From 422c4003314396ae84e363e0ddb0cfb17357b646 Mon Sep 17 00:00:00 2001 From: Petr Baudis Date: Mon, 9 Oct 2006 04:15:43 +0200 Subject: [PATCH] Fix permissions/ownership for push-hosted projects A root cronjob now takes care of that --- README | 4 ++++ cgi/regproj.cgi | 5 +++-- fixup.sh | 21 +++++++++++++++++++++ fixupcheck.sh | 17 +++++++++++++++++ 4 files changed, 45 insertions(+), 2 deletions(-) create mode 100755 fixup.sh create mode 100755 fixupcheck.sh diff --git a/README b/README index f28e9f5..ff908cb 100644 --- a/README +++ b/README @@ -65,6 +65,10 @@ for the project in /etc/group. The web interface for the project administration is protected by the group password; chroot/etc/group is used as the htpasswd file here. +Since Apache is not in the project groups, there is a special cronjob run +every minute to fix up the permissions for the refs/, info/, and objects/ +project directories, under the root user. + Mirror mode ----------- diff --git a/cgi/regproj.cgi b/cgi/regproj.cgi index 4aa0112..2a48fc6 100755 --- a/cgi/regproj.cgi +++ b/cgi/regproj.cgi @@ -48,14 +48,15 @@ sub setup_push { system("cg-admin-setuprepo -g repo /srv/git/$name.git") == 0 or die "cg-admin-setuprepo failed: $?"; open X, ">/srv/git/$name.git/.nofetch" or die "nofetch failed: $!"; close X; save_proj_data("/srv/git/$name.git", $url, $email, $desc); - my $gid = add_group($name, $pwd, ''); - chown -1, $gid, map { "/srv/git/$name.git/$_" } qw(info refs/heads refs/tags objects); + chmod 0664, map { "/srv/git/$name.git/$_" } qw(base_url owner description); + add_group($name, $pwd, ''); print "

"; print "Project successfuly set up. "; print "You can assign users now (use project name as username, admin password as password). "; print "You need to register a user first if you have not done so yet. "; print "(One user can have push access to multiple projects and multiple users can have push access to one project.)"; print "

\n"; + print "

You may experience permission problems if you try to push right now. If so, that should get fixed automagically in few minutes.

\n"; print "

Enjoy yourself!

\n"; print "\n"; }
diff --git a/fixup.sh b/fixup.sh
new file mode 100755
index 0000000..286e225
--- /dev/null
+++ b/fixup.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# THIS SCRIPT IS BEING RUN UNDER ROOT!!!
+#
+# [repo.or.cz] You will need to manually update this file if you modify
+# it in the repository.
+
+set -e
+
+proj="$1"
+cd "$proj.git"
+
+xproj="$(echo "$proj" | sed 's/\./\\./g')"
+gid="$(sed -ne "/^$xproj:/ { s/^[^:]*:[^:]*:\([0-9]*\):.*/\1/; p }")"
+if [ "$git" = "" ]; then
+ echo "cannot resolve gid for $proj ($xproj)" >&2
+ exit 1
+fi
+
+chown ."$gid" info refs objects -R
+chmod g+w info refs objects -R
diff --git a/fixupcheck.sh b/fixupcheck.sh
new file mode 100755
index 0000000..a433550
--- /dev/null
+++ b/fixupcheck.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# THIS SCRIPT IS BEING RUN UNDER ROOT!!!
+#
+# [repo.or.cz] You will need to manually update this file if you modify
+# it in the repository.
+
+# We want to make sure the push-access projects have the right directories
+# in the right groups.
+
+# No need to lock.
+
+cd /srv/git
+for dir in *; do
+ [ -e "$dir"/.nofetch ] || continue
+ /root/repomgr/fixup.sh "${dir%.git}"
+done
-- 
2.11.4.GIT
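Review bot: The added `chmod 0664, ...` in setup_push (cgi/regproj.cgi) ignores its return value, while the neighbouring system() and open calls die on failure, so a metadata file left with the wrong mode goes unnoticed. chmod returns the number of files it changed, so the call can be checked as `my @meta = map { "/srv/git/$name.git/$_" } qw(base_url owner description);` followed by `chmod(0664, @meta) == @meta or die "chmod failed: $!";`. The result of `add_group($name, $pwd, '')` is now discarded as well; if it reports failure through its return value (its definition is outside this hunk), that should be checked before the success message is printed. setup_push begins before the hunk.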
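Review bot: In fixup.sh the gid guard tests `$git`, which is never assigned, so `[ "$git" = "" ]` is always true and the script exits with "cannot resolve gid" before it reaches chown; it should read `if [ "$gid" = "" ]; then`. The `sed -ne` that computes gid is also given no input file, so it reads stdin rather than the group file; pass the file explicitly as the last sed argument (`<path-to-chroot-group-file>`, a placeholder since the path is not on this page). Because this runs as root over directories that project members can write to, prefer `chown -hR :"$gid" info refs objects` so symlinks found there are never dereferenced, and check whether hard links created under those directories could make the recursive chown/chmod touch files outside the repository. `$proj` is interpolated into the sed address with only `.` escaped, so names containing `/` or other regex metacharacters should be rejected before use.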
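Review bot: In fixupcheck.sh `cd /srv/git` is unchecked and the script has no `set -e`, so if the directory is missing the loop runs as root against whatever directory cron started in; use `cd /srv/git || exit 1`. fixup.sh then does a relative `cd "$proj.git"`, so it silently depends on inheriting this working directory. The glob accepts any entry that contains `.nofetch`, including a symlink to a directory; adding `[ -d "$dir" ] && [ ! -L "$dir" ] || continue` before the `.nofetch` test would restrict the root fixup to real directories under /srv/git.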