GitWeb & file permissions


ncdc

Jul 22, 2010, 12:48:43 PM
to gitolite
Hi,

I've installed Gitolite and have it configured to use the git user.
The repositories in /home/git/repositories have the directory
permissions configured (by default) so that only the owner (git) is
given permission to access them on the local filesystem. I'm not
running Apache as the git user - is there some way I can make Gitolite
work with GitWeb as far as file permissions go? I've tried manually
chmod'ing my repositories, but anytime I push changes to a repository,
refs/heads/master changes back to being so that only the git user may
read or write that file, and gitweb is no longer able to access the
repository. Any thoughts?

Thanks!
Andy

Kevin P. Fleming

Jul 22, 2010, 2:26:35 PM
to gito...@googlegroups.com

Edit the gitolite.rc file and change the mask used for file/directory
creation to solve this.

If you want a quick and dirty fix, change the mask to 022, and all users
on the system will be able to read the repositories. If you want a more
secure solution, change it to 027, and then create a group that both the
git user and the apache user are members of; then set that group to be
the owner of everything in and under /home/git, with the 'group suid'
bit set on so that all future stuff that gets created will be owned by
that group as well.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kfle...@digium.com
Check us out at www.digium.com & www.asterisk.org

Sitaram Chamarty

Jul 22, 2010, 2:27:03 PM
to ncdc, gitolite
http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd#umask_setting

After changing REPO_UMASK you do have to do one final chmod,
because umask only affects *new* files/directories.

HTH

--
Sitaram Chamarty
+91-40-6667-3521 (work)
+91-92462-22927 (cell; please note new number)
440-3521 (TCS India VOIP)
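Kevin's recipe and Sitaram's "one final chmod" remark can be walked through in a scratch directory. The following is an added shell example, not code from this thread or from gitolite: it shows that a 0077 umask leaves a freshly written ref file 0600, that switching the umask to 0027 only changes files created afterwards, and what the one-off chmod (group read on files, group read+search plus setgid on directories) does to content that already exists. It assumes GNU stat (Linux) and runs as an unprivileged user, so the chgrp to a shared git/apache group from Kevin's post is only noted in a comment.

```sh
#!/bin/sh
# Added demonstration (not from the thread or gitolite) of the
# REPO_UMASK + shared group + setgid approach, run in a throwaway directory.

mode_of() { stat -c '%a' "$1"; }   # octal mode; GNU stat (assumes Linux)

# Create an empty file at $1 under umask $2 and print its mode, the way a
# ref file written by a push inherits the pushing process's umask.
create_with_umask() {
    ( umask "$2"; : > "$1" )
    mode_of "$1"
}

# The "one final chmod" for content that already exists: group read on
# files, group read+search plus setgid on directories so that files created
# later inherit the directory's group. In a real deployment this is
# preceded by: chgrp -R <shared group> /home/git/repositories
fix_existing_tree() {
    find "$1" -type d -exec chmod g+rxs {} +
    find "$1" -type f -exec chmod g+r {} +
}

demo() {
    root=$(mktemp -d)
    repo="$root/repositories/demo.git"
    ( umask 027; mkdir -p "$repo" )

    # 1. The symptom from the first post: a 0077 umask leaves the ref 0600,
    #    unreadable by a gitweb user that is in the group but not the owner.
    before=$(create_with_umask "$repo/old-ref" 077)

    # 2. REPO_UMASK 0027 fixes files created from now on (0640)...
    after=$(create_with_umask "$repo/new-ref" 027)

    # 3. ...but not old-ref, which still needs the one-off chmod.
    fix_existing_tree "$root/repositories"
    fixed=$(mode_of "$repo/old-ref")
    dirmode=$(mode_of "$repo")   # 2750: setgid bit on a 0750 directory

    rm -rf "$root"
    echo "$before $after $fixed $dirmode"
}

demo   # prints: 600 640 640 2750
```

The four numbers printed are the modes of the ref written under the old umask, the ref written under 0027, the old ref after the one-off chmod, and the repository directory with the setgid bit set.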

Todd A. Jacobs

Sep 15, 2010, 12:56:27 PM
to ncdc, gitolite
On Thu, Jul 22, 2010 at 12:48 PM, ncdc <andy.go...@gmail.com> wrote:

> read or write that file, and gitweb is no longer able to access
> the repository. Any thoughts?

I had a similar issue. Rather than mucking with gitolite itself, I
just cloned each repo under /srv/gitolite/ like so:

sudo -u gitolite \
    git clone --bare --no-hardlinks \
    file:///home/gitolite/repositories/foo.git

and then added a cron job to fetch the updates regularly:

*/10 * * * *    gitolite cd /srv/gitolite && for dir in *git; do (cd "$dir" && git fetch); done

The main reason I did it this way, instead of with umasks, is that I
don't want people to have access to the gitolite home directory or the
gitolite administrative repository. I see that as a bit of a security
risk.

YMMV.

Sitaram Chamarty

Sep 16, 2010, 12:43:31 AM
to Todd A. Jacobs, ncdc, gitolite

if you did things by setting groups as described in Kevin's email at
http://groups.google.com/group/gitolite/msg/e7579cbd35dc1b3d you would
not have that risk.

The groups part ensures that at the Unix level these repos are seen by
the gitweb process.

Then you ensure within gitolite that gitweb does not see the admin repo.

The home directory cannot be "seen" anyway.

All this assumes you're installing and can control the apache+gitweb
configuration/code.

>
> YMMV.
>

--
Sitaram

wil

Sep 27, 2010, 3:36:56 PM
to gitolite
I have a similar setup to ncdc

If I change the REPO_UMASK to 027 in gitolite.rc gitweb sees all (new)
repositories.
I still would like to limit what repositories are viewable.

What user is supposed to run Apache? At the moment I have root and
www-data as part of the git group.

What is the best practice for getting this going?

Regards

Sitaram Chamarty

Sep 28, 2010, 10:47:17 AM
to wil, gitolite
ok I was hoping someone who actually uses gitweb would answer...

On Tue, Sep 28, 2010 at 1:06 AM, wil <willia...@frog.za.net> wrote:
> I have a similar setup to ncdc
>
> If I change the REPO_UMASK to 027 in gitolite.rc gitweb sees all (new)
> repositories.

That is surprising... usually 0022 does that.

> I still would like to limit what repositories are viewable.
>
> What user is supposed to run Apache at the moment I have root and
> www-data part of the git group.
>
> What is the best practice to getting this going?

assuming "gitolite" is the user name *and* groupname of the gitolite
hosting user, you add "gitolite" as a secondary group to the
"www-data" user. Something like "usermod -G gitolite www-data" should
do.

but in your case it seems this is already done, somehow, otherwise
0027 would not have worked.

Anyway, after that you set up gitweb to honor the $projects_list file (I
don't know how). You then make sure the $PROJECT_LIST setting in
~/.gitolite.rc matches the $projects_list that gitweb knows.

Finally, you give gitweb access to specific repos using gitolite, as
described in http://github.com/sitaramc/gitolite/blob/pu/doc/2-admin.mkd#_specifying_gitweb_and_daemon_access

HTH

wil

Sep 28, 2010, 2:28:56 PM
to gitolite
Thanks for the tip Sitaram.

In /etc/gitweb.conf I changed $projects_list to point to the projects
list file:
$projects_list = "/home/git/projects.list";

I also had to add group read rights to the projects.list file:
chmod g+r /home/git/projects.list

Things are finally working :)


On Sep 28, 4:47 pm, Sitaram Chamarty <sitar...@gmail.com> wrote:
>
> Anyway after that you setup gitweb to honor the $projects_list file (I
> don't know how).  You then make sure the $PROJECT_LIST setting in
> ~/.gitolite.rc matches $projects_list that gitweb knows.
>
> Finally, you give gitweb access to specific repos using gitolite, as
> described in http://github.com/sitaramc/gitolite/blob/pu/doc/2-admin.mkd#_specifyi...
>
> HTH
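The wiring Sitaram describes and wil confirms (www-data in the gitolite group, gitweb's $projects_list pointing at gitolite's projects.list, the list file group-readable) can be audited from the filesystem side. The following is an added shell script, not code from this thread or from gitolite: for each repo named in a projects.list it checks that the repo directory exists, that the group can enter it, and that no file inside (such as a ref rewritten by a push with the wrong umask) lacks group read. Repos absent from the list are deliberately ignored, since that is how gitolite keeps the admin repo out of gitweb. It assumes GNU stat (Linux); the sample tree in demo() is constructed for the run.

```sh
#!/bin/sh
# Added audit (not from the thread or gitolite) of what the gitweb user's
# group can actually read once $projects_list points at gitolite's
# projects.list. The sample tree built in demo() is constructed.

mode_of() { stat -c '%a' "$1"; }   # octal mode; GNU stat (assumes Linux)

# Group permission digit of a path: the second-to-last octal digit.
group_digit() {
    m=$(mode_of "$1")
    m=${m%?}
    printf '%s' "${m#${m%?}}"
}

# A file needs group read (4,5,6,7); a directory needs read and search (5,7).
group_can_read_file() { case $(group_digit "$1") in 4|5|6|7) return 0 ;; *) return 1 ;; esac; }
group_can_enter_dir()  { case $(group_digit "$1") in 5|7)       return 0 ;; *) return 1 ;; esac; }

# $1 = projects.list, $2 = repositories root. One line per problem on
# stderr, the problem count on stdout. Repos not in the list are ignored:
# that is how gitolite keeps the admin repo out of gitweb.
audit_gitweb_access() {
    list=$1; root=$2; problems=0
    if ! group_can_read_file "$list"; then
        echo "projects.list is not group-readable: $list" >&2
        problems=$((problems + 1))
    fi
    # Each line is a repo path, optionally followed by an owner field.
    while read -r repo _; do
        [ -n "$repo" ] || continue
        dir="$root/$repo"
        if [ ! -d "$dir" ]; then
            echo "listed but missing: $dir" >&2
            problems=$((problems + 1))
        elif ! group_can_enter_dir "$dir"; then
            echo "group cannot enter $dir ($(mode_of "$dir"))" >&2
            problems=$((problems + 1))
        else
            # The symptom from the first post: refs rewritten by a push with
            # the wrong umask end up 0600 inside an otherwise readable repo.
            bad=$(find "$dir" -type f ! -perm -g=r | wc -l | tr -d ' ')
            if [ "$bad" -gt 0 ]; then
                echo "$bad file(s) not group-readable under $dir" >&2
                problems=$((problems + bad))
            fi
        fi
    done < "$list"
    echo "$problems"
}

demo() {
    root=$(mktemp -d)
    repos="$root/repositories"
    ( umask 027
      mkdir -p "$repos/ok.git/refs/heads" "$repos/private.git/refs/heads" "$repos/admin.git"
      : > "$repos/ok.git/refs/heads/master"
      : > "$repos/private.git/refs/heads/master"
      printf '%s\n' ok.git private.git missing.git > "$root/projects.list" )
    chmod 600 "$repos/private.git/refs/heads/master"   # the ref a bad umask left behind
    count=$(audit_gitweb_access "$root/projects.list" "$repos")
    rm -rf "$root"
    echo "$count"
}

demo   # prints: 2  (one unreadable ref, one missing repo)
```

Run against a real installation as `audit_gitweb_access /home/git/projects.list /home/git/repositories`; a count of 0 means every repo gitweb is told about is readable by the group Apache runs in, and admin.git stays invisible simply because gitolite never writes it to the list.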