Message-ID: <20160824170028.y4kr5jchsnb5xdge@sigill.intra.peff.net>
In-Reply-To: <89CBBBEBEE33F5469A9FA456B5F70625CCDB9BEB@otwlxg20.opentext.net>

On Tue, Aug 23, 2016 at 03:45:33PM +0000, David McGough wrote:

> When I try to push to the server I get this message:
> remote: error: insufficient permission for adding an object to repository database ./objects
> remote: fatal: failed to write object
> [...]
> So I am pretty confused about what the issue is.  Which OS user is git
> using to write the files?  I hope somebody can help me understand why
> the project cannot be pushed to the git server.

For a smart-http push, it will be whatever user the web server execs the
CGI as. So I'd think "apache" would be the default, but it's possible
that it runs CGIs as a different user, depending on your config.

One possibility may be to add a simple shell script CGI that does
something like:

  #!/bin/sh
  echo "Content-type: text/plain"
  echo
  id

just to see what's happening.

Based on the data you showed, here are some wild possibilities I can
think of:

  - the CGI runs as "apache", but your files are owned by "git".
    "apache" is in the "staff" group, and the directories all have write
    permission for that group. But are we sure that apache does not shed
    any group permissions when running a CGI? The "id" script above
    should hopefully show that.

  - You mentioned CentOS. It has been a while since I dealt with RHEL
    and its derivatives, but I think selinux is turned on by default
    there. Is it possible that the webserver runs in an selinux profile
    that does not allow writing to the repository directory?

    I don't recall the specifics of debugging selinux problems, but
    there may be logs there.

Sorry those are just stabs in the dark, but I don't see anything else
obviously wrong with what you've posted.

-Peff
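
Added example, not part of the original message or of git: an extended form of the `id` CGI suggested above that also reports the ownership of the objects directory, tries a real file creation in it as the CGI user, and prints the SELinux mode when `getenforce` is installed. The path in `REPO_OBJECTS` is a hypothetical placeholder, and `stat -c` assumes GNU coreutils (as on CentOS).

```shell
#!/bin/sh
# Added diagnostic CGI (not from the original thread).
# REPO_OBJECTS is a hypothetical path: set it to your repository's objects directory.
REPO_OBJECTS="${REPO_OBJECTS:-/var/www/git/project.git/objects}"

# Permission-bit view: can this process enter and write the directory?
check_writable() {
    if [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]; then
        echo writable
    else
        echo not-writable
    fi
}

# Attempt what a push has to do: create a file in the directory.
# The subshell keeps a failed redirection from aborting the script.
try_write() {
    tmp="$1/.cgi-write-test.$$"
    if ( : > "$tmp" ) 2>/dev/null; then
        rm -f "$tmp"
        echo ok
    else
        echo denied
    fi
}

# SELinux mode (Enforcing/Permissive/Disabled) if the tool is present.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo unavailable
    fi
}

report() {
    echo "Content-type: text/plain"
    echo
    echo "identity:      $(id)"
    echo "objects dir:   $REPO_OBJECTS"
    echo "owner/mode:    $(stat -c '%U:%G %A' "$REPO_OBJECTS" 2>&1)"
    echo "access check:  $(check_writable "$REPO_OBJECTS")"
    echo "write attempt: $(try_write "$REPO_OBJECTS")"
    echo "selinux:       $(selinux_mode)"
}

# Emit the report only when the web server invoked us as a CGI.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then report; fi
```

Compare the groups in the `identity` line with the group shown in `owner/mode`. Remove the script once the check is done, since it discloses account and path details to anyone who can request it.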
