In this post I will cover the subject of sharing git repositories in the simplest way, i.e. using file permissions.
First we’ll analyze sharing directories on a unix system, then we’ll see it applied to git repositories.
setuid (u+s) and setgid (g+s) on directories:
Regardless of who creates a file inside a directory, that file will have the same owner and/or group as the directory.
Note: Only new directories inherit this bit.
Sharing directories:
cd shared-dir/
chown user:team -R .
chmod g=u,o= -R .
find . -type d -print0 | xargs -0 chmod g+s
vim /etc/profile --> setting umask 002
Remember:
- manually enable the setgid bit on already created directories (only new ones inherit it)
- umask is very important: with umask 022, sharing will not work, because the group needs the same access as the owner.
- everyone sharing this folder must be a member of the ‘team’ group
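A small audit for the points in the list above, as an added example that is not part of the original post. The function names and the temporary demo tree are assumptions made for illustration, and the chown step is left out because it needs a real ‘team’ group.

```shell
#!/bin/sh
# Added example: audit a shared tree for the conditions in the list above.

# Print one "<problem> <path>" line per finding.
scan_shared_dir() {
    # Directory without setgid: new files there keep the creator's group.
    find "$1" -type d ! -perm -2000 -exec printf 'no-setgid %s\n' {} \;
    # Owner can write but group cannot: what umask 022 leaves behind.
    find "$1" \( -type f -o -type d \) -perm -0200 ! -perm -0020 \
        -exec printf 'group-cannot-write %s\n' {} \;
    # Any permission bit for "other" contradicts the o= step.
    find "$1" \( -type f -o -type d \) \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) \
        -exec printf 'other-has-access %s\n' {} \;
}

# Print the findings and return 1 if there are any; return 0 when clean.
audit_shared_dir() {
    report=$(scan_shared_dir "$1")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo tree (hypothetical names) created as umask 022 would.
demo_tree() {
    t=$(mktemp -d) || return 1
    ( umask 022
      mkdir -p "$t/shared-dir/docs"
      echo notes > "$t/shared-dir/docs/notes.txt" )
    printf '%s\n' "$t/shared-dir"
}

# The page's fix steps; chown is left out because it needs a real 'team' group.
fix_shared_dir() {
    chmod -R g=u,o= "$1"
    find "$1" -type d -exec chmod g+s {} +
}

d=$(demo_tree)
echo "before the fix:"; audit_shared_dir "$d" || true
fix_shared_dir "$d"
echo "after the fix:"; audit_shared_dir "$d" && echo "clean"
rm -rf "${d%/shared-dir}"
```

Running the audit periodically against the shared directory catches files that a team member created with umask 022 after the initial fix.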
Sharing directories, umask set by ACL:
A more fine-grained approach is to set umask 002 ONLY on this directory.
We need ACL to accomplish this task.
vim /etc/fstab --> add ACL as option on filesys hosting our shared-dir
mount -o remount <that filesys>
setfacl -d -m mask:007 -R shared-dir
Useful (backup&restore permissions):
getfacl <file> > backup.acl
getfacl -R <dir> > backup.acl #recursive
setfacl --restore=backup.acl
Sharing git repositories:
When sharing a repository with git, the shared repository is the one receiving pushes.
Any clone is supposed to be used by only one user, so there is no need to set the setgid bit inside those clones.
git init --bare --shared=group
This command will create a bare repo with setgid on directories.
This is a shared folder.
When people (members of the ‘team’ group) push to this repo, git objects will always have the same ‘team’ group regardless of who is pushing.
Note: git sets
core.sharedrepository = 1
to properly manage file creation regardless of umask value.