On 2015-01-05 20.07, Paul Sokolovsky wrote: > Hello, > > We recently upgraded to git 2.2.1 from 2.1.x and faced issue with > accessing repositories over dump HTTP protocol. In our setting, > repositories are managed by Gerrit, so owned by Gerrit daemon user, > but we also offer anon access via smart and dumb HTTP protocols. For the > latter, we of course rely on "git update-server-info" being run. > > So, after the upgrade, users started to report that accessing > info/refs file of a repo, as required for HTTP dump protocol, leads to > 403 Forbidden HTTP error. We traced that to 0600 filesystem permissions > for such files (for objects/info/packs too) (owner is gerrit user, to > remind). After resetting permissions to 0644, they get back to 0600 > after some time (we have a cronjob in addition to a hook to run "git > update-server-info"). umask is permissive when running cronjob (0002). > > > I traced the issue to: > https://github.com/git/git/commit/d38379ece9216735ecc0ffd76c4c4e3da217daec > > It says: "Let's instead switch to using a unique tempfile via mkstemp." > Reading man mkstemp: "The file is created with permissions 0600". > So, that's it. The patch above contains call to adjust_shared_perm(), > but apparently it doesn't promote restrictive msktemp permissions to > something more accessible. > > Hope this issue can be addressed. > > > Thanks, > Paul Does git config core.sharedRepository 0644 help? Unless the the repo is configured as shared, adjust_shared_perm() will not widen the access bits: http://git-htmldocs.googlecode.com/git/git-config.html -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html