git@vger.kernel.org mailing list mirror (one of many)
From: Jeff King <peff@peff.net>
To: Jamie Zawinski <jwz@jwz.org>
Cc: git@vger.kernel.org
Subject: Re: sharedrepository=group not working
Date: Mon, 3 Dec 2018 23:09:03 -0500
Message-ID: <20181204040903.GA17059@sigill.intra.peff.net>
In-Reply-To: <F9365CBF-3D2D-4A05-AC0D-4604067B5826@jwz.org>

On Mon, Dec 03, 2018 at 07:27:13PM -0800, Jamie Zawinski wrote:

> I think sharedrepository=group stopped working some time between
> 2.10.5 (works) and 2.12.4 (does not). 2.19.2 also does not.

Hmm. Given the time-frame and the fact that your strace shows problems
writing into the objects/incoming-* directory, it's likely caused by
722ff7f876 (receive-pack: quarantine objects until pre-receive accepts,
2016-10-03).

The big change there is that instead of writing directly into objects/,
we create a temporary objects/incoming-* directory, write there, and
then migrate the objects over after we determine they're sane.

So in your strace we see the temp directory get created:

>  mkdir("./objects/incoming-U5EN8D", 0700 <unfinished ...>
>  <... mkdir resumed> )       = 0

The permissions are tighter than we ultimately want, but that's OK.
This tempdir is just for this process (and its children) to look at, and
then we'd eventually migrate the files out.

I could definitely imagine there being a bug in which we don't then
properly loosen permissions when we move things out of the tempdir, but
we don't even get that far. We fail immediately:

>  mkdir("./objects/incoming-U5EN8D/pack", 0777) = -1 EACCES (Permission denied)

That seems strange. The outer directory is only 0700, but the user
permissions should be sufficient. Even with the g+s bit set, it should
still be owned by the same user, shouldn't it?

I tried reproducing your state like this:

  git init --bare dst.git
  git -C dst.git config core.sharedrepository group
  chgrp -R somegroup dst.git
  find dst.git -type f | xargs chmod g+rw
  find dst.git -type d | xargs chmod g+srw

  # push works from original user
  git clone dst.git client
  (
    cd client &&
    git commit --allow-empty -m foo &&
    git push
  )

  # push works from alternate user
  sudo su anotheruser sh -c '
    git clone dst.git /tmp/other &&
    cd /tmp/other &&
    git commit --allow-empty -m foo &&
    git push --receive-pack="strace -e mkdir git-receive-pack"
  '

but it works fine. Might there be some effective-uid trickiness with the
way the server side of git is invoked? Or is this a network mount where
the filesystem uid might not match the process uid?

-Peff
