让 git push 尊重权限?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5264968/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Making git push respect permissions?
提问by user10
We use a git repo that is hosted at a remote location, and is shared. We want the repo to be user & group readable & writeable, but not have any permissions for other. The remote repo is owned by a different user (say rUser). I have set core.sharedRepositoryto 0660in my local repo, as well as the remote repo. Also, my umask is 0027. So, whenever I create a new file, it has no permissions for other.
我们使用托管在远程位置并共享的 git 存储库。我们希望 repo 是用户和组可读和可写的,但对其他人没有任何权限。远程仓库归不同的用户所有(比如 rUser)。我已core.sharedRepository到0660我的本地回购,以及远程回购。另外,我的 umask 是0027. 因此,每当我创建一个新文件时,它都没有其他权限。
In spite of all this, for some reason whenever I push a change to the remote repo, it creates some new objects in the repo.git/objects/directory with permissions -r--r--r--. What's even weirder is that it makes me (instead of the remote user) the owner of the directories/files. Any idea what's going on?
尽管如此,出于某种原因,每当我将更改推送到远程存储库时,它都会在repo.git/objects/目录中创建一些具有权限的新对象-r--r--r--。更奇怪的是,它使我(而不是远程用户)成为目录/文件的所有者。知道发生了什么吗?
I tried finding an answer by going over several seemingly related questions on stackoverflow, but couldn't find anything.
我试图通过在 stackoverflow 上查看几个看似相关的问题来找到答案,但找不到任何东西。
回答by Chris Johnsen
Note: I am assuming that you are using an SSH-based access mechanism with each user logging into the server as their own user (i.e. you do not have multiple users login to a single account to access the repository). If this assumption is not true, then the following answer may not be wholly useful.
注意:我假设您使用基于 SSH 的访问机制,每个用户都以自己的用户身份登录服务器(即,您没有多个用户登录到单个帐户来访问存储库)。如果这个假设不成立,那么下面的答案可能并不完全有用。
The core.sharedrepositorysetting of your personal repository and the umaskyou use to access it are irrelevant to the ownership and permissions used on a remote repository.
core.sharedrepository您的个人存储库的设置和用于访问它的umask与远程存储库上使用的所有权和权限无关。
Setting core.sharedrepositoryto 0660in the remote repository is the right way to get what you say you want. The umaskof the accessing user on the remote side is also irrelevant because Git will override the mask when it sees a 0xxxvalue for core.sharedrepository. You do need to make sure all the files and directories are group-owned by the your common group and that the permissions are correct (2770for all directories (or just 770for BSD-ish systems); 440for files under objects/??and /objects/pack/; 660for other files).
在远程存储库中设置core.sharedrepository为0660是获得所需内容的正确方法。所述的umask在远程侧上的访问用户的也无关紧要,因为GIT中将覆盖掩模时,看到一个0xxx为值core.sharedrepository。您确实需要确保所有文件和目录都归您的公共组2770所有,并且权限正确(对于所有目录(或仅770对于 BSD-ish 系统);440对于objects/??和下的文件/objects/pack/;660对于其他文件)。
It is normal that a new file is user-owned by the user that created it. On non-BSD systems you need the setgid bit (the 2000bit) on directories to make new entries inherit the group-owner of its parent directory. The user-owner is rarely inherited (FreeBSD can be configured to do it with the setuid bit, but this is not used in normal configurations). Thus, all the files and directories should have the same, common, group-owner, but each write to the repository (e.g. push) will leave some files and/or directories that are user-owned by the writing user1(i.e. it is not required that any one user (your rUser?) be the user-owner of all the files and directories; any user that needs access to the repository should be a member of common group).
新文件归创建它的用户所有是正常的。在非 BSD 系统上,您需要目录上的 setgid 位(2000位)以使新条目继承其父目录的组所有者。用户所有者很少被继承(FreeBSD 可以配置为使用 setuid 位来实现,但这在正常配置中不使用)。因此,所有文件和目录都应该具有相同的、共同的、组所有者,但是每次写入存储库(例如推送)都会留下一些文件和/或目录,这些文件和/或目录由写入用户1拥有(即它是不需要任何一个用户(你的rUser?)是所有文件和目录的用户所有者;任何需要访问存储库的用户都应该是公共组的成员)。
1Each user will obviously user-own any files/directories they create, but they will also user-own most files that they modify because Git uses “atomic rewrites” (it writes the new content to a new, separate file in the same directory, and then renames it atop the original file).
1每个用户显然将拥有他们创建的任何文件/目录,但他们也将拥有他们修改的大多数文件,因为 Git 使用“原子重写”(它将新内容写入同一目录中的一个新的单独文件,然后将其重命名为原始文件)。
Maybe there is a bug in the way Git is overriding the umask for new files. Exactly which files are getting permissions that are too wide? What version of Git are you on the remote end to access on the repository? What OS are you running on the remote end?
也许 Git 覆盖新文件的 umask 的方式存在错误。究竟哪些文件获得的权限太宽?您在远程端使用哪个版本的 Git 来访问存储库?你在远程端运行什么操作系统?
I was unable to reproduce this problem with Git 1.7.4.1 with two users and a common group on my Unixy machine.
我无法使用 Git 1.7.4.1 在我的 Unixy 机器上用两个用户和一个公共组重现这个问题。
You might try simplifying the scenario a bit. Try pushing to the remote repository directly from the server itself (i.e. make a local clone and push to a throw-away branch). Doing local-only access makes it easier to check your assumptions (umask; uids; gids; user-, and group-ownership, and permissions of files and directories before and after pushing) than when you have a transport of some kind in the middle (either Git's own SSH-based transports, or a network filesystem that might not map ids and permissions with full fidelity).
您可以尝试稍微简化一下场景。尝试直接从服务器本身推送到远程存储库(即制作本地克隆并推送到一次性分支)。与中间有某种传输相比,仅进行本地访问可以更容易地检查您的假设(umask;uids;gids;用户和组所有权,以及推送之前和之后的文件和目录的权限) (Git 自己的基于 SSH 的传输,或者可能无法完全保真地映射 ID 和权限的网络文件系统)。
