[PATCH] t1301-shared-repo: Fix forced modes test

[PATCH] t1301-shared-repo: Fix forced modes test

[Johannes Sixt]

This test was added recently (5a688fe, "core.sharedrepository = 0mode"
should set, not loosen; 2009-03-28). It checked the result of a sed
invocation for emptyness, but in some cases it forgot to print anything
at all, so that those checks would never be false.

Due to this mistake, it went unnoticed that the files in objects/info are
not necessarily 0440, but can also be 0640. This directory is now exempt
from the check.

Finally, this test cannot be run on Windows (requires POSIXPERM).

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
---

  I don't have a Linux/Unix readily available right now, so this is only
  tested on Windows.

  -- Hannes

  t/t1301-shared-repo.sh |    8 +++++---
  1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/t/t1301-shared-repo.sh b/t/t1301-shared-repo.sh
index 750fbb3..fb7c51d 100755
--- a/t/t1301-shared-repo.sh
+++ b/t/t1301-shared-repo.sh
@@ -126,7 +126,7 @@ test_expect_success POSIXPERM 'git reflog expire
  	esac
  '

-test_expect_success 'forced modes' '
+test_expect_success POSIXPERM 'forced modes' '
  	mkdir -p templates/hooks &&
  	echo update-server-info >templates/hooks/post-update &&
  	chmod +x templates/hooks/post-update &&
@@ -145,7 +145,7 @@ test_expect_success 'forced modes' '
  	xargs ls -ld >actual &&

  	# Everything must be unaccessible to others
-	test -z "$(sed -n -e "/^.......---/d" actual)" &&
+	test -z "$(sed -e "/^.......---/d" actual)" &&

  	# All directories must have either 2770 or 770
  	test -z "$(sed -n -e "/^drwxrw[sx]---/d" -e "/^d/p" actual)" &&
@@ -156,10 +156,12 @@ test_expect_success 'forced modes' '
  		p
  	}" actual)" &&

-	# All files inside objects must be 0440
+	# All files inside objects (except objects/info) must be 0440
  	test -z "$(sed -n -e "/objects\//{
  		/^d/d
+		/info/d
  		/^-r--r-----/d
+		p
  	}" actual)"
  '

-- 
1.6.2.2.1458.gf2216d6

[PATCH v2] t1301-shared-repo: Fix forced modes test, but it still shows a flaw

[Johannes Sixt]

This test was added recently (5a688fe, "core.sharedrepository = 0mode"
should set, not loosen; 2009-03-28). It checked the result of a sed
invocation for emptyness, but in some cases it forgot to print anything
at all, so that those checks would never be false.

Due to this mistake, it went unnoticed that the files in objects/info are
not necessarily 0440, but can also be 0640. This directory is now exempt
from the check.

Moreover, COMMIT_EDITMSG is still world-readable. This is either a bug in
git, or a flaw in the test (the first sed expression). This patch does not
disambiguate these two cases, but only declares the test case as an
expected failure.

Finally, this test cannot be run on Windows (requires POSIXPERM).

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
---
Sorry, the first round was whitespace damaged for some reason.

I could now test the result on Linux, and, lo and behold, it shows a bug:
Either in git, or in the test: COMMIT_EDITMSG is still world-readable, as
is shown by the first sed expression that was fixed (2nd hunk).

-- Hannes

 t/t1301-shared-repo.sh |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/t/t1301-shared-repo.sh b/t/t1301-shared-repo.sh
index 750fbb3..71be308 100755
--- a/t/t1301-shared-repo.sh
+++ b/t/t1301-shared-repo.sh
@@ -126,7 +126,7 @@ test_expect_success POSIXPERM 'git reflog expire honors 
core.sharedRepository' '
 	esac
 '
 
-test_expect_success 'forced modes' '
+test_expect_failure POSIXPERM 'forced modes' '
 	mkdir -p templates/hooks &&
 	echo update-server-info >templates/hooks/post-update &&
 	chmod +x templates/hooks/post-update &&
@@ -145,7 +145,7 @@ test_expect_success 'forced modes' '
 	xargs ls -ld >actual &&
 
 	# Everything must be unaccessible to others
-	test -z "$(sed -n -e "/^.......---/d" actual)" &&
+	test -z "$(sed -e "/^.......---/d" actual)" &&
 
 	# All directories must have either 2770 or 770
 	test -z "$(sed -n -e "/^drwxrw[sx]---/d" -e "/^d/p" actual)" &&
@@ -156,10 +156,12 @@ test_expect_success 'forced modes' '
 		p
 	}" actual)" &&
 
-	# All files inside objects must be 0440
+	# All files inside objects (except objects/info) must be 0440
 	test -z "$(sed -n -e "/objects\//{
 		/^d/d
+		/info/d
 		/^-r--r-----/d
+		p
 	}" actual)"
 '
 
-- 
1.6.2.1.224.g2225f

Re: [PATCH v2] t1301-shared-repo: Fix forced modes test, but it still shows a flaw

[Junio C Hamano]

Johannes Sixt <j6t@kdbg.org> writes:

> This test was added recently (5a688fe, "core.sharedrepository = 0mode"
> should set, not loosen; 2009-03-28). It checked the result of a sed
> invocation for emptyness, but in some cases it forgot to print anything
> at all, so that those checks would never be false.
>
> Due to this mistake, it went unnoticed that the files in objects/info are
> not necessarily 0440, but can also be 0640. This directory is now exempt
> from the check.
>
> Moreover, COMMIT_EDITMSG is still world-readable. This is either a bug in
> git, or a flaw in the test (the first sed expression). This patch does not
> disambiguate these two cases, but only declares the test case as an
> expected failure.
>
> Finally, this test cannot be run on Windows (requires POSIXPERM).
>
> Signed-off-by: Johannes Sixt <j6t@kdbg.org>
> ---
> Sorry, the first round was whitespace damaged for some reason.

So is this one but that was minor and I fixed up by hand.

> I could now test the result on Linux, and, lo and behold, it shows a bug:
> Either in git, or in the test: COMMIT_EDITMSG is still world-readable, as
> is shown by the first sed expression that was fixed (2nd hunk).

I personally do not think it is worth worrying about transient stuff that
are meant for repositories with a work tree, such as COMMIT_EDITMSG file
and the index.  If you are working on a shared machine and on a sekrit
stuff, the root of the work tree would be with mode 0700 (or 0750 to allow
peeking by other people in the group), and that would mean that neither
the index nor .git/COMMIT_EDITMSG in it would be readable by the strangers
anyway.

The index happens to be protected already as-is and I am not saying we
should loosen it.  I am just saying it is not as important as what would
appear in a bare repository).

Also, in the real-world use case, .git/COMMIT_EDITMSG will be given to an
arbitrary editor the user happens to use, and we have no guarantee what it
does (e.g. it may create a new file with umask and replace, it may rewrite
in place, it may leave an editor backup file but use umask to create it,
etc.), and the protection of the file lies majorly on the protection of
the root of the work tree.

But objects/info is meant for users of a bare repository used as a
distribution point, and it should obey the stricter mode.  If the code
makes it world readable, that is indeed a breakage.  If it makes it 0660,
then the test case is broken.

The thing is, these tests are meant to cover the 0mode protection, and not
about "because object files are immutable, they should not have w-bit".
The rule should apply no matter what core.sharedrepository setting is in
effect for the repository, and such a test should be done elsewhere.  It
is not a part of core.sharedrepository settings topic.

So how about doing it this way instead?  If somebody cares, s/he can fix
the COMMIT_EDITMSG codepath and then drop the exclusion of it, but as I
already stated why, I do not think it is worth it.

	Side note: I think info/refs and objects/info/packs files are made
	0660, not 0640, as you stated.  As far as I can remember, these
	are updated by the usual creat-write-rename and do not have be
	writable, but it is a separate matter.

Note that this patch is against the tip of the original jc/shared-literally
topic (1b89eaa) that can be merged to 'maint'; I'll have a fix-up to add
POSIXPERM when merging it to 'master'.

-- >8 --
From: Johannes Sixt <j6t@kdbg.org>
Date: Sun, 12 Apr 2009 21:22:02 +0200
Subject: [PATCH] t1301-shared-repo: fix forced modes test

This test was added recently (5a688fe, "core.sharedrepository = 0mode"
should set, not loosen; 2009-03-28). It checked the result of a sed
invocation for emptyness, but in some cases it forgot to print anything
at all, so that those checks would never be false.

Due to this mistake, it went unnoticed that the files in objects/info are
not necessarily 0440, but can also be 0660.  Because the 0mode setting
tries to guarantee that the files are accessible only to the people they
are meant to be used by, we should only make sure that they are readable
by the user and the group when the configuration is set to 0660.  It is a
separate matter from the core.shredrepository settings that w-bit from
immutable object files under objects/[0-9a-f][0-9a-f] directories should
be dropped.

COMMIT_EDITMSG is still world-readable, but it (and any transient files
that are meant for repositories with a work tree) does not matter.  If you
are working on a shared machine and on a sekrit stuff, the root of the
work tree would be with mode 0700 (or 0750 to allow peeking by other
people in the group), and that would mean that .git/COMMIT_EDITMSG in such
a repository would not be readable by the strangers anyway.

Also, in the real-world use case, .git/COMMIT_EDITMSG will be given to an
arbitrary editor the user happens to use, and we have no guarantee what it
does (e.g. it may create a new file with umask and replace, it may rewrite
in place, it may leave an editor backup file but use umask to create it,
etc.), and the protection of the file lies majorly on the protection of
the root of the work tree.

This test cannot be run on Windows; it requires POSIXPERM when merged to
'master'.

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 t/t1301-shared-repo.sh |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/t/t1301-shared-repo.sh b/t/t1301-shared-repo.sh
index 3c8a237..3fddc9e 100755
--- a/t/t1301-shared-repo.sh
+++ b/t/t1301-shared-repo.sh
@@ -141,11 +141,14 @@ test_expect_success 'forced modes' '
 		git commit -a -m initial &&
 		git repack
 	) &&
-	find new/.git -print |
+	# List repository files meant to be protected; note that
+	# COMMIT_EDITMSG does not matter---0mode is not about a
+	# repository with a work tree.
+	find new/.git -type f -name COMMIT_EDITMSG -prune -o -print |
 	xargs ls -ld >actual &&
 
 	# Everything must be unaccessible to others
-	test -z "$(sed -n -e "/^.......---/d" actual)" &&
+	test -z "$(sed -e "/^.......---/d" actual)" &&
 
 	# All directories must have either 2770 or 770
 	test -z "$(sed -n -e "/^drwxrw[sx]---/d" -e "/^d/p" actual)" &&
@@ -156,10 +159,11 @@ test_expect_success 'forced modes' '
 		p
 	}" actual)" &&
 
-	# All files inside objects must be 0440
+	# All files inside objects must be accessible by us
 	test -z "$(sed -n -e "/objects\//{
 		/^d/d
-		/^-r--r-----/d
+		/^-r.-r.----/d
+		p
 	}" actual)"
 '
 
-- 
1.6.2.2.527.gea4fd