On Mon, Jan 05, 2015 at 09:07:24PM +0200, Paul Sokolovsky wrote: > So, after the upgrade, users started to report that accessing > info/refs file of a repo, as required for HTTP dump protocol, leads to > 403 Forbidden HTTP error. We traced that to 0600 filesystem permissions > for such files (for objects/info/packs too) (owner is gerrit user, to > remind). After resetting permissions to 0644, they get back to 0600 > after some time (we have a cronjob in addition to a hook to run "git > update-server-info"). umask is permissive when running cronjob (0002). > > I traced the issue to: > https://github.com/git/git/commit/d38379ece9216735ecc0ffd76c4c4e3da217daec Yeah, I didn't consider the mode impact of using mkstemp. That is definitely a regression that should be fixed. Though of course if you really do want 0644, you should set your umask to 0022. :) > It says: "Let's instead switch to using a unique tempfile via mkstemp." > Reading man mkstemp: "The file is created with permissions 0600". > So, that's it. The patch above contains call to adjust_shared_perm(), > but apparently it doesn't promote restrictive msktemp permissions to > something more accessible. If you haven't set core.sharedrepository, then adjust_shared_perm is a noop. But you shouldn't have to do that. Git should just respect your umask in this case. > Hope this issue can be addressed. Patches to follow. Thanks for the report. [1/2]: t1301: set umask in reflog sharedrepository=group test [2/2]: update-server-info: create info/* with mode 0666 -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html