[tech] [wheel] /services/http git permission issue
Nick Bannon
nick at ucc.gu.uwa.edu.au
Fri Mar 30 17:36:57 AWST 2018
On Thu, Mar 29, 2018 at 12:03:29AM +0800, Felix von Perger wrote:
> There is a potentially problematic permissions issue relating to the git
> repository in /services/http which may or may not result in certain things
> (like committee minutes) being properly added to the git repository. This
> can be seen when I run the `minutes-push` script (albeit a slightly modified
> version but the git part is the same as the version in
> /home/other/committee/bin/).
>
> On motsugo in the directory /services/http, I attempt to run `git commit -a`
> to reproduce the issue:
>
> error: insufficient permission for adding an object to repository database .git/objects
> error: infobase/committee/2017/2018-01-11.txt: failed to insert into database
> error: unable to index file infobase/committee/2017/2018-01-11.txt
> fatal: updating files failed
>
> The output of `id` is:
> uid=12168(frekk) gid=10021(gumby) groups=10021(gumby),101(netdev),10069(committee),10101(webmasters),13001(BUILTIN\users)
>
> Hopefully this provides enough information to fix the issue.
> Best regards,
> Felix
> UCC Secretary 2018

Thanks for the thorough email!

/services/http is meant to be very simple, but group permissions are
easily mucked up if you don't newgrp / umask appropriately.

At times there's been a cronjob to ensure something like the following:

    chmod -R o-w /services/http
    chgrp -R webmasters /services/http
    find /services/http -type d \! -perm -2070 -exec chmod g+srwx {} \;
    find /services/http -type f -name config -exec git config -f {} core.sharedRepository group \;

(see core.sharedRepository in git-config(1))

...so none of the following should have output:

    find /services/http \! -group webmasters -ls
    find /services/http \! -type l -perm -o=w -ls
    find /services/http -type d \! -perm 2775 -ls
    find /services/http -type f -name config \! -exec grep -q 'sharedRepository = group' {} \; -ls

Nick.
--
Nick Bannon | "I made this letter longer than usual because
nick-sig at rcpt.to | I lack the time to make it shorter." - Pascal
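
Added example (not part of the original email or of UCC's scripts): the checks above wrapped into an audit function that labels each finding and returns non-zero, run here against a constructed sample tree that reproduces the umask mistake. The function names, labels and sample tree are assumptions; directories are tested against the -2070 minimum that the chmod line enforces rather than exact 2775, and only files at .git/config are inspected.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT and GROUP are parameters; the
# values in the thread would be /services/http and webmasters.

# Print one "reason path" line per violation; return 1 if any were found.
audit_shared_tree() {
    root=$1
    group=$2
    findings=$(
        # Not owned by the shared group.
        find "$root" ! -group "$group" | sed 's/^/wrong-group /'
        # World-writable, skipping symlinks whose mode bits mean nothing.
        find "$root" ! -type l -perm -0002 | sed 's/^/world-writable /'
        # Directory missing setgid or any of group rwx: new files would not
        # inherit the group, or other members could not add objects.
        find "$root" -type d ! -perm -2070 | sed 's/^/dir-not-group-shared /'
        # Repository config without core.sharedRepository = group.
        find "$root" -type f -path '*/.git/config' \
            ! -exec grep -q 'sharedRepository = group' {} \; -print |
            sed 's/^/repo-not-shared /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a conforming tree laid out like a git work tree.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/.git/objects/ab" "$t/infobase/committee"
    printf '[core]\n\tsharedRepository = group\n' > "$t/.git/config"
    : > "$t/infobase/committee/minutes.txt"
    chgrp -R "$(id -g)" "$t"
    find "$t" -type d -exec chmod 2775 {} \;
    find "$t" -type f -exec chmod 0664 {} \;
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
audit_shared_tree "$sample" "$(id -g)" && echo "clean: $sample"
# Simulate a member with umask 022 having created an object directory.
chmod g-w "$sample/.git/objects/ab"
audit_shared_tree "$sample" "$(id -g)" || echo "violations found"
rm -rf "$sample"
```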