I now need to set up a repo hosted on my own machine (not github) for a web project. I'm hoping to set up the repo on my server
dev.example.com to facilitate development for multiple devs. It will be accessed via SSH by numerous developers. I'm not especially concerned about auto-deployment in this case, but PERMISSIONS are proving to be quite confusing. Per
this article, I have gone to my production web root and created a git repo there and committed all my files. I realize when creating this repo that the article I just linked says
nothing at all about file permissions. I am expecting to create a bare repo on dev.example.com and expect that any contributor must have a user account on that machine, but am wondering what permissions to assign to the bare repo.
This article has two suggestions and I was wondering what everyone might think. I was prepared to create a new group,
developers, add all my devs to this group and set a chmod g+rws on the bare repo's directory, but the article mentions "security issues" which I can quite visualize. Any thoughts would be much appreciated. From the article:
Quote:
Permissions are a pest.
Basically, you need to make sure that all of those developers can write to everything in the git repo.
Skip down to The New-Wave Solution for the superior method of granting a group of developers write capability.
The Standard Solution
If you put all the developers in a specially-created group, you can, in principle, just do:
Code:
chgrp -R <whatever group> gitrepo
chmod -R g+swX gitrepo
Then change the umask for the users to 002, so that new files get created with group-writable permissions.
The problems with this are legion; if you’re on a distro that assumes a umask of 022 (such as having a common users group that includes everyone by default), this can open up security problems elsewhere. And sooner or later, something is going to screw up your carefully crafted permissions scheme, putting the repo out of action until you get root access and fix it up (i.e., re-running the above commands).
The New-Wave Solution
A superior solution—though less well understood, and which requires a bit more OS/tool support—is to use POSIX extended attributes. I’ve only come to this area fairly recently, so my knowledge here isn’t as hot as it could be. But basically, an extended ACL is the ability to set permissions on more than just the 3 default slots (user/group/other).
So once again, create your group, then run:
Code:
setfacl -R -m g:<whatever group>:rwX gitrepo
find gitrepo -type d | xargs setfacl -R -m d:g:<whatever group>:rwX
This sets up the extended ACL for the group so that the group members can read/write/access whatever files are already there (the first line); then, also tell all existing directories that new files should have this same ACL applied (the second line).
|