For over a year, I've been having troubles with GIT and directory/file permissions. I have a central repository to which multiple developers push code, using ssh (origin set up as ssh://example/git/repository). I have set up the repository as follows:
1) My config file in the central repository:

    [core]
        repositoryformatversion = 0
        filemode = true
        bare = true
        sharedrepository = 0660

2) All repository directory permissions are set to 770 (rwxrwx---)
3) All files in ./objects/XX and ./objects/info are set to 440 (r--r-----)
4) All other files are set to 660 (rw-rw----)
5) Ownership is set to root:group_name
(note that this came from the recommended setup in the top response in this thread: Making git push respect permissions?)
All accessing users are members of the group 'group_name'.
The problem is that if user1 pushes to the repository, the file ownership on some files is set to user1:user1 - meaning that the group is changed. Once this happens, no other users can push (or pull) from the repository, as they do not have permission to read, write or execute from required files in the repository anymore.
I have read every thread I can find regarding the matter on Stack Overflow and pretty much everywhere else on the net, but I keep running into this same issue.
The problem is, I'm not sure if this issue is one of GIT, or one of UNIX, and I'm not sure how to fix it. How can I stop the group from being changed when a user pushes to the repository?
Yes, by default, git is configured to track the changes in file permission mode, too. Just to experiment with the idea, I created a dummy repo and "touched" an empty file. The initial default permission was 775.
If server detects a conflict when someone pushes data (and if two users are doing this "simultaneously" one of the pushes will be conflicting, because it will be applied only after the other one completes), the server will reject it, and the unlucky user shall then resolve conflicts and try to push again.
Git Tracks ONLY the Executable Bit of the Permissions for the User Who Owns the File.
true : git tracks the executable bit for the file owner.
It looks like you changed to git config core.sharedRepository 0660 after initializing the repository rather than using git init --shared=0660 which should set the permissions up correctly. This means that the sgid bit won't be set on the git repository's directories correctly. You will have to fix this manually with something like (assuming GNU find and xargs):
find . -print0 | xargs -0 chgrp group_name
find . -type d -print0 | xargs -0 chmod g+s
Excerpt of git init --help for those confused about group vs. true vs. 0660:
--shared[=(false|true|umask|group|all|world|everybody|0xxx)]
Specify that the Git repository is to be shared amongst several users.
This allows users belonging to the same group to push into that
repository. When specified, the config variable
"core.sharedRepository" is set so that files and directories under
$GIT_DIR are created with the requested permissions. When not
specified, Git will use permissions reported by umask(2).
The option can have the following values, defaulting to group if no
value is given:
umask (or false)
Use permissions reported by umask(2). The default, when --shared
is not specified.
group (or true)
Make the repository group-writable, (and g+sx, since the git group
may be not the primary group of all users). This is used to loosen
the permissions of an otherwise safe umask(2) value. Note that the
umask still applies to the other permission bits (e.g. if umask is
0022, using group will not remove read privileges from other
(non-group) users). See 0xxx for how to exactly specify the
repository permissions.
all (or world or everybody)
Same as group, but make the repository readable by all users.
0xxx
0xxx is an octal number and each file will have mode 0xxx. 0xxx
will override users' umask(2) value (and not only loosen
permissions as group and all does). 0640 will create a repository
which is group-readable, but not group-writable or accessible to
others. 0660 will create a repo that is readable and writable to
the current user and group, but inaccessible to others.
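The check below is an added example, not part of the original posts: a POSIX shell audit for the conditions the answer fixes (directories missing the setgid bit, paths outside the shared group), plus any permission granted to "other", which 0660 is meant to exclude. The function names are hypothetical; the repository path and group are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a shared bare repository for the conditions that
# break group access. Function names are hypothetical; the repository path
# and the shared group (name or numeric gid) are passed in by the caller.

# Directories without the setgid bit: entries created inside them take the
# pushing user's primary group instead of the shared group.
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Paths whose group is not the shared group.
paths_wrong_group() {
    find "$1" ! -group "$2" -print
}

# Paths granting any permission to "other" (symlinks skipped, since their
# own mode bits are not what controls access).
paths_open_to_other() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print every finding; return 0 only when the repository is clean.
audit_shared_repo() {
    repo=$1 group=$2 status=0
    for check in dirs_missing_setgid paths_wrong_group paths_open_to_other; do
        found=$("$check" "$repo" "$group")
        if [ -n "$found" ]; then
            printf '%s:\n%s\n' "$check" "$found"
            status=1
        fi
    done
    return "$status"
}
```

Call it as audit_shared_repo <repository path> group_name after applying the chgrp and chmod g+s commands above; a non-zero return means the listed paths still need correcting.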