Kyle Moffett wrote:
> On Dec 10, 2006, at 10:30:00, Jakub Narebski wrote:
>> Jeff Garzik wrote:
>>>
>>> I actively use git to version, store and distribute an exim mail
>>> configuration across six servers. So far my solution has been a
>>> 'fix perms' script, or using the file perm checking capabilities
>>> of cfengine.
>>
>> 'Fix perms' script used on a checkout hook is a best idea I think.
>
> Hmm, unfortunately that has problems with security-related race
> conditions when used directly for /etc. Think about what happens
> with "/etc/shadow" in that case, for example. (/etc/.git is of
> course 0700) I'm sure there are others where non-root daemons get
> unhappy when they get an inotify event and their config files have
> suddenly become root:root:0600. I also want to be able to "cd /etc
> && git status" to see what changed after running "apt-get update" or
> maybe fiddling in SWAT or webmin, so a makefile which installs into
> /etc won't quite solve it either. It would also be nice to see when
> things change the permissions on files in /etc, or even bind-mount an
> append-only volume over /etc/.git/objects to provide additional data
> security.

The idea is to not store /etc in git directly, but use import/export scripts, which for example saves permissions and ownership in some file also tracked by git on import, and restores correct permissions on export. That is what I remember from this discussion.

This of course means that you would have to write your own porcelain... What about mentioned in other email IsiSetup?

--
Jakub Narebski
Warsaw, Poland
ShadeHawk on #git
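The import/export approach described in the reply above, written out as an added example (not code from the thread or from git). The manifest name `.perms.json`, its JSON layout and the function names are assumptions; it handles regular files only and assumes the repository working tree sits in a root-only (0700) directory. On export each file is built under a temporary name with mode 0600, given its recorded owner and mode, and only then renamed into place, which closes the window Kyle describes for files such as /etc/shadow.

```python
import json, os, shutil, stat, tempfile

MANIFEST = ".perms.json"  # hypothetical manifest name, tracked in git beside the files

def import_tree(live, repo):
    """Copy regular files from live into repo and record mode/uid/gid in MANIFEST."""
    perms = {}
    for d, subdirs, files in os.walk(live):
        subdirs[:] = [s for s in subdirs if s != ".git"]
        for name in files:
            src = os.path.join(d, name)
            st = os.lstat(src)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes are out of scope here
            rel = os.path.relpath(src, live)
            perms[rel] = {"mode": stat.S_IMODE(st.st_mode),
                          "uid": st.st_uid, "gid": st.st_gid}
            dst = os.path.join(repo, rel)
            os.makedirs(os.path.dirname(dst), mode=0o700, exist_ok=True)
            shutil.copyfile(src, dst)  # content only; git keeps just the exec bit
    with open(os.path.join(repo, MANIFEST), "w") as f:
        json.dump(perms, f, indent=1, sort_keys=True)
    return perms

def export_tree(repo, live):
    """Install manifest-listed files into live with final owner/mode already set."""
    with open(os.path.join(repo, MANIFEST)) as f:
        perms = json.load(f)
    for rel, p in sorted(perms.items()):
        # The manifest is input to a root-run script: refuse paths that escape live.
        if os.path.isabs(rel) or ".." in rel.split(os.sep):
            raise ValueError("unsafe path in manifest: %r" % rel)
        dst = os.path.join(live, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        # mkstemp creates the file 0600 in the target directory (same filesystem).
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dst), prefix=".export-")
        try:
            with os.fdopen(fd, "wb") as out, open(os.path.join(repo, rel), "rb") as src:
                shutil.copyfileobj(src, out)
                out.flush()
                os.fchown(out.fileno(), p["uid"], p["gid"])  # owner first, still 0600
                os.fchmod(out.fileno(), p["mode"])           # then the recorded mode
                os.fsync(out.fileno())
            os.replace(tmp, dst)  # atomic: readers see the old file or the finished one
        except BaseException:
            os.unlink(tmp)
            raise
    return sorted(perms)
```

Files present in the repository but missing from the manifest are not exported, so a file with no recorded permissions never reaches the live tree with default ones.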