On 2022-11-02 at 15:18:25, John Soo wrote:
> Hello git!
>
> We have some build processes that would like access to repos in /home
> directories that are 0700. We had done this already:
>
> $ setfacl --recursive --modify group:<build users group>:r-X,default:group:<build users group>:r-X /home
>
> Should this ACL be enough to consider the repos "owned" by the build
> users? Should *any* ACL be enough to consider the repos "owned" by the
> build users?
>
> Currently:
> $ sudo -u <build user> git config --get safe.directory
> $ sudo -u <build user> git -C /home/<non build user>/repo rev-parse HEAD
> fatal: unsafe repository ('/home/<non build user>/repo' is owned by someone else)
> To add an exception for this directory, call:
>
> git config --global --add safe.directory /home/<non build user>

No, the permissions of a repository, whether standard Unix permissions or ACLs, are not relevant to ownership. The question here is whether the owner of the .git directory (that is, the value of the `st_uid` field when calling lstat(2) on it) is equal to the effective user ID.

When you view the path in `ls`, you can see the owner and group of the file specified, and that owner is what matters here.

--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
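The ownership test described in the reply above, as an added C sketch (not git's source and not part of the original message): it compares `st_uid` from lstat(2) with the effective UID and shows that changing the mode bits of a directory does not change the answer. The function names and the scratch directories under /tmp are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700 /* expose lstat(2) and mkdtemp(3) in strict modes */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The decision uses only st_uid; st_mode (and any ACL) is never consulted. */
static int stat_owned_by(const struct stat *st, uid_t uid)
{
    return st->st_uid == uid;
}

/* 1 = owned by the effective user, 0 = someone else, -1 = lstat failed.
 * lstat() does not follow a symlink, so a link reports its own owner. */
static int path_owned_by_effective_user(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return stat_owned_by(&st, geteuid());
}

/* Hypothetical demo helper: make a scratch dir, set its mode, run the check. */
static int check_scratch_dir_with_mode(mode_t mode)
{
    char tmpl[] = "/tmp/owner-check-XXXXXX"; /* constructed sample path */
    char *dir = mkdtemp(tmpl);
    int result;
    if (dir == NULL)
        return -1;
    if (chmod(dir, mode) != 0) { rmdir(dir); return -1; }
    result = path_owned_by_effective_user(dir);
    rmdir(dir);
    return result;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".git";
    int r = path_owned_by_effective_user(path);
    if (r < 0) perror(path);
    else printf("%s: %s\n", path, r ? "owned by effective user" : "owned by someone else");
    printf("scratch dir, mode 0700: %d\n", check_scratch_dir_with_mode(0700));
    printf("scratch dir, mode 0000: %d\n", check_scratch_dir_with_mode(0000));
    return 0;
}
```

Run as the build user with the path to a repository's `.git` directory as the argument to see which side of the comparison that account falls on.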