Web lists-archives.com

Re: [PATCH v2] read-cache: write all indexes with the same permissions

On Sat, Nov 17, 2018 at 10:29 AM Junio C Hamano <gitster@xxxxxxxxx> wrote:
> Christian Couder <christian.couder@xxxxxxxxx> writes:
> > However, as noted in those commits we'd still create the file as 0600,
> > and would just re-chmod it depending on the setting of
> > core.sharedRepository. So without core.splitIndex a system with
> > e.g. the umask set to group writeability would work for the members of
> > the group, but not with core.splitIndex set, as members of the group
> > would not be able to access the shared index file.
> I am not sure what the above wants to say.

I tried to improve from Ævar's previous commit message but I agree
that the above is not very clear.

> If we are not making
> necessary call to adjust-shared-perm,

The issue is that adjust_shared_perm() returns immediately when
core.sharedRepository is unset (or false). So when it is unset (or
false), and when the umask is 0022 or 0002 for example, then the index
and the shared index will not have the same permissions because one is
created using open() with mode 0666 and the other with mode 0600.

> then it is irrelevant that the
> lack of the call does not immediately cause an apparent problem for
> users who happens to have non-restrictive group perm bit in their
> umask.  Another group member whose umask is tighter will eventually
> use the repository and end up creating a file unreadable to group
> members.

The issue is that a group member with non-restrictive group perm bit
in their umask, like 0022 or 0002, will currently create an unreadable
shared index when using the repo.

I agree that it is much safer to just set core.sharedRepository to
"true" or "all", but maybe in some setups/systems it might be ok to
rely on everyone having non-restrictive group perm bit in their umask.

> Are you saying that we _lack_ necessary call when core.sharedRepository
> is set?

No, I am saying that, when it is unset, adjust_shared_perm() does nothing.

> If so, a commit that fixes such a bug would be the best
> place to have a paragraph like the above.  If not, the above description
> simply misleads the readers.

I agree that it is a bit misleading. Maybe something like:

"However, as noted in those commits we'd still create the file as
0600, and would just re-chmod it only if core.sharedRepository is set
to "true" or "all". If core.sharedRepository is unset or set to
"false", then the file mode will not be changed, so without
core.splitIndex a system with e.g. the umask set to group writeability
would work for a group member, but not with core.splitIndex set, as
group members would not be able to access the shared index file.

> > Let's instead make the two consistent by using mks_tempfile_sm() and
> > passing 0666 in its `mode` argument.
> On the other hand, this is a relevant description; this patch kills
> an inconsistency that is very short lived (I am assuming that there
> is no bug in the current code before this patch and we make
> necessary calls to adjust-shared-perm when core.sharedrepository is
> set).

It is unfortunately not short lived when core.sharedrepository is
unset for example as adjust_shared_perm() starts with:

int adjust_shared_perm(const char *path)
        int old_mode, new_mode;

        if (!get_shared_repository())
                return 0;

but get_shared_repository() will return PERM_UMASK which is 0 when
git_config_get_value("core.sharedrepository", ...) returns a non zero
value which happens when "core.sharedrepository" is unset.

Maybe there is a bug somewhere in adjust_shared_perm() or the
functions it calls, but I don't know this part of the code base much.

> > Note that we cannot use the create_tempfile() function itself that is
> > used to write the main ".git/index" file because we want the XXXXXX
> > part of the "sharedindex_XXXXXX" argument to be replaced by a pseudo
> > random value and create_tempfile() doesn't do that.
> Sure.  Pseudo-random-ness is less important than the resulting
> filename being unique.  "Because we are asking for a unique file to
> be created, we cannot use create_tempfile() interface that is
> designed to be used to create a file with known name."
> But is that really worth saying, I wonder.

I am ok with either your version or removing the above from the commit message.

> > Ideally we'd split up the adjust_shared_perm() function to one that
> > can give us the mode we want so we could just call open() instead of
> > open() followed by chmod(), but that's an unrelated cleanup.
> I would drop this paragraph, as I think this is totally incorrect.
> Imagine your umask is tighter than the target permission.  You ask
> such a helper function and get "you want 0660".  Doing open(0660)
> would not help you an iota---you'd need chmod() or fchmod() to
> adjust the result anyway, which already is done by
> adjust-shared-perm.

It seems to me that it is not done when "core.sharedrepository" is unset.

> > We already have that minor issue with the "index" file
> > #leftoverbits.
> The above "Ideally", which I suspect is totally bogus, would show up
> whey people look for that keyword in the list archive.  This is one
> of the reasons why I try to write it after at least one person
> sanity checks that an idea floated is worth remembering.

It was in Ævar's commit message and I thought it might be better to
keep it so that people looking for that keyword could find the above
as well as the previous RFC patch.