-rw-r--r--Annex/Content.hs15
-rw-r--r--debian/changelog3
-rw-r--r--doc/bugs/Move_out_of_shared_repository_as___34__maintenance_user__34___gives_permission_denied_for_files_edited_by_others.mdwn2
-rw-r--r--doc/bugs/Move_out_of_shared_repository_as___34__maintenance_user__34___gives_permission_denied_for_files_edited_by_others/comment_1_5c06ab75371237a263c836da45106707._comment28
4 files changed, 42 insertions, 6 deletions
diff --git a/Annex/Content.hs b/Annex/Content.hs
index 612a96a6b..289a4f1b3 100644
--- a/Annex/Content.hs
+++ b/Annex/Content.hs
@@ -699,18 +699,21 @@ preseedTmp key file = go =<< inAnnex key
)
)
-{- Blocks writing to an annexed file, and modifies file permissions to
- - allow reading it, per core.sharedRepository setting. -}
+{- Normally, blocks writing to an annexed file, and modifies file
+ - permissions to allow reading it.
+ -
+ - When core.sharedRepository is set, the write bits are not removed from
+ - the file, but instead the appropriate group write bits are set. This is
+ - necessary to let other users in the group lock the file.
+ -}
freezeContent :: FilePath -> Annex ()
freezeContent file = unlessM crippledFileSystem $
withShared go
where
go GroupShared = liftIO $ modifyFileMode file $
- removeModes writeModes .
- addModes [ownerReadMode, groupReadMode]
+ addModes [ownerReadMode, groupReadMode, ownerWriteMode, groupWriteMode]
go AllShared = liftIO $ modifyFileMode file $
- removeModes writeModes .
- addModes readModes
+ addModes (readModes ++ writeModes)
go _ = liftIO $ modifyFileMode file $
removeModes writeModes .
addModes [ownerReadMode]
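Review bot: The `go GroupShared` branch now only adds mode bits, so an other-write bit that is already on the file (from a permissive umask at creation, say) is no longer cleared the way the old `removeModes writeModes` did, and the object stays writable by users outside the group that the new header comment describes; `removeModes [otherWriteMode] . addModes [ownerReadMode, groupReadMode, ownerWriteMode, groupWriteMode]` keeps the group-only result. The `go AllShared` branch adds all of `writeModes`, which presumably includes the other-write bit, so those objects end up mode 666 rather than the "such as 664" the changelog states, and any local user can then silently alter annexed content — the belt-and-suspenders protection the commit's own bug comment mentions is gone entirely in that mode. The header comment's "the appropriate group write bits are set" undersells this; add ` - In AllShared mode the file is left writable by all users, so file modes no longer protect object content from modification.` to it. freezeContent lies entirely within the hunk.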
diff --git a/debian/changelog b/debian/changelog
index 9c9b2c7c9..55f195dc4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,9 @@ git-annex (5.20151117) UNRELEASED; urgency=medium
* Display progress meter in -J mode when downloading from the web.
* map: Improve display of git remotes with non-ssh urls, including http
and gcrypt.
+ * When core.sharedRepository is set, annex object files are not made mode
+ 444, since that prevents a user other than the file owner from locking
+ them. Instead, a mode such as 664 is used in this case.
-- Joey Hess <id@joeyh.name> Mon, 16 Nov 2015 16:49:34 -0400
diff --git a/doc/bugs/Move_out_of_shared_repository_as___34__maintenance_user__34___gives_permission_denied_for_files_edited_by_others.mdwn b/doc/bugs/Move_out_of_shared_repository_as___34__maintenance_user__34___gives_permission_denied_for_files_edited_by_others.mdwn
index 204e81221..f67d73ba4 100644
--- a/doc/bugs/Move_out_of_shared_repository_as___34__maintenance_user__34___gives_permission_denied_for_files_edited_by_others.mdwn
+++ b/doc/bugs/Move_out_of_shared_repository_as___34__maintenance_user__34___gives_permission_denied_for_files_edited_by_others.mdwn
@@ -247,3 +247,5 @@ git-annex: .git/annex/unused: openFile: permission denied (Permission denied)
# End of transcript or log.
"""]]
+
+> [[fixed|done]] --[[Joey]]
diff --git a/doc/bugs/Move_out_of_shared_repository_as___34__maintenance_user__34___gives_permission_denied_for_files_edited_by_others/comment_1_5c06ab75371237a263c836da45106707._comment b/doc/bugs/Move_out_of_shared_repository_as___34__maintenance_user__34___gives_permission_denied_for_files_edited_by_others/comment_1_5c06ab75371237a263c836da45106707._comment
new file mode 100644
index 000000000..43b37c020
--- /dev/null
+++ b/doc/bugs/Move_out_of_shared_repository_as___34__maintenance_user__34___gives_permission_denied_for_files_edited_by_others/comment_1_5c06ab75371237a263c836da45106707._comment
@@ -0,0 +1,28 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2015-11-18T19:35:52Z"
+ content="""
+More simply stated, user A adds a file, which sets its perms to 444, and
+user B can't change those perms to lock the file for removal.
+
+In sharedRepository mode, the object directory's perms are already
+weakened, to eg 775 rather than the default 555, for the same reason;
+another user with shared access can't chmod the object directory to allow
+writing to it. That just needs to be extended from object directory to
+object file to fix this.
+
+But, that means that the object file will be mode 664, rather than
+444, and so git-annex can't prevent accidental direct modifications of the
+content of objects when in sharedRepository mode, like it normally does.
+
+Since that's a belt and suspenders protection, and since the object
+directory permissions weakening already lost a similar protection against
+accidential deletion of object files, shrug, I guess we'll do that.
+
+I do feel that sharedRepository mode rarely ever makes sense to use. It's
+very fiddely to get the permissions set up right and keep them right, and
+there are much better ways to share a centralized repo between users, eg
+use gitolite or a dedicated account that's locked down to only let
+git/git-annex commands be run.
+"""]]